Weekly Vulnerabilities Reports > February 7 to 13, 2022

Overview

538 new vulnerabilities reported during this period, including 69 critical vulnerabilities and 212 high severity vulnerabilities. This weekly summary report vulnerabilities in 2548 products from 143 vendors including Google, Intel, Fedoraproject, Schneider Electric, and Netapp. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Improper Input Validation", "Use After Free", and "Out-of-bounds Read".

  • 321 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 84 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 305 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 108 reported vulnerabilities.
  • Schneider Electric has the most reported critical vulnerabilities, with 11 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

69 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-09 CVE-2022-22536 SAP Unspecified vulnerability in SAP products

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation.

10.0
2022-02-11 CVE-2021-42940 Projeqtor Cross-site Scripting vulnerability in Projeqtor

A Cross Site Scripting (XSS) vulnerability exists in Projeqtor 9.3.1 via /projeqtor/tool/saveAttachment.php, which allows an attacker to upload a SVG file containing malicious JavaScript code.

9.9
2022-02-09 CVE-2021-36302 Dell Improper Privilege Management vulnerability in Dell EMC Integrated System for Microsoft Azure Stack HUB Firmware

All Dell EMC Integrated System for Microsoft Azure Stack Hub versions contain a privilege escalation vulnerability.

9.9
2022-02-11 CVE-2021-46361 Magnolia CMS Unspecified vulnerability in Magnolia-Cms Magnolia CMS

An issue in the Freemark Filter of Magnolia CMS v6.2.11 and below allows attackers to bypass security restrictions and execute arbitrary code via a crafted FreeMarker payload.

9.8
2022-02-11 CVE-2021-46362 Magnolia CMS Code Injection vulnerability in Magnolia-Cms Magnolia CMS

A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted payload entered into the fullname parameter.

9.8
2022-02-11 CVE-2021-20001 Skolelinux
Debian
Incorrect Default Permissions vulnerability in multiple products

It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.

9.8
2022-02-11 CVE-2021-23555 VM2 Project Unspecified vulnerability in VM2 Project VM2

The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

9.8
2022-02-11 CVE-2020-26728 Tenda Unspecified vulnerability in Tenda AC9 Firmware 15.03.05.19(6318)Cn/15.03.06.42Multi

A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request.

9.8
2022-02-11 CVE-2020-14521 Mitsubishielectric Incorrect Default Permissions vulnerability in Mitsubishielectric products

Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability.

9.8
2022-02-11 CVE-2020-14523 Mitsubishielectric Path Traversal vulnerability in Mitsubishielectric products

Multiple Mitsubishi Electric Factory Automation products have a vulnerability that allows an attacker to execute arbitrary code.

9.8
2022-02-11 CVE-2021-22801 Schneider Electric Unspecified vulnerability in Schneider-Electric Connexium Network Manager

A CWE-269: Improper Privilege Management vulnerability exists that could cause an arbitrary command execution when the software is configured with specially crafted event actions.

9.8
2022-02-11 CVE-2021-22802 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in remote code execution due to missing length check on user supplied data, when a constructed message is received on the network.

9.8
2022-02-11 CVE-2021-22803 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could lead to remote code execution through a number of paths, when an attacker, writes arbitrary files to folders in context of the DC module, by sending constructed messages on the network.

9.8
2022-02-11 CVE-2021-31932 Nokia Unspecified vulnerability in Nokia BTS TRS web Console Ftmw20Fp22019.08.160010

Nokia BTS TRS web console FTM_W20_FP2_2019.08.16_0010 allows Authentication Bypass.

9.8
2022-02-11 CVE-2021-34235 TSG Solutions SQL Injection vulnerability in Tsg-Solutions Tokheim Profleet Dialog 11.005.02

Tokheim Profleet DiaLOG 11.005.02 is affected by SQL Injection.

9.8
2022-02-11 CVE-2021-39616 Google Unspecified vulnerability in Google Android

Summary:Product: AndroidVersions: Android SoCAndroid ID: A-204686438

9.8
2022-02-11 CVE-2021-39658 Google Incorrect Default Permissions vulnerability in Google Android

ismsEx service is a vendor service in unisoc equipment?ismsEx service is an extension of sms system service,but it does not check the permissions of the caller,resulting in permission leaks?Third-party apps can use this service to arbitrarily modify and set system properties?Product: AndroidVersions: Android SoCAndroid ID: A-207479207

9.8
2022-02-11 CVE-2021-39675 Google Out-of-bounds Write vulnerability in Google Android 12.0

In GKI_getbuf of gki_buffer.cc, there is a possible out of bounds write due to a heap buffer overflow.

9.8
2022-02-11 CVE-2022-23425 Google Improper Input Validation vulnerability in Google Android 10.0/11.0/12.0

Improper input validation in Exynos baseband prior to SMR Feb-2022 Release 1 allows attackers to send arbitrary NAS signaling messages with fake base station.

9.8
2022-02-11 CVE-2022-24927 Samsung Improper Privilege Management vulnerability in Samsung Video Player

Improper privilege management vulnerability in Samsung Video Player prior to version 7.3.15.30 allows attackers to execute video files without permission.

9.8
2022-02-11 CVE-2020-13675 Drupal Unrestricted Upload of File with Dangerous Type vulnerability in Drupal

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs.

9.8
2022-02-11 CVE-2020-36062 Phpgurukul Use of Hard-coded Credentials vulnerability in PHPgurukul Dairy Farm Shop Management System 1.0

Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised.

9.8
2022-02-11 CVE-2021-38679 Qnap Improper Authentication vulnerability in Qnap Kazoo Server 4.10.12/4.10.9/4.11.20

An improper authentication vulnerability has been reported to affect QNAP NAS running Kazoo Server.

9.8
2022-02-11 CVE-2022-24112 Apache Authentication Bypass by Spoofing vulnerability in Apache Apisix

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API.

9.8
2022-02-11 CVE-2021-35068 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Lack of null check while freeing the device information buffer in the Bluetooth HFP protocol can lead to a NULL pointer dereference in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables

9.8
2022-02-11 CVE-2022-24961 Portainer Unspecified vulnerability in Portainer

In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.

9.8
2022-02-11 CVE-2022-24954 Foxit Out-of-bounds Write vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2.1 have a Stack-Based Buffer Overflow related to XFA, for the 'subform colSpan="-2"' and 'draw colSpan="1"' substrings.

9.8
2022-02-11 CVE-2022-24955 Foxit Uncontrolled Search Path Element vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2.1 have an Uncontrolled Search Path Element for DLL files.

9.8
2022-02-10 CVE-2021-45364 Statamic Unspecified vulnerability in Statamic

A Code Execution vulnerability exists in Statamic Version through 3.2.26 via SettingsController.php.

9.8
2022-02-10 CVE-2022-24568 Xxyopen Server-Side Request Forgery (SSRF) vulnerability in Xxyopen Novel-Plus 3.6.0

Novel-plus v3.6.0 was discovered to be vulnerable to Server-Side Request Forgery (SSRF) via user-supplied crafted input.

9.8
2022-02-10 CVE-2022-20699 Cisco Improper Validation of Specified Quantity in Input vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

9.8
2022-02-10 CVE-2022-20700 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

9.8
2022-02-10 CVE-2022-20705 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

9.8
2022-02-10 CVE-2022-20711 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

9.8
2022-02-10 CVE-2022-20712 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

9.8
2022-02-10 CVE-2022-20738 Cisco Unspecified vulnerability in Cisco Umbrella Secure web Gateway

A vulnerability in the Cisco Umbrella Secure Web Gateway service could allow an unauthenticated, remote attacker to bypass the file inspection feature.

9.8
2022-02-10 CVE-2022-20749 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

9.8
2022-02-09 CVE-2021-26616 Secuwiz OS Command Injection vulnerability in Secuwiz Secuwayssl U 2.0.0.4/2.0.0.8

An OS command injection was found in SecuwaySSL, when special characters injection on execute command with runCommand arguments.

9.8
2022-02-09 CVE-2021-39994 Huawei Unspecified vulnerability in Huawei Emui 12.0.0

There is an arbitrary address access vulnerability with the product line test code.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.

9.8
2022-02-09 CVE-2021-39997 Huawei Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui 12.0.0

There is a vulnerability of unstrict input parameter verification in the audio assembly.Successful exploitation of this vulnerability may cause out-of-bounds access.

9.8
2022-02-09 CVE-2022-0162 TP Link Cleartext Transmission of Sensitive Information vulnerability in Tp-Link Tl-Wr841N Firmware 3.16.9

The vulnerability exists in TP-Link TL-WR841N V11 3.16.9 Build 160325 Rel.62500n wireless router due to transmission of authentication information in cleartextbase64 format.

9.8
2022-02-09 CVE-2022-22532 SAP Unspecified vulnerability in SAP Netweaver Application Server Java

In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling.

9.8
2022-02-09 CVE-2022-22810 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials.

9.8
2022-02-09 CVE-2022-22813 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-798: Use of Hard-coded Credentials vulnerability exists.

9.8
2022-02-09 CVE-2022-24310 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages.

9.8
2022-02-09 CVE-2022-24311 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by inserting at beginning of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message.

9.8
2022-02-09 CVE-2022-24312 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by adding at end of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message.

9.8
2022-02-09 CVE-2022-24313 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message.

9.8
2022-02-09 CVE-2022-23631 Blitzjs Unspecified vulnerability in Blitzjs Blitz and Superjson

superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON.

9.8
2022-02-09 CVE-2021-45330 Gitea Incomplete Cleanup vulnerability in Gitea

An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse.

9.8
2022-02-09 CVE-2021-45331 Gitea Improper Authentication vulnerability in Gitea

An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges.

9.8
2022-02-09 CVE-2022-24677 Hyphp Unspecified vulnerability in Hyphp Hybbs2

Admin.php in HYBBS2 through 2.3.2 allows remote code execution because it writes plugin-related configuration information to conf.php.

9.8
2022-02-08 CVE-2022-0139 Radare Unspecified vulnerability in Radare Radare2

Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0.

9.8
2022-02-08 CVE-2021-45327 Gitea Interpretation Conflict vulnerability in Gitea

Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API.

9.8
2022-02-08 CVE-2022-23340 Joplin Project Unspecified vulnerability in Joplin Project Joplin 2.6.10

Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results.

9.8
2022-02-07 CVE-2021-25114 Strangerstudios SQL Injection vulnerability in Strangerstudios Paid Memberships PRO

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection

9.8
2022-02-07 CVE-2021-43925 Synology SQL Injection vulnerability in Synology Diskstation Manager

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

9.8
2022-02-07 CVE-2021-43926 Synology SQL Injection vulnerability in Synology Diskstation Manager

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

9.8
2022-02-07 CVE-2021-43927 Synology SQL Injection vulnerability in Synology Diskstation Manager

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

9.8
2022-02-12 CVE-2022-0290 Google Use After Free vulnerability in Google Chrome

Use after free in Site isolation in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

9.6
2022-02-12 CVE-2022-0097 Google
Fedoraproject
Inappropriate implementation in DevTools in Google Chrome prior to 97.0.4692.71 allowed an attacker who convinced a user to install a malicious extension to to potentially allow extension to escape the sandbox via a crafted HTML page.
9.6
2022-02-08 CVE-2022-21241 CSV Project Cross-site Scripting vulnerability in Csv+ Project Csv+

Cross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a remote unauthenticated attacker to inject an arbitrary script or an arbitrary OS command via a specially crafted CSV file that contains HTML a tag.

9.6
2022-02-11 CVE-2021-22805 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages.

9.1
2022-02-11 CVE-2021-22823 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages.

9.1
2022-02-11 CVE-2021-39635 Google Incorrect Default Permissions vulnerability in Google Android

ims_ex is a vendor system service used to manage VoLTE in unisoc devices,But it does not verify the caller's permissions,so that normal apps (No phone permissions) can obtain some VoLTE sensitive information and manage VoLTE calls.Product: AndroidVersions: Android SoCAndroid ID: A-206492634

9.1
2022-02-11 CVE-2021-44521 Apache Incorrect Permission Assignment for Critical Resource vulnerability in Apache Cassandra

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host.

9.1
2022-02-11 CVE-2022-23806 Golang
Netapp
Debian
Unchecked Return Value vulnerability in multiple products

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

9.1
2022-02-09 CVE-2022-22544 SAP Unspecified vulnerability in SAP Solution Manager 7.20

Solution Manager (Diagnostics Root Cause Analysis Tools) - version 720, allows an administrator to execute code on all connected Diagnostics Agents and browse files on their systems.

9.1
2022-02-09 CVE-2022-0525 Mruby Out-of-bounds Read vulnerability in Mruby

Out-of-bounds Read in Homebrew mruby prior to 3.2.

9.1

212 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-12 CVE-2022-0289 Google Use After Free vulnerability in Google Chrome

Use after free in Safe browsing in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0293 Google Use After Free vulnerability in Google Chrome

Use after free in Web packaging in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0295 Google Use After Free vulnerability in Google Chrome

Use after free in Omnibox in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced the user to engage is specific user interactions to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0296 Google Use After Free vulnerability in Google Chrome

Use after free in Printing in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced the user to engage is specific user interactions to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0297 Google Use After Free vulnerability in Google Chrome

Use after free in Vulkan in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0298 Google Use After Free vulnerability in Google Chrome

Use after free in Scheduling in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0300 Google Use After Free vulnerability in Google Chrome

Use after free in Text Input Method Editor in Google Chrome on Android prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0302 Google Use After Free vulnerability in Google Chrome

Use after free in Omnibox in Google Chrome prior to 97.0.4692.99 allowed an attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0304 Google Use After Free vulnerability in Google Chrome

Use after free in Bookmarks in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0306 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in PDFium in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0307 Google Use After Free vulnerability in Google Chrome

Use after free in Optimization Guide in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0308 Google Use After Free vulnerability in Google Chrome

Use after free in Data Transfer in Google Chrome on Chrome OS prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0310 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via specific user interactions.

8.8
2022-02-12 CVE-2022-0311 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0096 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Storage in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0098 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Screen Capture in Google Chrome on Chrome OS prior to 97.0.4692.71 allowed an attacker who convinced a user to perform specific user gestures to potentially exploit heap corruption via specific user gestures.

8.8
2022-02-12 CVE-2022-0099 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Sign-in in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gestures to potentially exploit heap corruption via specific user gesture.

8.8
2022-02-12 CVE-2022-0100 Google
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in Media streams API in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0101 Google
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in Bookmarks in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gesture to potentially exploit heap corruption via specific user gesture.

8.8
2022-02-12 CVE-2022-0102 Google
Fedoraproject
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0103 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in SwiftShader in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0104 Google
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in ANGLE in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0105 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in PDF Accessibility in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0106 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gesture to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0107 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in File Manager API in Google Chrome on Chrome OS prior to 97.0.4692.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-12 CVE-2022-0115 Google
Fedoraproject
Use of Uninitialized Resource vulnerability in multiple products

Uninitialized use in File API in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

8.8
2022-02-11 CVE-2021-4099 Google Use After Free vulnerability in Google Chrome

Use after free in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-11 CVE-2021-4100 Google Out-of-bounds Write vulnerability in Google Chrome

Object lifecycle issue in ANGLE in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-11 CVE-2021-4101 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-11 CVE-2021-4102 Google Use After Free vulnerability in Google Chrome

Use after free in V8 in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-02-11 CVE-2021-46366 Magnolia CMS Open Redirect vulnerability in Magnolia-Cms Magnolia CMS

An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.

8.8
2022-02-11 CVE-2021-22748 Schneider Electric Unspecified vulnerability in Schneider-Electric C-Bus Toolkit 1.15.7/1.15.8

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow a remote code execution when a file is saved.

8.8
2022-02-11 CVE-2022-24289 Apache Deserialization of Untrusted Data vulnerability in Apache Cayenne

Hessian serialization is a network protocol that supports object-based transmission.

8.8
2022-02-10 CVE-2021-44892 Thinkphp Unspecified vulnerability in Thinkphp 3.2.3

A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges.

8.8
2022-02-09 CVE-2021-0162 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

8.8
2022-02-09 CVE-2021-0163 Intel Improper Input Validation vulnerability in Intel products

Improper Validation of Consistency within input in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

8.8
2022-02-09 CVE-2021-22954 Concretecms Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS

A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users.

8.8
2022-02-09 CVE-2021-33115 Intel Improper Input Validation vulnerability in Intel Uefi Wifi Driver

Improper input validation for some Intel(R) PROSet/Wireless WiFi in UEFI may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

8.8
2022-02-09 CVE-2021-40044 Huawei Unspecified vulnerability in Huawei Emui and Magic UI

There is a permission verification vulnerability in the Bluetooth module.Successful exploitation of this vulnerability may cause unauthorized operations.

8.8
2022-02-09 CVE-2022-22808 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-352: Cross-Site Request Forgery (CSRF) exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass.

8.8
2022-02-09 CVE-2022-23616 Xwiki Unspecified vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

8.8
2022-02-09 CVE-2021-40360 Siemens Insufficiently Protected Credentials vulnerability in Siemens Simatic PCS 7 and Simatic Wincc

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6).

8.8
2022-02-09 CVE-2021-46360 Ocproducts Unrestricted Upload of File with Dangerous Type vulnerability in Ocproducts Composr

Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

8.8
2022-02-09 CVE-2022-24676 Hyphp Unrestricted Upload of File with Dangerous Type vulnerability in Hyphp Hybbs2

update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file upload via a crafted ZIP archive.

8.8
2022-02-08 CVE-2022-23626 Blog Project Unchecked Return Value vulnerability in Blog Project Blog

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog.

8.8
2022-02-08 CVE-2022-21703 Grafana
Netapp
Fedoraproject
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Grafana is an open-source platform for monitoring and observability.

8.8
2022-02-08 CVE-2021-45326 Gitea Cross-Site Request Forgery (CSRF) vulnerability in Gitea

Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes.This can be dangerous especially with state altering POST requests.

8.8
2022-02-08 CVE-2022-23331 Dataease Unspecified vulnerability in Dataease 1.6.1

In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password.

8.8
2022-02-08 CVE-2022-21173 Elecom Unspecified vulnerability in Elecom products

Hidden functionality vulnerability in ELECOM LAN routers (WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware v1.05 and earlier, WRH-300PN3-S firmware v1.05 and earlier, WRH-300WH3-S firmware v1.05 and earlier, and WRH-300YG3-S firmware v1.05 and earlier) allows an attacker on the adjacent network to execute an arbitrary OS command via unspecified vectors.

8.8
2022-02-08 CVE-2022-24450 Nats Missing Authorization vulnerability in Nats Server and Nats Streaming Server

NATS nats-server before 2.7.2 has Incorrect Access Control.

8.8
2022-02-07 CVE-2022-23623 Frourio Unspecified vulnerability in Frourio

Frourio is a full stack framework, for TypeScript.

8.8
2022-02-07 CVE-2022-23624 Frourio Unspecified vulnerability in Frourio Frourio-Express

Frourio-express is a minimal full stack framework, for TypeScript.

8.8
2022-02-07 CVE-2021-3835 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.6.0/2.6.1/3.0.0

Buffer overflow in usb device class.

8.8
2022-02-07 CVE-2021-42833 Xylem Use of Hard-coded Credentials vulnerability in Xylem Aquaview 1.60

A Use of Hardcoded Credentials vulnerability exists in AquaView versions 1.60, 7.x, and 8.x that could allow an authenticated local attacker to manipulate users and system settings.

8.8
2022-02-07 CVE-2021-24879 Supportcandy Cross-Site Request Forgery (CSRF) vulnerability in Supportcandy

The SupportCandy WordPress plugin before 2.2.7 does not have CSRF check in the wpsc_tickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it.

8.8
2022-02-07 CVE-2021-43928 Synology Unspecified vulnerability in Synology Mail Station

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in mail sending and receiving component in Synology Mail Station before 20211105-10315 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

8.8
2022-02-11 CVE-2022-0185 Linux
Netapp
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length.

8.4
2022-02-09 CVE-2021-0066 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access.

8.4
2022-02-12 CVE-2022-0114 Google
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Out of bounds memory access in Blink Serial API in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page and virtual serial port driver.

8.1
2022-02-10 CVE-2022-24647 Cuppacms Path Traversal vulnerability in Cuppacms 1.0

Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function.

8.1
2022-02-10 CVE-2022-20706 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

8.1
2022-02-09 CVE-2021-33113 Intel Improper Input Validation vulnerability in Intel products

Improper input validation for some Intel(R) PROSet/Wireless WiFi in multiple operating systems and Killer(TM) WiFi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service or information disclosure via adjacent access.

8.1
2022-02-09 CVE-2022-22811 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could induce users to perform unintended actions, leading to the override of the system?s configurations when an attacker persuades a user to visit a rogue website.

8.1
2022-02-09 CVE-2022-21660 GIN VUE Admin Project Unspecified vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin

Gin-vue-admin is a backstage management system based on vue and gin.

8.1
2022-02-10 CVE-2022-20703 Cisco Improper Certificate Validation vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

8.0
2022-02-10 CVE-2022-20708 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

8.0
2022-02-12 CVE-2022-22765 BD Use of Hard-coded Credentials vulnerability in BD Viper LT System Firmware 2.0/4.0

BD Viper LT system, versions 2.0 and later, contains hardcoded credentials.

7.8
2022-02-12 CVE-2022-0301 Google Use After Free vulnerability in Google Chrome

Heap buffer overflow in DevTools in Google Chrome prior to 97.0.4692.99 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

7.8
2022-02-11 CVE-2021-46363 Magnolia CMS Improper Neutralization of Formula Elements in a CSV File vulnerability in Magnolia-Cms Magnolia CMS

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files.

7.8
2022-02-11 CVE-2021-46364 Magnolia CMS Deserialization of Untrusted Data vulnerability in Magnolia-Cms Magnolia CMS

A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file.

7.8
2022-02-11 CVE-2021-46365 Magnolia CMS XXE vulnerability in Magnolia-Cms Magnolia CMS

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file.

7.8
2022-02-11 CVE-2021-22796 Schneider Electric Unspecified vulnerability in Schneider-Electric C-Gate Server 2.11.7

A CWE-287: Improper Authentication vulnerability exists that could allow remote code execution when a malicious file is uploaded.

7.8
2022-02-11 CVE-2021-39619 Google Unspecified vulnerability in Google Android 11.0/12.0

In updatePackageMappingsData of UsageStatsService.java, there is a possible way to bypass security and privacy settings of app usage due to an unusual root cause.

7.8
2022-02-11 CVE-2021-39662 Google Missing Authorization vulnerability in Google Android 11.0/12.0

In checkUriPermission of MediaProvider.java , there is a possible way to gain access to the content of media provider collections due to a missing permission check.

7.8
2022-02-11 CVE-2021-39663 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 10.0

In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, there is a possible bypass of a permissions check due to a confused deputy.

7.8
2022-02-11 CVE-2021-39668 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 11.0/12.0

In onActivityViewReady of DetailDialog.kt, there is a possible Intent Redirect due to a confused deputy.

7.8
2022-02-11 CVE-2021-39669 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 11.0/12.0

In onCreate of InstallCaCertificateWarning.java, there is a possible way to mislead an user about CA installation circumstances due to a tapjacking/overlay attack.

7.8
2022-02-11 CVE-2021-39672 Google Unspecified vulnerability in Google Android

In fastboot, there is a possible secure boot bypass due to a configuration error.

7.8
2022-02-11 CVE-2021-39674 Google Use After Free vulnerability in Google Android 10.0/11.0/12.0

In btm_sec_connected and btm_sec_disconnected of btm_sec.cc file , there is a possible use after free.

7.8
2022-02-11 CVE-2021-39676 Google Improper Input Validation vulnerability in Google Android 11.0

In writeThrowable of AndroidFuture.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation.

7.8
2022-02-11 CVE-2022-0483 Acronis Incorrect Permission Assignment for Critical Resource vulnerability in Acronis VSS Doctor

Local privilege escalation due to insecure folder permissions.

7.8
2022-02-11 CVE-2022-22292 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Unprotected dynamic receiver in Telecom prior to SMR Feb-2022 Release 1 allows untrusted applications to launch arbitrary activity.

7.8
2022-02-11 CVE-2022-23428 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

An improper boundary check in eden_runtime hal service prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution.

7.8
2022-02-11 CVE-2022-23853 KDE Uncontrolled Search Path Element vulnerability in KDE Ktexteditor

The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type.

7.8
2022-02-11 CVE-2021-30309 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Improper size validation of QXDM commands can lead to memory corruption in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile

7.8
2022-02-11 CVE-2021-30317 Qualcomm Improper Authentication vulnerability in Qualcomm products

Improper validation of program headers containing ELF metadata can lead to image verification bypass in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

7.8
2022-02-11 CVE-2021-30318 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Improper validation of input when provisioning the HDCP key can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables

7.8
2022-02-11 CVE-2021-30322 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Possible out of bounds write due to improper validation of number of GPIOs configured in an internal parameters array in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile

7.8
2022-02-11 CVE-2021-30323 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Improper validation of maximum size of data write to EFS file can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

7.8
2022-02-11 CVE-2021-35069 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Improper validation of data length received from DMA buffer can lead to memory corruption.

7.8
2022-02-11 CVE-2021-35074 Qualcomm Integer Overflow or Wraparound vulnerability in Qualcomm products

Possible integer overflow due to improper fragment datatype while calculating number of fragments in a request message in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

7.8
2022-02-11 CVE-2021-35075 Qualcomm NULL Pointer Dereference vulnerability in Qualcomm products

Possible null pointer dereference due to lack of WDOG structure validation during registration in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

7.8
2022-02-11 CVE-2021-35077 Qualcomm Use After Free vulnerability in Qualcomm products

Possible use after free scenario in compute offloads to DSP while multiple calls spawn a dynamic process in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

7.8
2022-02-11 CVE-2022-24958 Linux
Fedoraproject
Netapp
Debian
Release of Invalid Pointer or Reference vulnerability in multiple products

drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release.

7.8
2022-02-10 CVE-2022-0554 VIM
Fedoraproject
Debian
Apple
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.
7.8
2022-02-10 CVE-2022-0016 Paloaltonetworks Improper Handling of Exceptional Conditions vulnerability in Paloaltonetworks Globalprotect

An improper handling of exceptional conditions vulnerability exists within the Connect Before Logon feature of the Palo Alto Networks GlobalProtect app that enables a local attacker to escalate to SYSTEM or root privileges when authenticating with Connect Before Logon under certain circumstances.

7.8
2022-02-10 CVE-2022-0017 Paloaltonetworks Link Following vulnerability in Paloaltonetworks Globalprotect

An improper link resolution before file access ('link following') vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances.

7.8
2022-02-10 CVE-2022-20701 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

7.8
2022-02-09 CVE-2021-0091 Intel
Netapp
Improper access control in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable an escalation of privilege via local access.
7.8
2022-02-09 CVE-2021-0099 Intel
Netapp
Insufficient control flow management in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.
7.8
2022-02-09 CVE-2021-0116 Netapp
Intel
Out-of-bounds Write vulnerability in multiple products

Out-of-bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

7.8
2022-02-09 CVE-2021-0117 Netapp
Intel
Pointer issues in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
7.8
2022-02-09 CVE-2021-0156 Netapp
Intel
Improper Input Validation vulnerability in multiple products

Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.

7.8
2022-02-09 CVE-2021-0164 Intel Unspecified vulnerability in Intel products

Improper access control in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2021-22817 Schneider Electric Incorrect Default Permissions vulnerability in Schneider-Electric products

A CWE-276: Incorrect Default Permissions vulnerability exists that could cause unauthorized access to the base installation directory leading to local privilege escalation.

7.8
2022-02-09 CVE-2021-23152 Intel Unspecified vulnerability in Intel Advisor

Improper access control in the Intel(R) Advisor software before version 2021.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2021-33101 Intel Uncontrolled Search Path Element vulnerability in Intel Graphics Performance Analyzers

Uncontrolled search path in the Intel(R) GPA software before version 21.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2021-33129 Intel Incorrect Default Permissions vulnerability in Intel Advisor

Incorrect default permissions in the software installer for the Intel(R) Advisor before version 2021.4.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2021-33137 Intel Out-of-bounds Write vulnerability in Intel Kernelflinger

Out-of-bounds write in the Intel(R) Kernelflinger project may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2021-37109 Huawei Unspecified vulnerability in Huawei Emui 12.0.0

There is a security protection bypass vulnerability with the modem.Successful exploitation of this vulnerability may cause memory protection failure.

7.8
2022-02-09 CVE-2021-39992 Huawei Incorrect Permission Assignment for Critical Resource vulnerability in Huawei Emui 12.0.0

There is an improper security permission configuration vulnerability on ACPU.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.

7.8
2022-02-09 CVE-2021-44454 Intel Improper Input Validation vulnerability in Intel Quartus Prime

Improper input validation in a third-party component for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2022-20024 Google Missing Authorization vulnerability in Google Android 11.0/12.0

In system service, there is a possible permission bypass due to a missing permission check.

7.8
2022-02-09 CVE-2022-20025 Google Out-of-bounds Write vulnerability in Google Android

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-02-09 CVE-2022-20026 Google Out-of-bounds Write vulnerability in Google Android

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-02-09 CVE-2022-20027 Google Out-of-bounds Write vulnerability in Google Android

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-02-09 CVE-2022-20028 Google Out-of-bounds Write vulnerability in Google Android

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-02-09 CVE-2022-20031 Google Use After Free vulnerability in Google Android 10.0/11.0

In fb driver, there is a possible memory corruption due to a use after free.

7.8
2022-02-09 CVE-2022-20040 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In power_hal_manager_service, there is a possible permission bypass due to a stack-based buffer overflow.

7.8
2022-02-09 CVE-2022-20041 Google Missing Authorization vulnerability in Google Android

In Bluetooth, there is a possible escalation of privilege due to a missing permission check.

7.8
2022-02-09 CVE-2022-20043 Google Missing Authorization vulnerability in Google Android

In Bluetooth, there is a possible escalation of privilege due to a missing permission check.

7.8
2022-02-09 CVE-2022-20044 Google Use After Free vulnerability in Google Android

In Bluetooth, there is a possible service crash due to a use after free.

7.8
2022-02-09 CVE-2022-20045 Google Use After Free vulnerability in Google Android

In Bluetooth, there is a possible service crash due to a use after free.

7.8
2022-02-09 CVE-2022-21174 Intel Unspecified vulnerability in Intel Quartus Prime

Improper access control in a third-party component of Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2022-21203 Intel Improper Preservation of Permissions vulnerability in Intel Quartus Prime

Improper permissions in the SafeNet Sentinel driver for Intel(R) Quartus(R) Prime Standard Edition before version 21.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2022-21204 Intel Incorrect Default Permissions vulnerability in Intel Quartus Prime

Improper permissions for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2022-21220 Intel XXE vulnerability in Intel Quartus Prime

Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-02-09 CVE-2022-21825 Citrix Unspecified vulnerability in Citrix Workspace

An Improper Access Control vulnerability exists in Citrix Workspace App for Linux 2012 - 2111 with App Protection installed that can allow an attacker to perform local privilege escalation.

7.8
2022-02-09 CVE-2022-22528 SAP Unspecified vulnerability in SAP Adaptive Server Enterprise 16.0

SAP Adaptive Server Enterprise (ASE) - version 16.0, installation makes an entry in the system PATH environment variable in Windows platform which, under certain conditions, allows a Standard User to execute malicious Windows binaries which may lead to privilege escalation on the local system.

7.8
2022-02-09 CVE-2021-40363 Siemens Unspecified vulnerability in Siemens Simatic PCS 7 and Simatic Wincc

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions <= V17 Update 4), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6).

7.8
2022-02-09 CVE-2021-44000 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.2.0.7), Solid Edge SE2021 (All versions < SE2021MP9), Solid Edge SE2022 (All versions < SE2022MP1), Teamcenter Visualization V13.1 (All versions < V13.1.0.9), Teamcenter Visualization V13.2 (All versions < V13.2.0.7), Teamcenter Visualization V13.3 (All versions < V13.3.0.1).

7.8
2022-02-09 CVE-2021-44016 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.2.0.7), Solid Edge SE2021 (All versions < SE2021MP9), Solid Edge SE2022 (All versions < SE2022MP1), Teamcenter Visualization V13.1 (All versions < V13.1.0.9), Teamcenter Visualization V13.2 (All versions < V13.2.0.7), Teamcenter Visualization V13.3 (All versions < V13.3.0.1).

7.8
2022-02-09 CVE-2021-44018 Siemens Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.2.0.7), Solid Edge SE2021 (All versions < SE2021MP9), Solid Edge SE2022 (All versions < SE2022MP1), Teamcenter Visualization V13.1 (All versions < V13.1.0.9), Teamcenter Visualization V13.2 (All versions < V13.2.0.7), Teamcenter Visualization V13.3 (All versions < V13.3.0.1).

7.8
2022-02-09 CVE-2021-46151 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46152 Siemens Type Confusion vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46153 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46154 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46155 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46156 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46157 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46158 Siemens Improper Validation of Specified Quantity in Input vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46159 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46160 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-46161 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1

A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions).

7.8
2022-02-09 CVE-2021-37852 Eset Improper Privilege Management vulnerability in Eset products

ESET products for Windows allows untrusted process to impersonate the client of a pipe, which can be leveraged by attacker to escalate privileges in the context of NT AUTHORITY\SYSTEM.

7.8
2022-02-08 CVE-2022-0520 Radare
Fedoraproject
Use After Free vulnerability in multiple products

Use After Free in NPM radare2.js prior to 5.6.2.

7.8
2022-02-08 CVE-2022-0523 Radare
Fedoraproject
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2.
7.8
2022-02-07 CVE-2022-23613 Neutrinolabs
Fedoraproject
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

xrdp is an open source remote desktop protocol (RDP) server.

7.8
2022-02-11 CVE-2022-24975 GIT SCM Exposure of Resource to Wrong Sphere vulnerability in Git-Scm GIT

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue.

7.5
2022-02-11 CVE-2021-22785 Schneider Electric Information Exposure vulnerability in Schneider-Electric products

A CWE-200: Information Exposure vulnerability exists that could cause sensitive information of files located in the web root directory to leak when an attacker sends a HTTP request to the web server of the device.

7.5
2022-02-11 CVE-2021-22787 Schneider Electric Improper Input Validation vulnerability in Schneider-Electric products

A CWE-20: Improper Input Validation vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request to the web server of the device.

7.5
2022-02-11 CVE-2021-22788 Schneider Electric Out-of-bounds Write vulnerability in Schneider-Electric products

A CWE-787: Out-of-bounds Write vulnerability exists that could cause denial of service when an attacker sends a specially crafted HTTP request to the web server of the device.

7.5
2022-02-11 CVE-2021-22798 Schneider Electric Unspecified vulnerability in Schneider-Electric Conext Combox Firmware

A CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause Sensitive data such as login credentials being exposed when a Network is sniffed.

7.5
2022-02-11 CVE-2021-22800 Schneider Electric Unspecified vulnerability in Schneider-Electric Modicon M218 Firmware 4.3/5.0.0.7/5.1.0.6

A CWE-20: Improper Input Validation vulnerability exists that could cause a Denial of Service when a crafted packet is sent to the controller over network port 1105/TCP.

7.5
2022-02-11 CVE-2021-22804 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause disclosure of arbitrary files being read in the context of the user running IGSS, due to missing validation of user supplied data in network messages.

7.5
2022-02-11 CVE-2021-22806 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability exists that could cause data exfiltration and unauthorized access when accessing a malicious website.

7.5
2022-02-11 CVE-2021-22824 Schneider Electric Classic Buffer Overflow vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in denial of service, due to missing length check on user-supplied data from a constructed message received on the network.

7.5
2022-02-11 CVE-2021-39677 Google Out-of-bounds Read vulnerability in Google Android 11.0

In startVideoStream() there is a possibility of an OOB Read in the heap, when the camera buffer is ‘zero’ in size.Product: AndroidVersions: Android-11Android ID: A-205097028

7.5
2022-02-11 CVE-2021-23597 Fastify Unspecified vulnerability in Fastify Fastify-Multipart

This affects the package fastify-multipart before 5.3.1.

7.5
2022-02-11 CVE-2020-13670 Drupal Exposure of Resource to Wrong Sphere vulnerability in Drupal

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

7.5
2022-02-11 CVE-2020-13677 Drupal Unspecified vulnerability in Drupal

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.

7.5
2022-02-11 CVE-2021-30326 Qualcomm Reachable Assertion vulnerability in Qualcomm products

Possible assertion due to improper size validation while processing the DownlinkPreemption IE in an RRC Reconfiguration/RRC Setup message in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

7.5
2022-02-11 CVE-2022-23772 Golang
Netapp
Debian
Integer Overflow or Wraparound vulnerability in multiple products

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

7.5
2022-02-11 CVE-2022-23773 Golang
Netapp
Interpretation Conflict vulnerability in multiple products

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags.

7.5
2022-02-10 CVE-2022-24646 Phpgurukul SQL Injection vulnerability in PHPgurukul Hospital Management System 4.0

Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/contact.php via the txtMsg parameters.

7.5
2022-02-10 CVE-2022-23630 Gradle Unspecified vulnerability in Gradle

Gradle is a build tool with a focus on build automation and support for multi-language development.

7.5
2022-02-10 CVE-2022-24916 Optimism Unspecified vulnerability in Optimism Eth-Optimism/L2Geth

Optimism before @eth-optimism/[email protected] allows economic griefing because a balance is duplicated upon contract self-destruction.

7.5
2022-02-10 CVE-2022-20709 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

7.5
2022-02-09 CVE-2021-26613 Tobesoft Improper Input Validation vulnerability in Tobesoft Nexacro

improper input validation vulnerability in nexacro permits copying file to the startup folder using rename method.

7.5
2022-02-09 CVE-2022-0391 Python
Netapp
Fedoraproject
Oracle
Injection vulnerability in multiple products

A flaw was found in Python, specifically within the urllib.parse module.

7.5
2022-02-09 CVE-2022-21205 Intel XXE vulnerability in Intel Quartus Prime

Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access.

7.5
2022-02-09 CVE-2022-22533 SAP Unspecified vulnerability in SAP Netweaver Application Server Java

Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer.

7.5
2022-02-09 CVE-2022-22540 SAP Unspecified vulnerability in SAP Netweaver Application Server Abap

SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database.

7.5
2022-02-09 CVE-2022-22543 SAP Unspecified vulnerability in SAP Netweaver Abap and Netweaver AS Abap

SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) - versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49, does not sufficiently validate sap-passport information, which could lead to a Denial-of-Service attack.

7.5
2022-02-09 CVE-2022-24314 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-125: Out-of-bounds Read vulnerability exists that could cause memory leaks potentially resulting in denial of service when an attacker repeatedly sends a specially crafted message.

7.5
2022-02-09 CVE-2022-24315 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service when an attacker repeatedly sends a specially crafted message.

7.5
2022-02-09 CVE-2022-24316 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-665: Improper Initialization vulnerability exists that could cause information exposure when an attacker sends a specially crafted message.

7.5
2022-02-09 CVE-2022-24317 Schneider Electric Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server

A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message.

7.5
2022-02-09 CVE-2022-24318 Schneider Electric Inadequate Encryption Strength vulnerability in Schneider-Electric products

A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used.

7.5
2022-02-09 CVE-2022-24321 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause Denial of Service against the Geo SCADA server when receiving a malformed HTTP request.

7.5
2022-02-09 CVE-2022-24666 Apple Unspecified vulnerability in Apple Swiftnio Http/2

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame.

7.5
2022-02-09 CVE-2022-24667 Apple Integer Overflow or Wraparound vulnerability in Apple Swiftnio Http/2

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block.

7.5
2022-02-09 CVE-2022-24668 Apple Unspecified vulnerability in Apple Swiftnio Http/2

A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames.

7.5
2022-02-09 CVE-2022-23619 Xwiki Weak Password Recovery Mechanism for Forgotten Password vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

7.5
2022-02-09 CVE-2021-41442 Dlink HTTP Request Smuggling vulnerability in Dlink Dir-X1860 Firmware 1.03

An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.

7.5
2022-02-09 CVE-2021-37194 Siemens Unrestricted Upload of File with Dangerous Type vulnerability in Siemens Comos

A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used).

7.5
2022-02-09 CVE-2021-46354 Cybelesoft Exposure of Resource to Wrong Sphere vulnerability in Cybelesoft Thinfinity Virtualui 2.1.28.0/2.1.32.1/2.5.26.2

Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site.

7.5
2022-02-09 CVE-2022-0538 Jenkins Deserialization of Untrusted Data vulnerability in Jenkins

Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.

7.5
2022-02-08 CVE-2022-0524 Publify Project Unspecified vulnerability in Publify Project Publify

Business Logic Errors in GitHub repository publify/publify prior to 9.2.7.

7.5
2022-02-08 CVE-2021-45325 Gitea Server-Side Request Forgery (SSRF) vulnerability in Gitea

Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL.

7.5
2022-02-08 CVE-2022-21193 Dounokouno Path Traversal vulnerability in Dounokouno Transmitmail 2.5.0/2.6.0/2.6.1

Directory traversal vulnerability in TransmitMail 2.5.0 to 2.6.1 allows a remote unauthenticated attacker to obtain an arbitrary file on the server via unspecified vectors.

7.5
2022-02-07 CVE-2022-21712 Twisted
Debian
Fedoraproject
twisted is an event-driven networking engine written in Python.
7.5
2022-02-07 CVE-2021-24839 Supportcandy Missing Authorization vulnerability in Supportcandy

The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action.

7.5
2022-02-07 CVE-2021-46389 High Resolution Streaming Image Server Project Integer Overflow or Wraparound vulnerability in High Resolution Streaming Image Server Project High Resolution Streaming Image Server

IIPImage High Resolution Streaming Image Server prior to commit 882925b295a80ec992063deffc2a3b0d803c3195 is affected by an integer overflow in iipsrv.fcgi through malformed HTTP query parameters.

7.5
2022-02-07 CVE-2021-46359 Fisco Bcos Unspecified vulnerability in Fisco-Bcos 3.0.0

FISCO-BCOS release-3.0.0-rc2 contains a denial of service vulnerability.

7.5
2022-02-07 CVE-2022-23320 Xerox Improper Authentication vulnerability in Xerox Xmpie Ustore 12.3.7244.0

XMPie uStore 12.3.7244.0 allows for administrators to generate reports based on raw SQL queries.

7.5
2022-02-07 CVE-2022-22680 Synology Unspecified vulnerability in Synology Diskstation Manager

Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors.

7.5
2022-02-11 CVE-2021-4098 Google Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Chrome

Insufficient data validation in Mojo in Google Chrome prior to 96.0.4664.110 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

7.4
2022-02-09 CVE-2022-22807 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes.

7.4
2022-02-09 CVE-2021-41441 Dlink Improper Resource Shutdown or Release vulnerability in Dlink Dir-X1860 Firmware 1.03

A DoS attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to reboot the router via sending a specially crafted URL to an authenticated victim.

7.4
2022-02-10 CVE-2022-20707 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

7.3
2022-02-11 CVE-2022-0557 Microweber OS Command Injection vulnerability in Microweber

OS Command Injection in Packagist microweber/microweber prior to 1.2.11.

7.2
2022-02-10 CVE-2022-20702 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

7.2
2022-02-09 CVE-2022-23048 Exponentcms Unrestricted Upload of File with Dangerous Type vulnerability in Exponentcms Exponent CMS 2.6.0

Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it.

7.2
2022-02-09 CVE-2022-22566 Dell Unspecified vulnerability in Dell products

Select Dell Client Commercial and Consumer platforms contain a pre-boot direct memory access (DMA) vulnerability.

7.2
2022-02-11 CVE-2022-23427 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

PendingIntent hijacking vulnerability in KnoxPrivacyNoticeReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission via implicit Intent.

7.1
2022-02-08 CVE-2022-0518 Radare
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.2.

7.1
2022-02-08 CVE-2022-0519 Radare
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2.

7.1
2022-02-08 CVE-2022-0521 Radare
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2.

7.1
2022-02-08 CVE-2022-0522 Radare
Fedoraproject
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2.

7.1
2022-02-07 CVE-2021-25095 Ip2Location Unspecified vulnerability in Ip2Location Country Blocker

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

7.1
2022-02-07 CVE-2021-25108 Ip2Location Cross-Site Request Forgery (CSRF) vulnerability in Ip2Location Country Blocker

The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

7.1

246 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-10 CVE-2021-44850 AMD Insufficient Verification of Data Authenticity vulnerability in AMD products

On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM.

6.8
2022-02-09 CVE-2022-20034 Google Improper Certificate Validation vulnerability in Google Android 11.0

In Preloader XFLASH, there is a possible escalation of privilege due to an improper certificate validation.

6.8
2022-02-08 CVE-2022-23627 Archisteamfarm Project Incorrect Authorization vulnerability in Archisteamfarm Project Archisteamfarm

ArchiSteamFarm (ASF) is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously.

6.8
2022-02-07 CVE-2021-3861 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.6.0/2.6.1

The RNDIS USB device class includes a buffer overflow vulnerability.

6.8
2022-02-11 CVE-2022-23431 Google Classic Buffer Overflow vulnerability in Google Android 10.0/11.0/12.0

An improper boundary check in RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution.

6.7
2022-02-11 CVE-2022-23432 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

An improper input validation in SMC_SRPMB_WSM handler of RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution.

6.7
2022-02-11 CVE-2021-30324 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Possible out of bound write due to lack of boundary check for the maximum size of buffer when sending a DCI packet to remote process in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

6.7
2022-02-11 CVE-2021-30325 Qualcomm Improper Validation of Array Index vulnerability in Qualcomm products

Possible out of bound access of DCI resources due to lack of validation process and resource allocation in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

6.7
2022-02-09 CVE-2021-0103 Intel
Netapp
Insufficient control flow management in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
6.7
2022-02-09 CVE-2021-0107 Intel
Netapp
Unchecked Return Value vulnerability in multiple products

Unchecked return value in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0111 Intel
Netapp
NULL Pointer Dereference vulnerability in multiple products

NULL pointer dereference in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0115 Intel
Netapp
Classic Buffer Overflow vulnerability in multiple products

Buffer overflow in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0118 Netapp
Intel
Out-of-bounds Read vulnerability in multiple products

Out-of-bounds read in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0161 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0166 Intel Information Exposure vulnerability in Intel products

Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0167 Intel Unspecified vulnerability in Intel products

Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0168 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-02-09 CVE-2021-0169 Intel Uncontrolled Search Path Element vulnerability in Intel products

Uncontrolled Search Path Element in software for Intel(R) PROSet/Wireless Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-02-09 CVE-2022-20030 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In vow driver, there is a possible out of bounds write due to a stack-based buffer overflow.

6.7
2022-02-09 CVE-2022-20038 Google Out-of-bounds Write vulnerability in Google Android 11.0

In ccu driver, there is a possible memory corruption due to an incorrect bounds check.

6.7
2022-02-09 CVE-2022-20039 Google Integer Overflow or Wraparound vulnerability in Google Android 11.0

In ccu driver, there is a possible memory corruption due to an integer overflow.

6.7
2022-02-09 CVE-2021-0060 Intel
Netapp
Insufficient compartmentalization in HECI subsystem for the Intel(R) SPS before versions SPS_E5_04.01.04.516.0, SPS_E5_04.04.04.033.0, SPS_E5_04.04.03.281.0, SPS_E5_03.01.03.116.0, SPS_E3_05.01.04.309.0, SPS_02.04.00.101.0, SPS_SoC-A_05.00.03.114.0, SPS_SoC-X_04.00.04.326.0, SPS_SoC-X_03.00.03.117.0, IGN_E5_91.00.00.167.0, SPS_PHI_03.01.03.078.0 may allow an authenticated user to potentially enable escalation of privilege via physical access.
6.6
2022-02-09 CVE-2021-0124 Netapp
Intel
Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.
6.6
2022-02-09 CVE-2021-0125 Netapp
Intel
Improper Initialization vulnerability in multiple products

Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

6.6
2022-02-12 CVE-2022-0291 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Storage in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0292 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Fenced Frames in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0294 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Push messaging in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0305 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Service Worker API in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0309 Google Incorrect Authorization vulnerability in Google Chrome

Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0108 Google
Fedoraproject
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0109 Google
Fedoraproject
Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page.
6.5
2022-02-12 CVE-2022-0111 Google
Fedoraproject
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to incorrectly set origin via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0113 Google
Fedoraproject
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0117 Google
Fedoraproject
Incorrect Authorization vulnerability in multiple products

Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

6.5
2022-02-12 CVE-2022-0120 Google
Fedoraproject
Origin Validation Error vulnerability in multiple products

Inappropriate implementation in Passwords in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially leak cross-origin data via a malicious website.

6.5
2022-02-11 CVE-2021-39665 Google Out-of-bounds Write vulnerability in Google Android 12.0

In checkSpsUpdated of AAVCAssembler.cpp, there is a possible out of bounds read due to a heap buffer overflow.

6.5
2022-02-11 CVE-2021-39671 Google Use of Uninitialized Resource vulnerability in Google Android 12.0

In code generated by aidl_const_expressions.cpp, there is a possible out of bounds read due to uninitialized data.

6.5
2022-02-11 CVE-2022-24925 Google Improper Input Validation vulnerability in Google Android 12.0

Improper input validation vulnerability in SettingsProvider prior to Android S(12) allows privileged attackers to trigger a permanent denial of service attack on a victim's devices.

6.5
2022-02-11 CVE-2020-13674 Drupal Cross-Site Request Forgery (CSRF) vulnerability in Drupal

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.

6.5
2022-02-11 CVE-2020-13676 Drupal Incorrect Authorization vulnerability in Drupal

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.

6.5
2022-02-11 CVE-2021-45385 Rockcarry NULL Pointer Dereference vulnerability in Rockcarry Ffjpeg 20211206

A Null Pointer Dereference vulnerability exits in ffjpeg d5cfd49 (2021-12-06) in bmp_load().

6.5
2022-02-10 CVE-2021-42000 Pingidentity Unspecified vulnerability in Pingidentity Pingfederate

When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.

6.5
2022-02-10 CVE-2022-0011 Paloaltonetworks Interpretation Conflict vulnerability in Paloaltonetworks Pan-Os

PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category.

6.5
2022-02-10 CVE-2022-0018 Paloaltonetworks Information Exposure vulnerability in Paloaltonetworks Globalprotect

An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration.

6.5
2022-02-10 CVE-2022-20680 Cisco Unspecified vulnerability in Cisco Prime Service Catalog

A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive information on an affected device.

6.5
2022-02-10 CVE-2021-37613 Stormshield Unspecified vulnerability in Stormshield Network Security

Stormshield Network Security (SNS) 1.0.0 through 4.2.3 allows a Denial of Service.

6.5
2022-02-09 CVE-2021-0165 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0172 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0173 Intel Improper Input Validation vulnerability in Intel products

Improper Validation of Consistency within input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0174 Intel Improper Input Validation vulnerability in Intel products

Improper Use of Validation Framework in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0175 Intel Improper Input Validation vulnerability in Intel products

Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0177 Intel Improper Input Validation vulnerability in Intel products

Improper Validation of Consistency within input in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0178 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0179 Intel Improper Input Validation vulnerability in Intel products

Improper Use of Validation Framework in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-0183 Intel Improper Input Validation vulnerability in Intel products

Improper Validation of Specified Index, Position, or Offset in Input in software for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2021-33068 Intel
Netapp
NULL Pointer Dereference vulnerability in multiple products

Null pointer dereference in subsystem for Intel(R) AMT before versions 15.0.35 may allow an authenticated user to potentially enable denial of service via network access.

6.5
2022-02-09 CVE-2021-33110 Intel Improper Input Validation vulnerability in Intel products

Improper input validation for some Intel(R) Wireless Bluetooth(R) products and Killer(TM) Bluetooth(R) products in Windows 10 and 11 before version 22.80 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-02-09 CVE-2022-22535 SAP Unspecified vulnerability in SAP ERP Human Capital Management 600/604/608

SAP ERP HCM Portugal - versions 600, 604, 608, does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area.

6.5
2022-02-09 CVE-2022-22537 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens a manipulated Tagged Image File Format (.tiff, 2d.x3d)) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.5
2022-02-09 CVE-2022-22538 SAP Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens a manipulated Adobe Illustrator file format (.ai, ai.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.5
2022-02-09 CVE-2022-22539 SAP Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9

When a user opens a manipulated JPEG file format (.jpg, 2d.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.

6.5
2022-02-09 CVE-2022-22542 SAP Unspecified vulnerability in SAP S/4Hana 104/105/106

S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor that is not explicitly authorized to have access to that information, which could compromise Confidentiality.

6.5
2022-02-09 CVE-2022-22780 Zoom Resource Exhaustion vulnerability in Zoom Meetings

The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3.

6.5
2022-02-09 CVE-2022-23617 Xwiki Unspecified vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

6.5
2022-02-09 CVE-2021-45106 Siemens Use of Hard-coded Credentials vulnerability in Siemens Sicam Toolbox II

A vulnerability has been identified in SICAM TOOLBOX II (All versions).

6.5
2022-02-09 CVE-2021-3813 Chatwoot Authorization Bypass Through User-Controlled Key vulnerability in Chatwoot

Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2.

6.5
2022-02-08 CVE-2021-44864 TP Link Classic Buffer Overflow vulnerability in Tp-Link Wn886N Firmware 1.0.1

TP-Link WR886N 3.0 1.0.1 Build 150127 Rel.34123n is vulnerable to Buffer Overflow.

6.5
2022-02-08 CVE-2021-44956 Rockcarry Out-of-bounds Write vulnerability in Rockcarry Ffjpeg

Two Heap based buffer overflow vulnerabilities exist in ffjpeg through 01.01.2021.

6.5
2022-02-08 CVE-2021-44957 Rockcarry Classic Buffer Overflow vulnerability in Rockcarry Ffjpeg

Global buffer overflow vulnerability exist in ffjpeg through 01.01.2021.

6.5
2022-02-08 CVE-2022-0504 Microweber Unspecified vulnerability in Microweber

Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.

6.5
2022-02-08 CVE-2022-0505 Microweber Unspecified vulnerability in Microweber

Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.

6.5
2022-02-07 CVE-2021-24843 Supportcandy Cross-Site Request Forgery (CSRF) vulnerability in Supportcandy

The SupportCandy WordPress plugin before 2.2.7 does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action.

6.5
2022-02-07 CVE-2021-24928 Rearrange Woocommerce Products Project Unspecified vulnerability in Rearrange Woocommerce products Project Rearrange Woocommerce products

The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any authenticated user, such as subscriber, to modify arbitrary post content (for example with an XSS payload), as well as exfiltrate any data by copying it to another post.

6.5
2022-02-07 CVE-2021-24947 Thinkupthemes Unrestricted Upload of File with Dangerous Type vulnerability in Thinkupthemes Responsive Vector Maps

The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server

6.5
2022-02-07 CVE-2021-24993 Etoilewebdesign Cross-Site Request Forgery (CSRF) vulnerability in Etoilewebdesign Ultimate Product Catalog

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example

6.5
2022-02-07 CVE-2021-25096 Ip2Location Authorization Bypass Through User-Controlled Key vulnerability in Ip2Location Country Blocker

The IP2Location Country Blocker WordPress plugin before 2.26.5 bans can be bypassed by using a specific parameter in the URL

6.5
2022-02-09 CVE-2021-0119 Netapp
Intel
Improper Initialization vulnerability in multiple products

Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

6.2
2022-02-11 CVE-2020-13668 Drupal Cross-site Scripting vulnerability in Drupal

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

6.1
2022-02-11 CVE-2020-13669 Drupal Cross-site Scripting vulnerability in Drupal

Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS.

6.1
2022-02-11 CVE-2020-13672 Drupal Cross-site Scripting vulnerability in Drupal

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

6.1
2022-02-11 CVE-2020-13673 Drupal Cross-site Scripting vulnerability in Drupal Entity Embed 8.X1.0/8.X1.1/8.X1.2

The Entity Embed module provides a filter to allow embedding entities in content fields.

6.1
2022-02-11 CVE-2022-0560 Microweber Unspecified vulnerability in Microweber

Open Redirect in Packagist microweber/microweber prior to 1.2.11.

6.1
2022-02-10 CVE-2021-45357 Piwigo Cross-site Scripting vulnerability in Piwigo 12.0.0/12.1.0

Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.

6.1
2022-02-10 CVE-2021-31814 Stormshield Missing Authentication for Critical Function vulnerability in Stormshield Network Security

In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client.

6.1
2022-02-10 CVE-2021-41445 Dlink Cross-site Scripting vulnerability in Dlink Dir-X1860 Firmware 1.03

A reflected cross-site-scripting attack in web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to execute code in the device of the victim via sending a specific URL to the unauthenticated victim.

6.1
2022-02-09 CVE-2022-22534 SAP Cross-site Scripting vulnerability in SAP Netweaver

Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password.

6.1
2022-02-09 CVE-2022-22812 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a web session compromise when an attacker injects and then executes arbitrary malicious JavaScript code inside the target browser.

6.1
2022-02-09 CVE-2022-23622 Xwiki Unspecified vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

6.1
2022-02-09 CVE-2022-23618 Xwiki Unspecified vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

6.1
2022-02-09 CVE-2022-23102 Siemens Open Redirect vulnerability in Siemens Sinema Remote Connect Server

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0).

6.1
2022-02-09 CVE-2022-23312 Siemens Cross-site Scripting vulnerability in Siemens Spectrum Power 4 4.70

A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP9 Security Patch 1).

6.1
2022-02-09 CVE-2022-0526 Chatwoot Unspecified vulnerability in Chatwoot

Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0.

6.1
2022-02-09 CVE-2022-0527 Chatwoot Unspecified vulnerability in Chatwoot

Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0.

6.1
2022-02-09 CVE-2022-24682 Zimbra Improper Encoding or Escaping of Output vulnerability in Zimbra Collaboration

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021.

6.1
2022-02-08 CVE-2021-45329 Gitea Cross-site Scripting vulnerability in Gitea

Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.

6.1
2022-02-08 CVE-2021-45328 Gitea Open Redirect vulnerability in Gitea

Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.

6.1
2022-02-08 CVE-2022-21805 Econosys System Cross-site Scripting vulnerability in Econosys-System PHP Mailform

Reflected cross-site scripting vulnerability in the attached file name of php_mailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors.

6.1
2022-02-08 CVE-2022-22142 Econosys System Cross-site Scripting vulnerability in Econosys-System PHP Mailform

Reflected cross-site scripting vulnerability in the checkbox of php_mailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors.

6.1
2022-02-08 CVE-2022-22146 Dounokouno Cross-site Scripting vulnerability in Dounokouno Transmitmail 2.5.0/2.6.0/2.6.1

Cross-site scripting vulnerability in TransmitMail 2.5.0 to 2.6.1 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors.

6.1
2022-02-07 CVE-2021-45281 Quickbox Cross-site Scripting vulnerability in Quickbox 2.4.8/2.5.8

QuickBox Pro v2.4.8 contains a cross-site scripting (XSS) vulnerability at "adminuseredit.php?usertoedit=XSS", as the user supplied input for the value of this parameter is not properly sanitized.

6.1
2022-02-07 CVE-2022-21813 Nvidia Improper Handling of Exceptional Conditions vulnerability in Nvidia products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.

6.1
2022-02-07 CVE-2022-21814 Nvidia Improper Handling of Exceptional Conditions vulnerability in Nvidia products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.

6.1
2022-02-07 CVE-2022-0149 Visser Unspecified vulnerability in Visser Store Exporter for Woocommerce

The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page.

6.1
2022-02-07 CVE-2021-24878 Supportcandy Cross-site Scripting vulnerability in Supportcandy

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue

6.1
2022-02-07 CVE-2021-25077 Visser Cross-site Scripting vulnerability in Visser Store Toolkit for Woocommerce

The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting

6.1
2022-02-07 CVE-2022-23184 Octopus Open Redirect vulnerability in Octopus Deploy

In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.

6.1
2022-02-11 CVE-2022-23426 Google Unspecified vulnerability in Google Android 10.0/11.0

A vulnerability using PendingIntent in DeX Home and DeX for PC prior to SMR Feb-2022 Release 1 allows attackers to access files with system privilege.

6.0
2022-02-11 CVE-2022-23634 Puma
Rubyonrails
Debian
Fedoraproject
Improper Resource Shutdown or Release vulnerability in multiple products

Puma is a Ruby/Rack web server built for parallelism.

5.9
2022-02-11 CVE-2022-24968 Mellium Improper Certificate Validation vulnerability in Mellium Xmpp

In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail.

5.9
2022-02-11 CVE-2022-23633 Rubyonrails
Debian
Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products

Action Pack is a framework for handling and responding to web requests.

5.9
2022-02-09 CVE-2022-24319 Schneider Electric Improper Certificate Validation vulnerability in Schneider-Electric products

A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA web server are intercepted.

5.9
2022-02-09 CVE-2022-24320 Schneider Electric Improper Certificate Validation vulnerability in Schneider-Electric products

A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted.

5.9
2022-02-09 CVE-2022-0536 Follow Redirects Project Unspecified vulnerability in Follow-Redirects Project Follow-Redirects

Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.

5.9
2022-02-10 CVE-2021-3398 Stormshield Integer Overflow or Wraparound vulnerability in Stormshield Network Security

Stormshield Network Security (SNS) 3.x has an Integer Overflow in the high-availability component.

5.8
2022-02-09 CVE-2021-33114 Intel Improper Input Validation vulnerability in Intel products

Improper input validation for some Intel(R) PROSet/Wireless WiFi in multiple operating systems and Killer(TM) WiFi in Windows 10 and 11 may allow an authenticated user to potentially enable denial of service via adjacent access.

5.7
2022-02-09 CVE-2021-33139 Intel Improper Check for Unusual or Exceptional Conditions vulnerability in Intel products

Improper conditions check in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.100 may allow an authenticated user to potentially enable denial of service via adjacent access.

5.7
2022-02-09 CVE-2021-33155 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.100 may allow an authenticated user to potentially enable denial of service via adjacent access.

5.7
2022-02-11 CVE-2022-22766 BD Use of Hard-coded Credentials vulnerability in BD products

Hardcoded credentials are used in specific BD Pyxis products.

5.5
2022-02-11 CVE-2021-0524 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.0

In isServiceDistractionOptimized of CarPackageManagerService.java, there is a possible disclosure of installed packages due to side channel information disclosure.

5.5
2022-02-11 CVE-2021-39631 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

In clear_data_dlg_text of strings.xml, there is a possible situation when "Clear storage" functionality sets up the wrong security/privacy expectations due to a misleading message.

5.5
2022-02-11 CVE-2021-39664 Google Out-of-bounds Read vulnerability in Google Android 12.0

In LoadedPackage::Load of LoadedArsc.cpp, there is a possible out of bounds read due to a missing bounds check.

5.5
2022-02-11 CVE-2021-39666 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In extract of MediaMetricsItem.h, there is a possible out of bounds read due to improper input validation.

5.5
2022-02-11 CVE-2021-39687 Google Out-of-bounds Read vulnerability in Google Android

In HandleTransactionIoEvent of actuator_driver.cc, there is a possible out of bounds read due to a heap buffer overflow.

5.5
2022-02-11 CVE-2021-39688 Google Out-of-bounds Read vulnerability in Google Android

In TBD of TBD, there is a possible out of bounds read due to TBD.

5.5
2022-02-11 CVE-2022-0382 Linux Missing Initialization of Resource vulnerability in Linux Kernel

An information leak flaw was found due to uninitialized memory in the Linux kernel's TIPC protocol subsystem, in the way a user sends a TIPC datagram to one or more destinations.

5.5
2022-02-11 CVE-2022-0561 Libtiff
Redhat
Fedoraproject
Debian
Netapp
NULL Pointer Dereference vulnerability in multiple products

Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file.

5.5
2022-02-11 CVE-2022-0562 Libtiff
Fedoraproject
Debian
Netapp
NULL Pointer Dereference vulnerability in multiple products

Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file.

5.5
2022-02-11 CVE-2022-22291 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Logging of excessive data vulnerability in telephony prior to SMR Feb-2022 Release 1 allows privileged attackers to get Cell Location Information through log of user device.

5.5
2022-02-11 CVE-2022-23998 Samsung Incorrect Authorization vulnerability in Samsung Camera

Improper access control vulnerability in Camera prior to versions 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9) allows untrusted applications to take a picture in screenlock status.

5.5
2022-02-11 CVE-2021-45386 Broadcom Reachable Assertion vulnerability in Broadcom Tcpreplay 4.3.4

tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv6() at tree.c

5.5
2022-02-11 CVE-2021-45387 Broadcom Reachable Assertion vulnerability in Broadcom Tcpreplay 4.3.4

tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv4() at tree.c.

5.5
2022-02-11 CVE-2021-45402 Linux Exposure of Resource to Wrong Sphere vulnerability in Linux Kernel

The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."

5.5
2022-02-11 CVE-2022-24959 Linux
Debian
Memory Leak vulnerability in multiple products

An issue was discovered in the Linux kernel before 5.16.5.

5.5
2022-02-10 CVE-2022-0019 Paloaltonetworks Insufficiently Protected Credentials vulnerability in Paloaltonetworks Globalprotect

An insufficiently protected credentials vulnerability exists in the Palo Alto Networks GlobalProtect app on Linux that exposes the hashed credentials of GlobalProtect users that saved their password during previous GlobalProtect app sessions to other local users on the system.

5.5
2022-02-10 CVE-2022-0021 Paloaltonetworks Information Exposure Through Log Files vulnerability in Paloaltonetworks Globalprotect

An information exposure through log file vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that logs the cleartext credentials of the connecting GlobalProtect user when authenticating using Connect Before Logon feature.

5.5
2022-02-09 CVE-2021-0072 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-0076 Intel Improper Input Validation vulnerability in Intel products

Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable denial of service via local access.

5.5
2022-02-09 CVE-2021-0127 Netapp
Intel
Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access.
5.5
2022-02-09 CVE-2021-0145 Netapp
Intel
Improper Initialization vulnerability in multiple products

Improper initialization of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-0170 Intel Information Exposure vulnerability in Intel products

Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-0171 Intel Unspecified vulnerability in Intel products

Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-33061 Intel Unspecified vulnerability in Intel products

Insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.

5.5
2022-02-09 CVE-2021-33096 Intel Exposure of Resource to Wrong Sphere vulnerability in Intel products

Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.

5.5
2022-02-09 CVE-2021-33105 Intel Out-of-bounds Read vulnerability in Intel Core I5-8305G Firmware and Core I7-8706G Firmware

Out-of-bounds read in some Intel(R) Core(TM) processors with Radeon(TM) RX Vega M GL integrated graphics before version 21.10 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-33119 Intel Unspecified vulnerability in Intel Realsense Depth Camera Manager 1.5/2.2/3.4

Improper access control in the Intel(R) RealSense(TM) DCM before version 20210625 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-33147 Intel Improper Check for Unusual or Exceptional Conditions vulnerability in Intel Integrated Performance Primitives Cryptography 2018U3.1/2019/2020

Improper conditions check in the Intel(R) IPP Crypto library before version 2021.2 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-33166 Intel Incorrect Default Permissions vulnerability in Intel Retail Experience Tool

Incorrect default permissions for the Intel(R) RXT for Chromebook application, all versions, may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2021-37107 Huawei Out-of-bounds Write vulnerability in Huawei Emui 12.0.0

There is an improper memory access permission configuration on ACPU.Successful exploitation of this vulnerability may cause out-of-bounds access.

5.5
2022-02-09 CVE-2021-37115 Huawei Unspecified vulnerability in Huawei Emui 12.0.0

There is an unauthorized rewriting vulnerability with the memory access management module on ACPU.Successful exploitation of this vulnerability may affect service confidentiality.

5.5
2022-02-09 CVE-2021-39986 Huawei Unspecified vulnerability in Huawei Emui 12.0.0

There is an unauthorized rewriting vulnerability with the memory access management module on ACPU.Successful exploitation of this vulnerability may affect service confidentiality.

5.5
2022-02-09 CVE-2021-39991 Huawei Unspecified vulnerability in Huawei Emui 12.0.0

There is an unauthorized rewriting vulnerability with the memory access management module on ACPU.Successful exploitation of this vulnerability may affect service confidentiality.

5.5
2022-02-09 CVE-2021-40045 Huawei Improper Verification of Cryptographic Signature vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a vulnerability of signature verification mechanism failure in system upgrade through recovery mode.Successful exploitation of this vulnerability may affect service confidentiality.

5.5
2022-02-09 CVE-2022-0529 Unzip Project
Redhat
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

A flaw was found in Unzip.

5.5
2022-02-09 CVE-2022-0530 Unzip Project
Redhat
Fedoraproject
Apple
Debian
A flaw was found in Unzip.
5.5
2022-02-09 CVE-2022-0534 Htmldoc Project
Debian
Out-of-bounds Read vulnerability in multiple products

A vulnerability was found in htmldoc version 1.9.15 where the stack out-of-bounds read takes place in gif_get_code() and occurs when opening a malicious GIF file, which can result in a crash (segmentation fault).

5.5
2022-02-09 CVE-2022-20017 Google Improper Input Validation vulnerability in Google Android 10.0/11.0/12.0

In ion driver, there is a possible information disclosure due to an incorrect bounds check.

5.5
2022-02-09 CVE-2022-20036 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

In ion driver, there is a possible information disclosure due to an incorrect bounds check.

5.5
2022-02-09 CVE-2022-20037 Google Improper Input Validation vulnerability in Google Android 10.0/11.0

In ion driver, there is a possible information disclosure due to an incorrect bounds check.

5.5
2022-02-09 CVE-2022-20042 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

In Bluetooth, there is a possible information disclosure due to incorrect error handling.

5.5
2022-02-09 CVE-2022-20046 Google Memory Leak vulnerability in Google Android

In Bluetooth, there is a possible memory corruption due to a logic error.

5.5
2022-02-09 CVE-2022-21133 Intel Out-of-bounds Read vulnerability in Intel Trace Analyzer and Collector 2017/2020

Out-of-bounds read in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable denial of service via local access.

5.5
2022-02-09 CVE-2022-21153 Intel Unspecified vulnerability in Intel Capital Global Summit

Improper access control in the Intel(R) Capital Global Summit Android application may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2022-21156 Intel Access of Uninitialized Pointer vulnerability in Intel Trace Analyzer and Collector 2017/2020

Access of uninitialized pointer in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable denial of service via local access.

5.5
2022-02-09 CVE-2022-21157 Intel Unspecified vulnerability in Intel Smart Campus

Improper access control in the Intel(R) Smart Campus Android application before version 6.1 may allow authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2022-21218 Intel Improper Handling of Exceptional Conditions vulnerability in Intel Trace Analyzer and Collector 2017/2020

Uncaught exception in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-09 CVE-2022-21226 Intel Out-of-bounds Read vulnerability in Intel Trace Analyzer and Collector 2017/2020

Out-of-bounds read in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable information disclosure via local access.

5.5
2022-02-07 CVE-2022-21815 Nvidia NULL Pointer Dereference vulnerability in Nvidia products

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash.

5.5
2022-02-07 CVE-2022-21816 Nvidia Missing Authentication for Critical Function vulnerability in Nvidia Cloud Gaming Virtual GPU and Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service.

5.5
2022-02-11 CVE-2021-4046 Tcman Cross-site Scripting vulnerability in Tcman GIM 8.0.1/8.01

The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks.

5.4
2022-02-11 CVE-2022-23707 Elastic Cross-site Scripting vulnerability in Elastic Kibana

An XSS vulnerability was found in Kibana index patterns.

5.4
2022-02-11 CVE-2022-24926 Samsung Cross-site Scripting vulnerability in Samsung Smarttagplugin

Improper input validation vulnerability in SmartTagPlugin prior to version 1.2.15-6 allows privileged attackers to trigger a XSS on a victim's devices.

5.4
2022-02-11 CVE-2021-46355 Factorfx Cross-site Scripting vulnerability in Factorfx OCS Inventory 2.9.1

OCS Inventory 2.9.1 is affected by Cross Site Scripting (XSS).

5.4
2022-02-10 CVE-2021-44970 1234N Cross-site Scripting vulnerability in 1234N Minicms 1.11

MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php.

5.4
2022-02-10 CVE-2022-0020 Paloaltonetworks Cross-site Scripting vulnerability in Paloaltonetworks Cortex Xsoar 6.1.0/6.2.0

A stored cross-site scripting (XSS) vulnerability in Palo Alto Network Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent javascript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations.

5.4
2022-02-10 CVE-2022-0558 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

5.4
2022-02-09 CVE-2021-33120 Intel Out-of-bounds Read vulnerability in Intel products

Out of bounds read under complex microarchitectural condition in memory subsystem for some Intel Atom(R) Processors may allow authenticated user to potentially enable information disclosure or cause denial of service via network access.

5.4
2022-02-09 CVE-2022-22546 SAP Unspecified vulnerability in SAP Businessobjects web Intelligence 420

Due to improper HTML encoding in input control summary, an authorized attacker can execute XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420.

5.4
2022-02-09 CVE-2022-23049 Exponentcms Cross-site Scripting vulnerability in Exponentcms Exponent CMS 2.6.0

Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in.

5.4
2022-02-09 CVE-2022-23620 Xwiki Improper Encoding or Escaping of Output vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

5.4
2022-02-09 CVE-2022-23615 Xwiki Incorrect Authorization vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

5.4
2022-02-09 CVE-2021-44911 Xpressengine Cross-site Scripting vulnerability in Xpressengine

XE before 1.11.6 is vulnerable to Unrestricted file upload via modules/menu/menu.admin.controller.php.

5.4
2022-02-09 CVE-2021-44912 Xpressengine Cross-site Scripting vulnerability in Xpressengine

In XE 1.116, when uploading the Normal button, there is no restriction on the file suffix, which leads to any file uploading to the files directory.

5.4
2022-02-09 CVE-2022-0539 Beanstalk Console Project Cross-site Scripting vulnerability in Beanstalk Console Project Beanstalk Console

Cross-site Scripting (XSS) - Stored in Packagist ptrofimov/beanstalk_console prior to 1.7.14.

5.4
2022-02-09 CVE-2022-23378 Tastyigniter Cross-site Scripting vulnerability in Tastyigniter 3.2.2

A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter.

5.4
2022-02-08 CVE-2021-45919 Std42 Cross-site Scripting vulnerability in Std42 Elfinder

Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.

5.4
2022-02-08 CVE-2022-21702 Grafana
Netapp
Fedoraproject
Cross-site Scripting vulnerability in multiple products

Grafana is an open-source platform for monitoring and observability.

5.4
2022-02-08 CVE-2022-0510 Pimcore Unspecified vulnerability in Pimcore

Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore prior to 10.3.1.

5.4
2022-02-08 CVE-2022-0509 Pimcore Unspecified vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.3.1.

5.4
2022-02-08 CVE-2022-0506 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

5.4
2022-02-07 CVE-2022-0148 Premio Cross-site Scripting vulnerability in Premio Mystickyelements

The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin page.

5.4
2022-02-07 CVE-2021-24880 Supportcandy Cross-site Scripting vulnerability in Supportcandy

The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

5.4
2022-02-07 CVE-2021-25106 Wpeka Cross-site Scripting vulnerability in Wpeka Wplegalpages

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them.

5.4
2022-02-07 CVE-2021-43929 Synology Cross-site Scripting vulnerability in Synology Diskstation Manager

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

5.4
2022-02-11 CVE-2022-23433 Samsung Unspecified vulnerability in Samsung Reminder 11.6.08.6000/12.2.05.6000

Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10) allows attackers to register reminders or execute exporeted activities remotely.

5.3
2022-02-11 CVE-2022-24002 Samsung Unspecified vulnerability in Samsung Link Sharing

Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity.

5.3
2022-02-11 CVE-2022-24003 Samsung Unspecified vulnerability in Samsung Bixby Vision

Exposure of Sensitive Information vulnerability in Bixby Vision prior to version 3.7.50.6 allows attackers to access internal data of Bixby Vision via unprotected intent.

5.3
2022-02-11 CVE-2022-24924 Samsung Unspecified vulnerability in Samsung Livewallpaperservice

An improper access control in LiveWallpaperService prior to versions 3.0.9.0 allows to create a specific named system directory without a proper permission.

5.3
2022-02-10 CVE-2022-20710 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

5.3
2022-02-10 CVE-2022-24111 Mahara Missing Authentication for Critical Function vulnerability in Mahara

In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.

5.3
2022-02-10 CVE-2021-45901 Servicenow Information Exposure Through Discrepancy vulnerability in Servicenow Jakarta

The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists.

5.3
2022-02-09 CVE-2022-22809 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations.

5.3
2022-02-09 CVE-2022-23628 Openpolicyagent Unspecified vulnerability in Openpolicyagent Open Policy Agent

OPA is an open source, general-purpose policy engine.

5.3
2022-02-09 CVE-2021-45286 Zzcms Path Traversal vulnerability in Zzcms 2021

Directory Traversal vulnerability exists in ZZCMS 2021 via the skin parameter in 1) index.php, 2) bottom.php, and 3) top_index.php.

5.3
2022-02-09 CVE-2021-40837 F Secure Unspecified vulnerability in F-Secure products

A vulnerability affecting F-Secure antivirus engine before Capricorn update 2022-02-01_01 was discovered whereby decompression of ACE file causes the scanner service to stop.

5.3
2022-02-08 CVE-2022-0508 Framasoft Unspecified vulnerability in Framasoft Peertube

Server-Side Request Forgery (SSRF) in GitHub repository chocobozzz/peertube prior to f33e515991a32885622b217bf2ed1d1b0d9d6832

5.3
2022-02-08 CVE-2022-21799 Elecom Cross-site Scripting vulnerability in Elecom Wrc-300Febk-R Firmware

Cross-site scripting vulnerability in ELECOM LAN router WRC-300FEBK-R firmware v1.13 and earlier allows an attacker on the adjacent network to inject an arbitrary script via unspecified vectors.

5.2
2022-02-09 CVE-2022-22567 Dell Insufficient Verification of Data Authenticity vulnerability in Dell products

Select Dell Client Commercial and Consumer platforms are vulnerable to an insufficient verification of data authenticity vulnerability.

5.1
2022-02-09 CVE-2022-22545 SAP Unspecified vulnerability in SAP Netweaver Abap

A high privileged user who has access to transaction SM59 can read connection details stored with the destination for http calls in SAP NetWeaver Application Server ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756.

4.9
2022-02-09 CVE-2022-23621 Xwiki Missing Authorization vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

4.9
2022-02-07 CVE-2021-25004 Seur Oficial Project Files or Directories Accessible to External Parties vulnerability in Seur Oficial Project Seur Oficial

The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page.

4.9
2022-02-07 CVE-2022-22679 Synology Path Traversal vulnerability in Synology Diskstation Manager

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors.

4.9
2022-02-11 CVE-2021-4035 Wocu Monitoring Cross-site Scripting vulnerability in Wocu-Monitoring Wocu Monitoring

A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor.

4.8
2022-02-10 CVE-2021-44969 Taogogo Cross-site Scripting vulnerability in Taogogo Taocms 3.0.2

Taocms v3.0.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Management Column component.

4.8
2022-02-10 CVE-2022-23321 Xerox Cross-site Scripting vulnerability in Xerox Xmpie Ustore 12.3.7244.0

A persistent cross-site scripting (XSS) vulnerability exists on two input fields within the administrative panel when editing users in the XMPie UStore application on version 12.3.7244.0.

4.8
2022-02-10 CVE-2022-20704 Cisco Out-of-bounds Write vulnerability in Cisco products

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

4.8
2022-02-09 CVE-2022-23047 Exponentcms Cross-site Scripting vulnerability in Exponentcms Exponent CMS 2.6.0

Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"

4.8
2022-02-08 CVE-2021-20877 Canon Cross-site Scripting vulnerability in Canon products

Cross-site scripting vulnerability in Canon laser printers and small office multifunctional printers (LBP162L/LBP162, MF4890dw, MF269dw/MF265dw/MF264dw/MF262dw, MF249dw/MF245dw/MF244dw/MF242dw/MF232w, and MF229dw/MF224dw/MF222dw sold in Japan, imageCLASS MF Series (MF113W/MF212W/MF217W/MF227DW/MF229DW, MF232W/MF244DW/MF247DW/MF249DW, MF264DW/MF267DW/MF269DW/MF269DW VP, and MF4570DN/MF4570DW/MF4770N/MF4880DW/MF4890DW) and imageCLASS LBP Series (LBP113W/LBP151DW/LBP162DW ) sold in the US, and iSENSYS (LBP162DW, LBP113W, LBP151DW, MF269dw, MF267dw, MF264dw, MF113w, MF249dw, MF247dw, MF244dw, MF237w, MF232w, MF229dw, MF217w, MF212w, MF4780w, and MF4890dw) and imageRUNNER (2206IF, 2204N, and 2204F) sold in Europe) allows remote attackers to inject an arbitrary script via unspecified vectors.

4.8
2022-02-07 CVE-2021-25029 Cluevo Cross-site Scripting vulnerability in Cluevo Learning Management System

The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-02-07 CVE-2021-25105 Ivorysearch Cross-site Scripting vulnerability in Ivorysearch Ivory Search

The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-02-07 CVE-2022-0473 Otrs Cross-site Scripting vulnerability in Otrs

OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check.

4.8
2022-02-09 CVE-2021-40015 Huawei Race Condition vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a race condition vulnerability in the binder driver subsystem in the kernel.Successful exploitation of this vulnerability may affect kernel stability.

4.7
2022-02-07 CVE-2021-25103 Gtranslate Cross-site Scripting vulnerability in Gtranslate Translate Wordpress With Gtranslate

The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.

4.7
2022-02-11 CVE-2022-24001 Google Unspecified vulnerability in Google Android 12.0

Information disclosure vulnerability in Edge Panel prior to Android S(12) allows physical attackers to access screenshot in clipboard via Edge Panel.

4.6
2022-02-09 CVE-2021-33107 Intel Insufficiently Protected Credentials vulnerability in Intel products

Insufficiently protected credentials in USB provisioning for Intel(R) AMT SDK before version 16.0.3, Intel(R) SCS before version 12.2 and Intel(R) MEBx before versions 11.0.0.0012, 12.0.0.0011, 14.0.0.0004 and 15.0.0.0004 may allow an unauthenticated user to potentially enable information disclosure via physical access.

4.6
2022-02-11 CVE-2021-44111 S Cart Path Traversal vulnerability in S-Cart

A Directory Traversal vulnerability exists in S-Cart 6.7 via download in sc-admin/backup.

4.4
2022-02-11 CVE-2022-23429 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

An improper boundary check in audio hal service prior to SMR Feb-2022 Release 1 allows attackers to read invalid memory and it leads to application crash.

4.4
2022-02-10 CVE-2022-20630 Cisco Information Exposure Through Log Files vulnerability in Cisco DNA Center

A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text.

4.4
2022-02-09 CVE-2021-0092 Intel
Netapp
Resource Exhaustion vulnerability in multiple products

Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

4.4
2022-02-09 CVE-2021-0093 Intel
Netapp
Incorrect Default Permissions vulnerability in multiple products

Incorrect default permissions in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.

4.4
2022-02-09 CVE-2021-0147 Intel Improper Locking vulnerability in Intel Power Management Controller Pmcfwlbgb021Ww02A

Improper locking in the Power Management Controller (PMC) for some Intel Chipset firmware before versions pmc_fw_lbg_c1-21ww02a and pmc_fw_lbg_b0-21ww02a may allow a privileged user to potentially enable denial of service via local access.

4.4
2022-02-09 CVE-2021-0176 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable denial of service via local access.

4.4
2022-02-09 CVE-2022-20029 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In cmdq driver, there is a possible out of bounds read due to an incorrect bounds check.

4.4
2022-02-09 CVE-2022-20033 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In camera driver, there is a possible out of bounds read due to an incorrect bounds check.

4.4
2022-02-09 CVE-2022-20035 Google Use After Free vulnerability in Google Android 10.0/11.0

In vcu driver, there is a possible information disclosure due to a use after free.

4.4
2022-02-12 CVE-2022-0110 Google
Fedoraproject
Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products

Incorrect security UI in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2022-02-12 CVE-2022-0112 Google
Fedoraproject
Incorrect security UI in Browser UI in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to display missing URL or incorrect URL via a crafted URL.
4.3
2022-02-12 CVE-2022-0116 Google
Fedoraproject
Inappropriate implementation in Compositing in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
4.3
2022-02-12 CVE-2022-0118 Google
Fedoraproject
Inappropriate implementation in WebShare in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially hide the contents of the Omnibox (URL bar) via a crafted HTML page.
4.3
2022-02-09 CVE-2021-39943 Gitlab Incorrect Authorization vulnerability in Gitlab

An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call

4.3
2022-02-09 CVE-2022-23256 Microsoft Unspecified vulnerability in Microsoft Azure Data Explorer

Azure Data Explorer Spoofing Vulnerability

4.3
2022-02-09 CVE-2022-24694 Mahara Files or Directories Accessible to External Parties vulnerability in Mahara

In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the Files area can be seen by a person not owning the folders.

4.3
2022-02-08 CVE-2022-21713 Grafana
Netapp
Fedoraproject
Authorization Bypass Through User-Controlled Key vulnerability in multiple products

Grafana is an open-source platform for monitoring and observability.

4.3
2022-02-07 CVE-2022-22931 Apache Path Traversal vulnerability in Apache James 3.6.1

Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations.

4.3
2022-02-07 CVE-2021-25084 Bracketspace Unspecified vulnerability in Bracketspace Advanced Cron Manager

The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced Cron Manager Pro WordPress plugin before 2.5.3 do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example

4.3
2022-02-09 CVE-2022-0532 Kubernetes
Redhat
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier.

4.2
2022-02-09 CVE-2022-20032 Google Race Condition vulnerability in Google Android 10.0/11.0/12.0

In vow driver, there is a possible memory corruption due to a race condition.

4.1

11 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-09 CVE-2022-22779 Keybase Improper Cross-boundary Removal of Sensitive Data vulnerability in Keybase

The Keybase Clients for macOS and Windows before version 5.9.0 fails to properly remove exploded messages initiated by a user.

3.7
2022-02-07 CVE-2022-0474 Otrs Information Exposure vulnerability in Otrs Custom Contact Fields

Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually.

3.5
2022-02-11 CVE-2022-23434 Samsung Unspecified vulnerability in Samsung Bixby 3.7.50.6

A vulnerability using PendingIntent in Bixby Vision prior to versions 3.7.60.8 in Android S(12), 3.7.50.6 in Andorid R(11) and below allows attackers to execute privileged action by hijacking and modifying the intent.

3.3
2022-02-11 CVE-2022-23994 Samsung Unspecified vulnerability in Samsung Wear OS

An Improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.

3.3
2022-02-11 CVE-2022-23995 Samsung Incorrect Default Permissions vulnerability in Samsung Wear OS

Unprotected component vulnerability in StBedtimeModeAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.

3.3
2022-02-11 CVE-2022-23996 Samsung Incorrect Default Permissions vulnerability in Samsung Wear OS

Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission.

3.3
2022-02-11 CVE-2022-23997 Samsung Unspecified vulnerability in Samsung Wear OS

Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to disable theater mode without a proper permission.

3.3
2022-02-11 CVE-2022-23999 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

PendingIntent hijacking vulnerability in CpaReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent.

3.3
2022-02-11 CVE-2022-24000 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

PendingIntent hijacking vulnerability in DataUsageReminderReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent.

3.3
2022-02-11 CVE-2022-24923 Samsung Unspecified vulnerability in Samsung Searchwidget

Improper access control vulnerability in Samsung SearchWidget prior to versions 2.3.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.

3.3
2022-02-09 CVE-2021-25939 Arangodb Server-Side Request Forgery (SSRF) vulnerability in Arangodb

In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL.

2.7