Weekly Vulnerabilities Reports > February 7 to 13, 2022
Overview
538 new vulnerabilities were reported during this period, including 69 critical vulnerabilities and 212 high severity vulnerabilities. This weekly summary reports vulnerabilities in 2548 products from 143 vendors including Google, Intel, Fedoraproject, Schneider Electric, and Netapp. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Improper Input Validation", "Use After Free", and "Out-of-bounds Read".
- 321 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 84 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 305 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 108 reported vulnerabilities.
- Schneider Electric has the most reported critical vulnerabilities, with 11 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
69 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-09 | CVE-2022-22536 | SAP | Unspecified vulnerability in SAP products SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. | 10.0 |
2022-02-11 | CVE-2021-42940 | Projeqtor | Cross-site Scripting vulnerability in Projeqtor A Cross Site Scripting (XSS) vulnerability exists in Projeqtor 9.3.1 via /projeqtor/tool/saveAttachment.php, which allows an attacker to upload a SVG file containing malicious JavaScript code. | 9.9 |
2022-02-09 | CVE-2021-36302 | Dell | Improper Privilege Management vulnerability in Dell EMC Integrated System for Microsoft Azure Stack HUB Firmware All Dell EMC Integrated System for Microsoft Azure Stack Hub versions contain a privilege escalation vulnerability. | 9.9 |
2022-02-11 | CVE-2021-46361 | Magnolia CMS | Unspecified vulnerability in Magnolia-Cms Magnolia CMS An issue in the Freemark Filter of Magnolia CMS v6.2.11 and below allows attackers to bypass security restrictions and execute arbitrary code via a crafted FreeMarker payload. | 9.8 |
2022-02-11 | CVE-2021-46362 | Magnolia CMS | Code Injection vulnerability in Magnolia-Cms Magnolia CMS A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted payload entered into the fullname parameter. | 9.8 |
2022-02-11 | CVE-2021-20001 | Skolelinux Debian | Incorrect Default Permissions vulnerability in multiple products It was discovered that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation. | 9.8 |
2022-02-11 | CVE-2021-23555 | VM2 Project | Unspecified vulnerability in VM2 Project VM2 The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of stacktraces, which can lead to execution of arbitrary code on the host machine. | 9.8 |
2022-02-11 | CVE-2020-26728 | Tenda | Unspecified vulnerability in Tenda AC9 Firmware 15.03.05.19(6318)Cn/15.03.06.42Multi A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request. | 9.8 |
2022-02-11 | CVE-2020-14521 | Mitsubishielectric | Incorrect Default Permissions vulnerability in Mitsubishielectric products Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. | 9.8 |
2022-02-11 | CVE-2020-14523 | Mitsubishielectric | Path Traversal vulnerability in Mitsubishielectric products Multiple Mitsubishi Electric Factory Automation products have a vulnerability that allows an attacker to execute arbitrary code. | 9.8 |
2022-02-11 | CVE-2021-22801 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Connexium Network Manager A CWE-269: Improper Privilege Management vulnerability exists that could cause an arbitrary command execution when the software is configured with specially crafted event actions. | 9.8 |
2022-02-11 | CVE-2021-22802 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in remote code execution due to missing length check on user supplied data, when a constructed message is received on the network. | 9.8 |
2022-02-11 | CVE-2021-22803 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could lead to remote code execution through a number of paths, when an attacker, writes arbitrary files to folders in context of the DC module, by sending constructed messages on the network. | 9.8 |
2022-02-11 | CVE-2021-31932 | Nokia | Unspecified vulnerability in Nokia BTS TRS web Console Ftmw20Fp22019.08.160010 Nokia BTS TRS web console FTM_W20_FP2_2019.08.16_0010 allows Authentication Bypass. | 9.8 |
2022-02-11 | CVE-2021-34235 | TSG Solutions | SQL Injection vulnerability in Tsg-Solutions Tokheim Profleet Dialog 11.005.02 Tokheim Profleet DiaLOG 11.005.02 is affected by SQL Injection. | 9.8 |
2022-02-11 | CVE-2021-39616 | Google | Unspecified vulnerability in Google Android Summary: Product: Android; Versions: Android SoC; Android ID: A-204686438 | 9.8 |
2022-02-11 | CVE-2021-39658 | Google | Incorrect Default Permissions vulnerability in Google Android ismsEx service is a vendor service in unisoc equipment. ismsEx service is an extension of sms system service, but it does not check the permissions of the caller, resulting in permission leaks. Third-party apps can use this service to arbitrarily modify and set system properties. Product: Android; Versions: Android SoC; Android ID: A-207479207 | 9.8 |
2022-02-11 | CVE-2021-39675 | Google | Out-of-bounds Write vulnerability in Google Android 12.0 In GKI_getbuf of gki_buffer.cc, there is a possible out of bounds write due to a heap buffer overflow. | 9.8 |
2022-02-11 | CVE-2022-23425 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0/12.0 Improper input validation in Exynos baseband prior to SMR Feb-2022 Release 1 allows attackers to send arbitrary NAS signaling messages with fake base station. | 9.8 |
2022-02-11 | CVE-2022-24927 | Samsung | Improper Privilege Management vulnerability in Samsung Video Player Improper privilege management vulnerability in Samsung Video Player prior to version 7.3.15.30 allows attackers to execute video files without permission. | 9.8 |
2022-02-11 | CVE-2020-13675 | Drupal | Unrestricted Upload of File with Dangerous Type vulnerability in Drupal Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. | 9.8 |
2022-02-11 | CVE-2020-36062 | Phpgurukul | Use of Hard-coded Credentials vulnerability in PHPgurukul Dairy Farm Shop Management System 1.0 Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code which allows attackers access to the control panel if compromised. | 9.8 |
2022-02-11 | CVE-2021-38679 | Qnap | Improper Authentication vulnerability in Qnap Kazoo Server 4.10.12/4.10.9/4.11.20 An improper authentication vulnerability has been reported to affect QNAP NAS running Kazoo Server. | 9.8 |
2022-02-11 | CVE-2022-24112 | Apache | Authentication Bypass by Spoofing vulnerability in Apache Apisix An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. | 9.8 |
2022-02-11 | CVE-2021-35068 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Lack of null check while freeing the device information buffer in the Bluetooth HFP protocol can lead to a NULL pointer dereference in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables | 9.8 |
2022-02-11 | CVE-2022-24961 | Portainer | Unspecified vulnerability in Portainer In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days. | 9.8 |
2022-02-11 | CVE-2022-24954 | Foxit | Out-of-bounds Write vulnerability in Foxit PDF Editor and PDF Reader Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2.1 have a Stack-Based Buffer Overflow related to XFA, for the 'subform colSpan="-2"' and 'draw colSpan="1"' substrings. | 9.8 |
2022-02-11 | CVE-2022-24955 | Foxit | Uncontrolled Search Path Element vulnerability in Foxit PDF Editor and PDF Reader Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2.1 have an Uncontrolled Search Path Element for DLL files. | 9.8 |
2022-02-10 | CVE-2021-45364 | Statamic | Unspecified vulnerability in Statamic A Code Execution vulnerability exists in Statamic Version through 3.2.26 via SettingsController.php. | 9.8 |
2022-02-10 | CVE-2022-24568 | Xxyopen | Server-Side Request Forgery (SSRF) vulnerability in Xxyopen Novel-Plus 3.6.0 Novel-plus v3.6.0 was discovered to be vulnerable to Server-Side Request Forgery (SSRF) via user-supplied crafted input. | 9.8 |
2022-02-10 | CVE-2022-20699 | Cisco | Improper Validation of Specified Quantity in Input vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
2022-02-10 | CVE-2022-20700 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
2022-02-10 | CVE-2022-20705 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
2022-02-10 | CVE-2022-20711 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
2022-02-10 | CVE-2022-20712 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
2022-02-10 | CVE-2022-20738 | Cisco | Unspecified vulnerability in Cisco Umbrella Secure web Gateway A vulnerability in the Cisco Umbrella Secure Web Gateway service could allow an unauthenticated, remote attacker to bypass the file inspection feature. | 9.8 |
2022-02-10 | CVE-2022-20749 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 9.8 |
2022-02-09 | CVE-2021-26616 | Secuwiz | OS Command Injection vulnerability in Secuwiz Secuwayssl U 2.0.0.4/2.0.0.8 An OS command injection was found in SecuwaySSL, when special characters injection on execute command with runCommand arguments. | 9.8 |
2022-02-09 | CVE-2021-39994 | Huawei | Unspecified vulnerability in Huawei Emui 12.0.0 There is an arbitrary address access vulnerability with the product line test code. Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. | 9.8 |
2022-02-09 | CVE-2021-39997 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui 12.0.0 There is a vulnerability of unstrict input parameter verification in the audio assembly. Successful exploitation of this vulnerability may cause out-of-bounds access. | 9.8 |
2022-02-09 | CVE-2022-0162 | TP Link | Cleartext Transmission of Sensitive Information vulnerability in Tp-Link Tl-Wr841N Firmware 3.16.9 The vulnerability exists in TP-Link TL-WR841N V11 3.16.9 Build 160325 Rel.62500n wireless router due to transmission of authentication information in cleartext base64 format. | 9.8 |
2022-02-09 | CVE-2022-22532 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Java In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. | 9.8 |
2022-02-09 | CVE-2022-22810 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. | 9.8 |
2022-02-09 | CVE-2022-22813 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-798: Use of Hard-coded Credentials vulnerability exists. | 9.8 |
2022-02-09 | CVE-2022-24310 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. | 9.8 |
2022-02-09 | CVE-2022-24311 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by inserting at beginning of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message. | 9.8 |
2022-02-09 | CVE-2022-24312 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by adding at end of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message. | 9.8 |
2022-02-09 | CVE-2022-24313 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. | 9.8 |
2022-02-09 | CVE-2022-23631 | Blitzjs | Unspecified vulnerability in Blitzjs Blitz and Superjson superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. | 9.8 |
2022-02-09 | CVE-2021-45330 | Gitea | Incomplete Cleanup vulnerability in Gitea An issue exists in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remaining valid on the server side for reuse. | 9.8 |
2022-02-09 | CVE-2021-45331 | Gitea | Improper Authentication vulnerability in Gitea An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. | 9.8 |
2022-02-09 | CVE-2022-24677 | Hyphp | Unspecified vulnerability in Hyphp Hybbs2 Admin.php in HYBBS2 through 2.3.2 allows remote code execution because it writes plugin-related configuration information to conf.php. | 9.8 |
2022-02-08 | CVE-2022-0139 | Radare | Unspecified vulnerability in Radare Radare2 Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0. | 9.8 |
2022-02-08 | CVE-2021-45327 | Gitea | Interpretation Conflict vulnerability in Gitea Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. | 9.8 |
2022-02-08 | CVE-2022-23340 | Joplin Project | Unspecified vulnerability in Joplin Project Joplin 2.6.10 Joplin 2.6.10 allows remote attackers to execute system commands through malicious code in user search results. | 9.8 |
2022-02-07 | CVE-2021-25114 | Strangerstudios | SQL Injection vulnerability in Strangerstudios Paid Memberships PRO The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection. | 9.8 |
2022-02-07 | CVE-2021-43925 | Synology | SQL Injection vulnerability in Synology Diskstation Manager Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors. | 9.8 |
2022-02-07 | CVE-2021-43926 | Synology | SQL Injection vulnerability in Synology Diskstation Manager Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors. | 9.8 |
2022-02-07 | CVE-2021-43927 | Synology | SQL Injection vulnerability in Synology Diskstation Manager Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors. | 9.8 |
2022-02-12 | CVE-2022-0290 | Google | Use After Free vulnerability in Google Chrome Use after free in Site isolation in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
2022-02-12 | CVE-2022-0097 | Google Fedoraproject | Inappropriate implementation in DevTools in Google Chrome prior to 97.0.4692.71 allowed an attacker who convinced a user to install a malicious extension to potentially allow extension to escape the sandbox via a crafted HTML page. | 9.6 |
2022-02-08 | CVE-2022-21241 | CSV Project | Cross-site Scripting vulnerability in Csv+ Project Csv+ Cross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a remote unauthenticated attacker to inject an arbitrary script or an arbitrary OS command via a specially crafted CSV file that contains HTML a tag. | 9.6 |
2022-02-11 | CVE-2021-22805 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. | 9.1 |
2022-02-11 | CVE-2021-22823 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. | 9.1 |
2022-02-11 | CVE-2021-39635 | Google | Incorrect Default Permissions vulnerability in Google Android ims_ex is a vendor system service used to manage VoLTE in unisoc devices, but it does not verify the caller's permissions, so that normal apps (No phone permissions) can obtain some VoLTE sensitive information and manage VoLTE calls. Product: Android; Versions: Android SoC; Android ID: A-206492634 | 9.1 |
2022-02-11 | CVE-2021-44521 | Apache | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Cassandra When running Apache Cassandra with the following configuration (enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, enable_user_defined_functions_threads: false), it is possible for an attacker to execute arbitrary code on the host. | 9.1 |
2022-02-11 | CVE-2022-23806 | Golang Netapp Debian | Unchecked Return Value vulnerability in multiple products Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. | 9.1 |
2022-02-09 | CVE-2022-22544 | SAP | Unspecified vulnerability in SAP Solution Manager 7.20 Solution Manager (Diagnostics Root Cause Analysis Tools) - version 720, allows an administrator to execute code on all connected Diagnostics Agents and browse files on their systems. | 9.1 |
2022-02-09 | CVE-2022-0525 | Mruby | Out-of-bounds Read vulnerability in Mruby Out-of-bounds Read in Homebrew mruby prior to 3.2. | 9.1 |
212 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-12 | CVE-2022-0289 | Google | Use After Free vulnerability in Google Chrome Use after free in Safe browsing in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0293 | Google | Use After Free vulnerability in Google Chrome Use after free in Web packaging in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0295 | Google | Use After Free vulnerability in Google Chrome Use after free in Omnibox in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced the user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0296 | Google | Use After Free vulnerability in Google Chrome Use after free in Printing in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced the user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0297 | Google | Use After Free vulnerability in Google Chrome Use after free in Vulkan in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0298 | Google | Use After Free vulnerability in Google Chrome Use after free in Scheduling in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0300 | Google | Use After Free vulnerability in Google Chrome Use after free in Text Input Method Editor in Google Chrome on Android prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0302 | Google | Use After Free vulnerability in Google Chrome Use after free in Omnibox in Google Chrome prior to 97.0.4692.99 allowed an attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0304 | Google | Use After Free vulnerability in Google Chrome Use after free in Bookmarks in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0306 | Google | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in PDFium in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0307 | Google | Use After Free vulnerability in Google Chrome Use after free in Optimization Guide in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0308 | Google | Use After Free vulnerability in Google Chrome Use after free in Data Transfer in Google Chrome on Chrome OS prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0310 | Google | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via specific user interactions. | 8.8 |
2022-02-12 | CVE-2022-0311 | Google | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0096 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Storage in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0098 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Screen Capture in Google Chrome on Chrome OS prior to 97.0.4692.71 allowed an attacker who convinced a user to perform specific user gestures to potentially exploit heap corruption via specific user gestures. | 8.8 |
2022-02-12 | CVE-2022-0099 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Sign-in in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gestures to potentially exploit heap corruption via specific user gesture. | 8.8 |
2022-02-12 | CVE-2022-0100 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Media streams API in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0101 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Bookmarks in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gesture to potentially exploit heap corruption via specific user gesture. | 8.8 |
2022-02-12 | CVE-2022-0102 | Google Fedoraproject | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0103 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in SwiftShader in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0104 | Google Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in ANGLE in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0105 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in PDF Accessibility in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0106 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gesture to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0107 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in File Manager API in Google Chrome on Chrome OS prior to 97.0.4692.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-12 | CVE-2022-0115 | Google Fedoraproject | Use of Uninitialized Resource vulnerability in multiple products Uninitialized use in File API in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | 8.8 |
2022-02-11 | CVE-2021-4099 | Google | Use After Free vulnerability in Google Chrome Use after free in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-11 | CVE-2021-4100 | Google | Out-of-bounds Write vulnerability in Google Chrome Object lifecycle issue in ANGLE in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-11 | CVE-2021-4101 | Google | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-11 | CVE-2021-4102 | Google | Use After Free vulnerability in Google Chrome Use after free in V8 in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2022-02-11 | CVE-2021-46366 | Magnolia CMS | Open Redirect vulnerability in Magnolia-Cms Magnolia CMS An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials. | 8.8 |
2022-02-11 | CVE-2021-22748 | Schneider Electric | Unspecified vulnerability in Schneider-Electric C-Bus Toolkit 1.15.7/1.15.8 A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow a remote code execution when a file is saved. | 8.8 |
2022-02-11 | CVE-2022-24289 | Apache | Deserialization of Untrusted Data vulnerability in Apache Cayenne Hessian serialization is a network protocol that supports object-based transmission. | 8.8 |
2022-02-10 | CVE-2021-44892 | Thinkphp | Unspecified vulnerability in Thinkphp 3.2.3 A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges. | 8.8 |
2022-02-09 | CVE-2021-0162 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 8.8 |
2022-02-09 | CVE-2021-0163 | Intel | Improper Input Validation vulnerability in Intel products Improper Validation of Consistency within input in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 8.8 |
2022-02-09 | CVE-2021-22954 | Concretecms | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. | 8.8 |
2022-02-09 | CVE-2021-33115 | Intel | Improper Input Validation vulnerability in Intel Uefi Wifi Driver Improper input validation for some Intel(R) PROSet/Wireless WiFi in UEFI may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 8.8 |
2022-02-09 | CVE-2021-40044 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a permission verification vulnerability in the Bluetooth module. Successful exploitation of this vulnerability may cause unauthorized operations. | 8.8 |
2022-02-09 | CVE-2022-22808 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-352: Cross-Site Request Forgery (CSRF) exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass. | 8.8 |
2022-02-09 | CVE-2022-23616 | Xwiki | Unspecified vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 8.8 |
2022-02-09 | CVE-2021-40360 | Siemens | Insufficiently Protected Credentials vulnerability in Siemens Simatic PCS 7 and Simatic Wincc A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). | 8.8 |
2022-02-09 | CVE-2021-46360 | Ocproducts | Unrestricted Upload of File with Dangerous Type vulnerability in Ocproducts Composr Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr. | 8.8 |
2022-02-09 | CVE-2022-24676 | Hyphp | Unrestricted Upload of File with Dangerous Type vulnerability in Hyphp Hybbs2 update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file upload via a crafted ZIP archive. | 8.8 |
2022-02-08 | CVE-2022-23626 | Blog Project | Unchecked Return Value vulnerability in Blog Project Blog m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. | 8.8 |
2022-02-08 | CVE-2022-21703 | Grafana Netapp Fedoraproject | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Grafana is an open-source platform for monitoring and observability. | 8.8 |
2022-02-08 | CVE-2021-45326 | Gitea | Cross-Site Request Forgery (CSRF) vulnerability in Gitea Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous especially with state altering POST requests. | 8.8 |
2022-02-08 | CVE-2022-23331 | Dataease | Unspecified vulnerability in Dataease 1.6.1 In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password. | 8.8 |
2022-02-08 | CVE-2022-21173 | Elecom | Unspecified vulnerability in Elecom products Hidden functionality vulnerability in ELECOM LAN routers (WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware v1.05 and earlier, WRH-300PN3-S firmware v1.05 and earlier, WRH-300WH3-S firmware v1.05 and earlier, and WRH-300YG3-S firmware v1.05 and earlier) allows an attacker on the adjacent network to execute an arbitrary OS command via unspecified vectors. | 8.8 |
2022-02-08 | CVE-2022-24450 | Nats | Missing Authorization vulnerability in Nats Server and Nats Streaming Server NATS nats-server before 2.7.2 has Incorrect Access Control. | 8.8 |
2022-02-07 | CVE-2022-23623 | Frourio | Unspecified vulnerability in Frourio Frourio is a full stack framework, for TypeScript. | 8.8 |
2022-02-07 | CVE-2022-23624 | Frourio | Unspecified vulnerability in Frourio Frourio-Express Frourio-express is a minimal full stack framework, for TypeScript. | 8.8 |
2022-02-07 | CVE-2021-3835 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.6.0/2.6.1/3.0.0 Buffer overflow in usb device class. | 8.8 |
2022-02-07 | CVE-2021-42833 | Xylem | Use of Hard-coded Credentials vulnerability in Xylem Aquaview 1.60 A Use of Hardcoded Credentials vulnerability exists in AquaView versions 1.60, 7.x, and 8.x that could allow an authenticated local attacker to manipulate users and system settings. | 8.8 |
2022-02-07 | CVE-2021-24879 | Supportcandy | Cross-Site Request Forgery (CSRF) vulnerability in Supportcandy The SupportCandy WordPress plugin before 2.2.7 does not have CSRF check in the wpsc_tickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it. | 8.8 |
2022-02-07 | CVE-2021-43928 | Synology | Unspecified vulnerability in Synology Mail Station Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in mail sending and receiving component in Synology Mail Station before 20211105-10315 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | 8.8 |
2022-02-11 | CVE-2022-0185 | Linux Netapp | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. | 8.4 |
2022-02-09 | CVE-2021-0066 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access. | 8.4 |
2022-02-12 | CVE-2022-0114 | Google Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out of bounds memory access in Blink Serial API in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page and virtual serial port driver. | 8.1 |
2022-02-10 | CVE-2022-24647 | Cuppacms | Path Traversal vulnerability in Cuppacms 1.0 Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function. | 8.1 |
2022-02-10 | CVE-2022-20706 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 8.1 |
2022-02-09 | CVE-2021-33113 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation for some Intel(R) PROSet/Wireless WiFi in multiple operating systems and Killer(TM) WiFi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service or information disclosure via adjacent access. | 8.1 |
2022-02-09 | CVE-2022-22811 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could induce users to perform unintended actions, leading to the override of the system's configurations when an attacker persuades a user to visit a rogue website. | 8.1 |
2022-02-09 | CVE-2022-21660 | GIN VUE Admin Project | Unspecified vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin Gin-vue-admin is a backstage management system based on vue and gin. | 8.1 |
2022-02-10 | CVE-2022-20703 | Cisco | Improper Certificate Validation vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 8.0 |
2022-02-10 | CVE-2022-20708 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 8.0 |
2022-02-12 | CVE-2022-22765 | BD | Use of Hard-coded Credentials vulnerability in BD Viper LT System Firmware 2.0/4.0 BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. | 7.8 |
2022-02-12 | CVE-2022-0301 | Google | Use After Free vulnerability in Google Chrome Heap buffer overflow in DevTools in Google Chrome prior to 97.0.4692.99 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. | 7.8 |
2022-02-11 | CVE-2021-46363 | Magnolia CMS | Improper Neutralization of Formula Elements in a CSV File vulnerability in Magnolia-Cms Magnolia CMS An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. | 7.8 |
2022-02-11 | CVE-2021-46364 | Magnolia CMS | Deserialization of Untrusted Data vulnerability in Magnolia-Cms Magnolia CMS A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file. | 7.8 |
2022-02-11 | CVE-2021-46365 | Magnolia CMS | XXE vulnerability in Magnolia-Cms Magnolia CMS An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file. | 7.8 |
2022-02-11 | CVE-2021-22796 | Schneider Electric | Unspecified vulnerability in Schneider-Electric C-Gate Server 2.11.7 A CWE-287: Improper Authentication vulnerability exists that could allow remote code execution when a malicious file is uploaded. | 7.8 |
2022-02-11 | CVE-2021-39619 | Google | Unspecified vulnerability in Google Android 11.0/12.0 In updatePackageMappingsData of UsageStatsService.java, there is a possible way to bypass security and privacy settings of app usage due to an unusual root cause. | 7.8 |
2022-02-11 | CVE-2021-39662 | Google | Missing Authorization vulnerability in Google Android 11.0/12.0 In checkUriPermission of MediaProvider.java, there is a possible way to gain access to the content of media provider collections due to a missing permission check. | 7.8 |
2022-02-11 | CVE-2021-39663 | Google | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 10.0 In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, there is a possible bypass of a permissions check due to a confused deputy. | 7.8 |
2022-02-11 | CVE-2021-39668 | Google | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 11.0/12.0 In onActivityViewReady of DetailDialog.kt, there is a possible Intent Redirect due to a confused deputy. | 7.8 |
2022-02-11 | CVE-2021-39669 | Google | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 11.0/12.0 In onCreate of InstallCaCertificateWarning.java, there is a possible way to mislead a user about CA installation circumstances due to a tapjacking/overlay attack. | 7.8 |
2022-02-11 | CVE-2021-39672 | Google | Unspecified vulnerability in Google Android In fastboot, there is a possible secure boot bypass due to a configuration error. | 7.8 |
2022-02-11 | CVE-2021-39674 | Google | Use After Free vulnerability in Google Android 10.0/11.0/12.0 In btm_sec_connected and btm_sec_disconnected of btm_sec.cc file, there is a possible use after free. | 7.8 |
2022-02-11 | CVE-2021-39676 | Google | Improper Input Validation vulnerability in Google Android 11.0 In writeThrowable of AndroidFuture.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. | 7.8 |
2022-02-11 | CVE-2022-0483 | Acronis | Incorrect Permission Assignment for Critical Resource vulnerability in Acronis VSS Doctor Local privilege escalation due to insecure folder permissions. | 7.8 |
2022-02-11 | CVE-2022-22292 | Google | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Unprotected dynamic receiver in Telecom prior to SMR Feb-2022 Release 1 allows untrusted applications to launch arbitrary activity. | 7.8 |
2022-02-11 | CVE-2022-23428 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 An improper boundary check in eden_runtime hal service prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution. | 7.8 |
2022-02-11 | CVE-2022-23853 | KDE | Uncontrolled Search Path Element vulnerability in KDE Ktexteditor The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. | 7.8 |
2022-02-11 | CVE-2021-30309 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Improper size validation of QXDM commands can lead to memory corruption in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2022-02-11 | CVE-2021-30317 | Qualcomm | Improper Authentication vulnerability in Qualcomm products Improper validation of program headers containing ELF metadata can lead to image verification bypass in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | 7.8 |
2022-02-11 | CVE-2021-30318 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Improper validation of input when provisioning the HDCP key can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
2022-02-11 | CVE-2021-30322 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible out of bounds write due to improper validation of number of GPIOs configured in an internal parameters array in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2022-02-11 | CVE-2021-30323 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Improper validation of maximum size of data write to EFS file can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
2022-02-11 | CVE-2021-35069 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Improper validation of data length received from DMA buffer can lead to memory corruption. | 7.8 |
2022-02-11 | CVE-2021-35074 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Possible integer overflow due to improper fragment datatype while calculating number of fragments in a request message in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2022-02-11 | CVE-2021-35075 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Possible null pointer dereference due to lack of WDOG structure validation during registration in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2022-02-11 | CVE-2021-35077 | Qualcomm | Use After Free vulnerability in Qualcomm products Possible use after free scenario in compute offloads to DSP while multiple calls spawn a dynamic process in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2022-02-11 | CVE-2022-24958 | Linux Fedoraproject Netapp Debian | Release of Invalid Pointer or Reference vulnerability in multiple products drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 mishandles dev->buf release. | 7.8 |
2022-02-10 | CVE-2022-0554 | VIM Fedoraproject Debian Apple | Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2. | 7.8 |
2022-02-10 | CVE-2022-0016 | Paloaltonetworks | Improper Handling of Exceptional Conditions vulnerability in Paloaltonetworks Globalprotect An improper handling of exceptional conditions vulnerability exists within the Connect Before Logon feature of the Palo Alto Networks GlobalProtect app that enables a local attacker to escalate to SYSTEM or root privileges when authenticating with Connect Before Logon under certain circumstances. | 7.8 |
2022-02-10 | CVE-2022-0017 | Paloaltonetworks | Link Following vulnerability in Paloaltonetworks Globalprotect An improper link resolution before file access ('link following') vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that enables a local attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges under certain circumstances. | 7.8 |
2022-02-10 | CVE-2022-20701 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 7.8 |
2022-02-09 | CVE-2021-0091 | Intel Netapp | Improper access control in the firmware for some Intel(R) Processors may allow an unauthenticated user to potentially enable an escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-0099 | Intel Netapp | Insufficient control flow management in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable an escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-0116 | Netapp Intel | Out-of-bounds Write vulnerability in multiple products Out-of-bounds write in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-0117 | Netapp Intel | Pointer issues in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-0156 | Netapp Intel | Improper Input Validation vulnerability in multiple products Improper input validation in the firmware for some Intel(R) Processors may allow an authenticated user to potentially enable an escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-0164 | Intel | Unspecified vulnerability in Intel products Improper access control in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-22817 | Schneider Electric | Incorrect Default Permissions vulnerability in Schneider-Electric products A CWE-276: Incorrect Default Permissions vulnerability exists that could cause unauthorized access to the base installation directory leading to local privilege escalation. | 7.8 |
2022-02-09 | CVE-2021-23152 | Intel | Unspecified vulnerability in Intel Advisor Improper access control in the Intel(R) Advisor software before version 2021.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-33101 | Intel | Uncontrolled Search Path Element vulnerability in Intel Graphics Performance Analyzers Uncontrolled search path in the Intel(R) GPA software before version 21.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-33129 | Intel | Incorrect Default Permissions vulnerability in Intel Advisor Incorrect default permissions in the software installer for the Intel(R) Advisor before version 2021.4.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-33137 | Intel | Out-of-bounds Write vulnerability in Intel Kernelflinger Out-of-bounds write in the Intel(R) Kernelflinger project may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2021-37109 | Huawei | Unspecified vulnerability in Huawei Emui 12.0.0 There is a security protection bypass vulnerability with the modem. Successful exploitation of this vulnerability may cause memory protection failure. | 7.8 |
2022-02-09 | CVE-2021-39992 | Huawei | Incorrect Permission Assignment for Critical Resource vulnerability in Huawei Emui 12.0.0 There is an improper security permission configuration vulnerability on ACPU. Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. | 7.8 |
2022-02-09 | CVE-2021-44454 | Intel | Improper Input Validation vulnerability in Intel Quartus Prime Improper input validation in a third-party component for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2022-20024 | Google | Missing Authorization vulnerability in Google Android 11.0/12.0 In system service, there is a possible permission bypass due to a missing permission check. | 7.8 |
2022-02-09 | CVE-2022-20025 | Google | Out-of-bounds Write vulnerability in Google Android In Bluetooth, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2022-02-09 | CVE-2022-20026 | Google | Out-of-bounds Write vulnerability in Google Android In Bluetooth, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2022-02-09 | CVE-2022-20027 | Google | Out-of-bounds Write vulnerability in Google Android In Bluetooth, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2022-02-09 | CVE-2022-20028 | Google | Out-of-bounds Write vulnerability in Google Android In Bluetooth, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2022-02-09 | CVE-2022-20031 | Google | Use After Free vulnerability in Google Android 10.0/11.0 In fb driver, there is a possible memory corruption due to a use after free. | 7.8 |
2022-02-09 | CVE-2022-20040 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In power_hal_manager_service, there is a possible permission bypass due to a stack-based buffer overflow. | 7.8 |
2022-02-09 | CVE-2022-20041 | Google | Missing Authorization vulnerability in Google Android In Bluetooth, there is a possible escalation of privilege due to a missing permission check. | 7.8 |
2022-02-09 | CVE-2022-20043 | Google | Missing Authorization vulnerability in Google Android In Bluetooth, there is a possible escalation of privilege due to a missing permission check. | 7.8 |
2022-02-09 | CVE-2022-20044 | Google | Use After Free vulnerability in Google Android In Bluetooth, there is a possible service crash due to a use after free. | 7.8 |
2022-02-09 | CVE-2022-20045 | Google | Use After Free vulnerability in Google Android In Bluetooth, there is a possible service crash due to a use after free. | 7.8 |
2022-02-09 | CVE-2022-21174 | Intel | Unspecified vulnerability in Intel Quartus Prime Improper access control in a third-party component of Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2022-21203 | Intel | Improper Preservation of Permissions vulnerability in Intel Quartus Prime Improper permissions in the SafeNet Sentinel driver for Intel(R) Quartus(R) Prime Standard Edition before version 21.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2022-21204 | Intel | Incorrect Default Permissions vulnerability in Intel Quartus Prime Improper permissions for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2022-21220 | Intel | XXE vulnerability in Intel Quartus Prime Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-02-09 | CVE-2022-21825 | Citrix | Unspecified vulnerability in Citrix Workspace An Improper Access Control vulnerability exists in Citrix Workspace App for Linux 2012 - 2111 with App Protection installed that can allow an attacker to perform local privilege escalation. | 7.8 |
2022-02-09 | CVE-2022-22528 | SAP | Unspecified vulnerability in SAP Adaptive Server Enterprise 16.0 SAP Adaptive Server Enterprise (ASE) - version 16.0, installation makes an entry in the system PATH environment variable in Windows platform which, under certain conditions, allows a Standard User to execute malicious Windows binaries which may lead to privilege escalation on the local system. | 7.8 |
2022-02-09 | CVE-2021-40363 | Siemens | Unspecified vulnerability in Siemens Simatic PCS 7 and Simatic Wincc A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V17 (All versions <= V17 Update 4), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). | 7.8 |
2022-02-09 | CVE-2021-44000 | Siemens | Out-of-bounds Write vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.7), Solid Edge SE2021 (All versions < SE2021MP9), Solid Edge SE2022 (All versions < SE2022MP1), Teamcenter Visualization V13.1 (All versions < V13.1.0.9), Teamcenter Visualization V13.2 (All versions < V13.2.0.7), Teamcenter Visualization V13.3 (All versions < V13.3.0.1). | 7.8 |
2022-02-09 | CVE-2021-44016 | Siemens | Out-of-bounds Write vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.7), Solid Edge SE2021 (All versions < SE2021MP9), Solid Edge SE2022 (All versions < SE2022MP1), Teamcenter Visualization V13.1 (All versions < V13.1.0.9), Teamcenter Visualization V13.2 (All versions < V13.2.0.7), Teamcenter Visualization V13.3 (All versions < V13.3.0.1). | 7.8 |
2022-02-09 | CVE-2021-44018 | Siemens | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens Jt2Go, Solid Edge and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.2.0.7), Solid Edge SE2021 (All versions < SE2021MP9), Solid Edge SE2022 (All versions < SE2022MP1), Teamcenter Visualization V13.1 (All versions < V13.1.0.9), Teamcenter Visualization V13.2 (All versions < V13.2.0.7), Teamcenter Visualization V13.3 (All versions < V13.3.0.1). | 7.8 |
2022-02-09 | CVE-2021-46151 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46152 | Siemens | Type Confusion vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46153 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46154 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46155 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46156 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46157 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46158 | Siemens | Improper Validation of Specified Quantity in Input vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46159 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46160 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-46161 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1 A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). | 7.8 |
2022-02-09 | CVE-2021-37852 | Eset | Improper Privilege Management vulnerability in Eset products ESET products for Windows allows untrusted process to impersonate the client of a pipe, which can be leveraged by attacker to escalate privileges in the context of NT AUTHORITY\SYSTEM. | 7.8 |
2022-02-08 | CVE-2022-0520 | Radare Fedoraproject | Use After Free vulnerability in multiple products Use After Free in NPM radare2.js prior to 5.6.2. | 7.8 |
2022-02-08 | CVE-2022-0523 | Radare Fedoraproject | Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2. | 7.8 |
2022-02-07 | CVE-2022-23613 | Neutrinolabs Fedoraproject | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products xrdp is an open source remote desktop protocol (RDP) server. | 7.8 |
2022-02-11 | CVE-2022-24975 | GIT SCM | Exposure of Resource to Wrong Sphere vulnerability in Git-Scm GIT The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. | 7.5 |
2022-02-11 | CVE-2021-22785 | Schneider Electric | Information Exposure vulnerability in Schneider-Electric products A CWE-200: Information Exposure vulnerability exists that could cause sensitive information of files located in the web root directory to leak when an attacker sends a HTTP request to the web server of the device. | 7.5 |
2022-02-11 | CVE-2021-22787 | Schneider Electric | Improper Input Validation vulnerability in Schneider-Electric products A CWE-20: Improper Input Validation vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request to the web server of the device. | 7.5 |
2022-02-11 | CVE-2021-22788 | Schneider Electric | Out-of-bounds Write vulnerability in Schneider-Electric products A CWE-787: Out-of-bounds Write vulnerability exists that could cause denial of service when an attacker sends a specially crafted HTTP request to the web server of the device. | 7.5 |
2022-02-11 | CVE-2021-22798 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Conext Combox Firmware A CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause sensitive data such as login credentials to be exposed when a network is sniffed. | 7.5 |
2022-02-11 | CVE-2021-22800 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Modicon M218 Firmware 4.3/5.0.0.7/5.1.0.6 A CWE-20: Improper Input Validation vulnerability exists that could cause a Denial of Service when a crafted packet is sent to the controller over network port 1105/TCP. | 7.5 |
2022-02-11 | CVE-2021-22804 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause disclosure of arbitrary files being read in the context of the user running IGSS, due to missing validation of user supplied data in network messages. | 7.5 |
2022-02-11 | CVE-2021-22806 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability exists that could cause data exfiltration and unauthorized access when accessing a malicious website. | 7.5 |
2022-02-11 | CVE-2021-22824 | Schneider Electric | Classic Buffer Overflow vulnerability in Schneider-Electric Interactive Graphical Scada System Data Collector A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in denial of service, due to missing length check on user-supplied data from a constructed message received on the network. | 7.5 |
2022-02-11 | CVE-2021-39677 | Google | Out-of-bounds Read vulnerability in Google Android 11.0 In startVideoStream() there is a possibility of an OOB Read in the heap, when the camera buffer is ‘zero’ in size. Product: Android. Versions: Android-11. Android ID: A-205097028 | 7.5 |
2022-02-11 | CVE-2021-23597 | Fastify | Unspecified vulnerability in Fastify Fastify-Multipart This affects the package fastify-multipart before 5.3.1. | 7.5 |
2022-02-11 | CVE-2020-13670 | Drupal | Exposure of Resource to Wrong Sphere vulnerability in Drupal Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. | 7.5 |
2022-02-11 | CVE-2020-13677 | Drupal | Unspecified vulnerability in Drupal Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. | 7.5 |
2022-02-11 | CVE-2021-30326 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Possible assertion due to improper size validation while processing the DownlinkPreemption IE in an RRC Reconfiguration/RRC Setup message in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.5 |
2022-02-11 | CVE-2022-23772 | Golang Netapp Debian | Integer Overflow or Wraparound vulnerability in multiple products Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. | 7.5 |
2022-02-11 | CVE-2022-23773 | Golang Netapp | Interpretation Conflict vulnerability in multiple products cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. | 7.5 |
2022-02-10 | CVE-2022-24646 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Hospital Management System 4.0 Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/contact.php via the txtMsg parameters. | 7.5 |
2022-02-10 | CVE-2022-23630 | Gradle | Unspecified vulnerability in Gradle Gradle is a build tool with a focus on build automation and support for multi-language development. | 7.5 |
2022-02-10 | CVE-2022-24916 | Optimism | Unspecified vulnerability in Optimism Eth-Optimism/L2Geth Optimism before @eth-optimism/[email protected] allows economic griefing because a balance is duplicated upon contract self-destruction. | 7.5 |
2022-02-10 | CVE-2022-20709 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 7.5 |
2022-02-09 | CVE-2021-26613 | Tobesoft | Improper Input Validation vulnerability in Tobesoft Nexacro Improper input validation vulnerability in nexacro permits copying a file to the startup folder using the rename method. | 7.5 |
2022-02-09 | CVE-2022-0391 | Python Netapp Fedoraproject Oracle | Injection vulnerability in multiple products A flaw was found in Python, specifically within the urllib.parse module. | 7.5 |
2022-02-09 | CVE-2022-21205 | Intel | XXE vulnerability in Intel Quartus Prime Improper restriction of XML external entity reference in DSP Builder Pro for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an unauthenticated user to potentially enable information disclosure via network access. | 7.5 |
2022-02-09 | CVE-2022-22533 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Java Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. | 7.5 |
2022-02-09 | CVE-2022-22540 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Abap SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. | 7.5 |
2022-02-09 | CVE-2022-22543 | SAP | Unspecified vulnerability in SAP Netweaver Abap and Netweaver AS Abap SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) - versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49, does not sufficiently validate sap-passport information, which could lead to a Denial-of-Service attack. | 7.5 |
2022-02-09 | CVE-2022-24314 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-125: Out-of-bounds Read vulnerability exists that could cause memory leaks potentially resulting in denial of service when an attacker repeatedly sends a specially crafted message. | 7.5 |
2022-02-09 | CVE-2022-24315 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service when an attacker repeatedly sends a specially crafted message. | 7.5 |
2022-02-09 | CVE-2022-24316 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-665: Improper Initialization vulnerability exists that could cause information exposure when an attacker sends a specially crafted message. | 7.5 |
2022-02-09 | CVE-2022-24317 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Interactive Graphical Scada System Data Server A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. | 7.5 |
2022-02-09 | CVE-2022-24318 | Schneider Electric | Inadequate Encryption Strength vulnerability in Schneider-Electric products A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. | 7.5 |
2022-02-09 | CVE-2022-24321 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause Denial of Service against the Geo SCADA server when receiving a malformed HTTP request. | 7.5 |
2022-02-09 | CVE-2022-24666 | Apple | Unspecified vulnerability in Apple Swiftnio Http/2 A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. | 7.5 |
2022-02-09 | CVE-2022-24667 | Apple | Integer Overflow or Wraparound vulnerability in Apple Swiftnio Http/2 A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. | 7.5 |
2022-02-09 | CVE-2022-24668 | Apple | Unspecified vulnerability in Apple Swiftnio Http/2 A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC or ORIGIN frames. | 7.5 |
2022-02-09 | CVE-2022-23619 | Xwiki | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 7.5 |
2022-02-09 | CVE-2021-41442 | Dlink | HTTP Request Smuggling vulnerability in Dlink Dir-X1860 Firmware 1.03 An HTTP smuggling attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet. | 7.5 |
2022-02-09 | CVE-2021-37194 | Siemens | Unrestricted Upload of File with Dangerous Type vulnerability in Siemens Comos A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). | 7.5 |
2022-02-09 | CVE-2021-46354 | Cybelesoft | Exposure of Resource to Wrong Sphere vulnerability in Cybelesoft Thinfinity Virtualui 2.1.28.0/2.1.32.1/2.5.26.2 Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version 3.0 is affected by an information disclosure vulnerability in the parameter "Addr" in cmd site. | 7.5 |
2022-02-09 | CVE-2022-0538 | Jenkins | Deserialization of Untrusted Data vulnerability in Jenkins Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage. | 7.5 |
2022-02-08 | CVE-2022-0524 | Publify Project | Unspecified vulnerability in Publify Project Publify Business Logic Errors in GitHub repository publify/publify prior to 9.2.7. | 7.5 |
2022-02-08 | CVE-2021-45325 | Gitea | Server-Side Request Forgery (SSRF) vulnerability in Gitea Server Side Request Forgery (SSRF) vulnerability exists in Gitea before 1.7.0 using the OpenID URL. | 7.5 |
2022-02-08 | CVE-2022-21193 | Dounokouno | Path Traversal vulnerability in Dounokouno Transmitmail 2.5.0/2.6.0/2.6.1 Directory traversal vulnerability in TransmitMail 2.5.0 to 2.6.1 allows a remote unauthenticated attacker to obtain an arbitrary file on the server via unspecified vectors. | 7.5 |
2022-02-07 | CVE-2022-21712 | Twisted Debian Fedoraproject | twisted is an event-driven networking engine written in Python. | 7.5 |
2022-02-07 | CVE-2021-24839 | Supportcandy | Missing Authorization vulnerability in Supportcandy The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. | 7.5 |
2022-02-07 | CVE-2021-46389 | High Resolution Streaming Image Server Project | Integer Overflow or Wraparound vulnerability in High Resolution Streaming Image Server Project High Resolution Streaming Image Server IIPImage High Resolution Streaming Image Server prior to commit 882925b295a80ec992063deffc2a3b0d803c3195 is affected by an integer overflow in iipsrv.fcgi through malformed HTTP query parameters. | 7.5 |
2022-02-07 | CVE-2021-46359 | Fisco Bcos | Unspecified vulnerability in Fisco-Bcos 3.0.0 FISCO-BCOS release-3.0.0-rc2 contains a denial of service vulnerability. | 7.5 |
2022-02-07 | CVE-2022-23320 | Xerox | Improper Authentication vulnerability in Xerox Xmpie Ustore 12.3.7244.0 XMPie uStore 12.3.7244.0 allows for administrators to generate reports based on raw SQL queries. | 7.5 |
2022-02-07 | CVE-2022-22680 | Synology | Unspecified vulnerability in Synology Diskstation Manager Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors. | 7.5 |
2022-02-11 | CVE-2021-4098 | Google | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Chrome Insufficient data validation in Mojo in Google Chrome prior to 96.0.4664.110 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 7.4 |
2022-02-09 | CVE-2022-22807 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes. | 7.4 |
2022-02-09 | CVE-2021-41441 | Dlink | Improper Resource Shutdown or Release vulnerability in Dlink Dir-X1860 Firmware 1.03 A DoS attack in the web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to reboot the router via sending a specially crafted URL to an authenticated victim. | 7.4 |
2022-02-10 | CVE-2022-20707 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 7.3 |
2022-02-11 | CVE-2022-0557 | Microweber | OS Command Injection vulnerability in Microweber OS Command Injection in Packagist microweber/microweber prior to 1.2.11. | 7.2 |
2022-02-10 | CVE-2022-20702 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 7.2 |
2022-02-09 | CVE-2022-23048 | Exponentcms | Unrestricted Upload of File with Dangerous Type vulnerability in Exponentcms Exponent CMS 2.6.0 Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. | 7.2 |
2022-02-09 | CVE-2022-22566 | Dell | Unspecified vulnerability in Dell products Select Dell Client Commercial and Consumer platforms contain a pre-boot direct memory access (DMA) vulnerability. | 7.2 |
2022-02-11 | CVE-2022-23427 | Google | Unspecified vulnerability in Google Android 10.0/11.0/12.0 PendingIntent hijacking vulnerability in KnoxPrivacyNoticeReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission via implicit Intent. | 7.1 |
2022-02-08 | CVE-2022-0518 | Radare Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.2. | 7.1 |
2022-02-08 | CVE-2022-0519 | Radare Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2. | 7.1 |
2022-02-08 | CVE-2022-0521 | Radare Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2. | 7.1 |
2022-02-08 | CVE-2022-0522 | Radare Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2. | 7.1 |
2022-02-07 | CVE-2021-25095 | Ip2Location | Unspecified vulnerability in Ip2Location Country Blocker The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend. | 7.1 |
2022-02-07 | CVE-2021-25108 | Ip2Location | Cross-Site Request Forgery (CSRF) vulnerability in Ip2Location Country Blocker The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend. | 7.1 |
246 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-10 | CVE-2021-44850 | AMD | Insufficient Verification of Data Authenticity vulnerability in AMD products On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM. | 6.8 |
2022-02-09 | CVE-2022-20034 | Google | Improper Certificate Validation vulnerability in Google Android 11.0 In Preloader XFLASH, there is a possible escalation of privilege due to an improper certificate validation. | 6.8 |
2022-02-08 | CVE-2022-23627 | Archisteamfarm Project | Incorrect Authorization vulnerability in Archisteamfarm Project Archisteamfarm ArchiSteamFarm (ASF) is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. | 6.8 |
2022-02-07 | CVE-2021-3861 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.6.0/2.6.1 The RNDIS USB device class includes a buffer overflow vulnerability. | 6.8 |
2022-02-11 | CVE-2022-23431 | Google | Classic Buffer Overflow vulnerability in Google Android 10.0/11.0/12.0 An improper boundary check in RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution. | 6.7 |
2022-02-11 | CVE-2022-23432 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 An improper input validation in SMC_SRPMB_WSM handler of RPMB ldfw prior to SMR Feb-2022 Release 1 allows arbitrary memory write and code execution. | 6.7 |
2022-02-11 | CVE-2021-30324 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible out of bound write due to lack of boundary check for the maximum size of buffer when sending a DCI packet to remote process in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 6.7 |
2022-02-11 | CVE-2021-30325 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Possible out of bound access of DCI resources due to lack of validation process and resource allocation in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 6.7 |
2022-02-09 | CVE-2021-0103 | Intel Netapp | Insufficient control flow management in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0107 | Intel Netapp | Unchecked Return Value vulnerability in multiple products Unchecked return value in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0111 | Intel Netapp | NULL Pointer Dereference vulnerability in multiple products NULL pointer dereference in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0115 | Intel Netapp | Classic Buffer Overflow vulnerability in multiple products Buffer overflow in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0118 | Netapp Intel | Out-of-bounds Read vulnerability in multiple products Out-of-bounds read in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0161 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0166 | Intel | Information Exposure vulnerability in Intel products Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0167 | Intel | Unspecified vulnerability in Intel products Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0168 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2021-0169 | Intel | Uncontrolled Search Path Element vulnerability in Intel products Uncontrolled Search Path Element in software for Intel(R) PROSet/Wireless Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access. | 6.7 |
2022-02-09 | CVE-2022-20030 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In vow driver, there is a possible out of bounds write due to a stack-based buffer overflow. | 6.7 |
2022-02-09 | CVE-2022-20038 | Google | Out-of-bounds Write vulnerability in Google Android 11.0 In ccu driver, there is a possible memory corruption due to an incorrect bounds check. | 6.7 |
2022-02-09 | CVE-2022-20039 | Google | Integer Overflow or Wraparound vulnerability in Google Android 11.0 In ccu driver, there is a possible memory corruption due to an integer overflow. | 6.7 |
2022-02-09 | CVE-2021-0060 | Intel Netapp | Insufficient compartmentalization in HECI subsystem for the Intel(R) SPS before versions SPS_E5_04.01.04.516.0, SPS_E5_04.04.04.033.0, SPS_E5_04.04.03.281.0, SPS_E5_03.01.03.116.0, SPS_E3_05.01.04.309.0, SPS_02.04.00.101.0, SPS_SoC-A_05.00.03.114.0, SPS_SoC-X_04.00.04.326.0, SPS_SoC-X_03.00.03.117.0, IGN_E5_91.00.00.167.0, SPS_PHI_03.01.03.078.0 may allow an authenticated user to potentially enable escalation of privilege via physical access. | 6.6 |
2022-02-09 | CVE-2021-0124 | Netapp Intel | Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access. | 6.6 |
2022-02-09 | CVE-2021-0125 | Netapp Intel | Improper Initialization vulnerability in multiple products Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access. | 6.6 |
2022-02-12 | CVE-2022-0291 | Google | Unspecified vulnerability in Google Chrome Inappropriate implementation in Storage in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0292 | Google | Unspecified vulnerability in Google Chrome Inappropriate implementation in Fenced Frames in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0294 | Google | Unspecified vulnerability in Google Chrome Inappropriate implementation in Push messaging in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0305 | Google | Unspecified vulnerability in Google Chrome Inappropriate implementation in Service Worker API in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0309 | Google | Incorrect Authorization vulnerability in Google Chrome Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0108 | Google Fedoraproject | Origin Validation Error vulnerability in multiple products Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0109 | Google Fedoraproject | Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0111 | Google Fedoraproject | Origin Validation Error vulnerability in multiple products Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to incorrectly set origin via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0113 | Google Fedoraproject | Origin Validation Error vulnerability in multiple products Inappropriate implementation in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0117 | Google Fedoraproject | Incorrect Authorization vulnerability in multiple products Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 6.5 |
2022-02-12 | CVE-2022-0120 | Google Fedoraproject | Origin Validation Error vulnerability in multiple products Inappropriate implementation in Passwords in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially leak cross-origin data via a malicious website. | 6.5 |
2022-02-11 | CVE-2021-39665 | Google | Out-of-bounds Write vulnerability in Google Android 12.0 In checkSpsUpdated of AAVCAssembler.cpp, there is a possible out of bounds read due to a heap buffer overflow. | 6.5 |
2022-02-11 | CVE-2021-39671 | Google | Use of Uninitialized Resource vulnerability in Google Android 12.0 In code generated by aidl_const_expressions.cpp, there is a possible out of bounds read due to uninitialized data. | 6.5 |
2022-02-11 | CVE-2022-24925 | Google | Improper Input Validation vulnerability in Google Android 12.0 Improper input validation vulnerability in SettingsProvider prior to Android S(12) allows privileged attackers to trigger a permanent denial of service attack on a victim's devices. | 6.5 |
2022-02-11 | CVE-2020-13674 | Drupal | Cross-Site Request Forgery (CSRF) vulnerability in Drupal The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. | 6.5 |
2022-02-11 | CVE-2020-13676 | Drupal | Incorrect Authorization vulnerability in Drupal The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. | 6.5 |
2022-02-11 | CVE-2021-45385 | Rockcarry | NULL Pointer Dereference vulnerability in Rockcarry Ffjpeg 20211206 A Null Pointer Dereference vulnerability exists in ffjpeg d5cfd49 (2021-12-06) in bmp_load(). | 6.5 |
2022-02-10 | CVE-2021-42000 | Pingidentity | Unspecified vulnerability in Pingidentity Pingfederate When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing user's password. | 6.5 |
2022-02-10 | CVE-2022-0011 | Paloaltonetworks | Interpretation Conflict vulnerability in Paloaltonetworks Pan-Os PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. | 6.5 |
2022-02-10 | CVE-2022-0018 | Paloaltonetworks | Information Exposure vulnerability in Paloaltonetworks Globalprotect An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. | 6.5 |
2022-02-10 | CVE-2022-20680 | Cisco | Unspecified vulnerability in Cisco Prime Service Catalog A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to access sensitive information on an affected device. | 6.5 |
2022-02-10 | CVE-2021-37613 | Stormshield | Unspecified vulnerability in Stormshield Network Security Stormshield Network Security (SNS) 1.0.0 through 4.2.3 allows a Denial of Service. | 6.5 |
2022-02-09 | CVE-2021-0165 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0172 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0173 | Intel | Improper Input Validation vulnerability in Intel products Improper Validation of Consistency within input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0174 | Intel | Improper Input Validation vulnerability in Intel products Improper Use of Validation Framework in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0175 | Intel | Improper Input Validation vulnerability in Intel products Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0177 | Intel | Improper Input Validation vulnerability in Intel products Improper Validation of Consistency within input in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0178 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0179 | Intel | Improper Input Validation vulnerability in Intel products Improper Use of Validation Framework in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-0183 | Intel | Improper Input Validation vulnerability in Intel products Improper Validation of Specified Index, Position, or Offset in Input in software for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2021-33068 | Intel Netapp | NULL Pointer Dereference vulnerability in multiple products Null pointer dereference in subsystem for Intel(R) AMT before versions 15.0.35 may allow an authenticated user to potentially enable denial of service via network access. | 6.5 |
2022-02-09 | CVE-2021-33110 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation for some Intel(R) Wireless Bluetooth(R) products and Killer(TM) Bluetooth(R) products in Windows 10 and 11 before version 22.80 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 6.5 |
2022-02-09 | CVE-2022-22535 | SAP | Unspecified vulnerability in SAP ERP Human Capital Management 600/604/608 SAP ERP HCM Portugal - versions 600, 604, 608, does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. | 6.5 |
2022-02-09 | CVE-2022-22537 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens a manipulated Tagged Image File Format (.tiff, 2d.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.5 |
2022-02-09 | CVE-2022-22538 | SAP | Improper Input Validation vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens a manipulated Adobe Illustrator file format (.ai, ai.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.5 |
2022-02-09 | CVE-2022-22539 | SAP | Unspecified vulnerability in SAP 3D Visual Enterprise Viewer 9 When a user opens a manipulated JPEG file format (.jpg, 2d.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application. | 6.5 |
2022-02-09 | CVE-2022-22542 | SAP | Unspecified vulnerability in SAP S/4Hana 104/105/106 S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor that is not explicitly authorized to have access to that information, which could compromise Confidentiality. | 6.5 |
2022-02-09 | CVE-2022-22780 | Zoom | Resource Exhaustion vulnerability in Zoom Meetings The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3. | 6.5 |
2022-02-09 | CVE-2022-23617 | Xwiki | Unspecified vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 6.5 |
2022-02-09 | CVE-2021-45106 | Siemens | Use of Hard-coded Credentials vulnerability in Siemens Sicam Toolbox II A vulnerability has been identified in SICAM TOOLBOX II (All versions). | 6.5 |
2022-02-09 | CVE-2021-3813 | Chatwoot | Authorization Bypass Through User-Controlled Key vulnerability in Chatwoot Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2. | 6.5 |
2022-02-08 | CVE-2021-44864 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Wn886N Firmware 1.0.1 TP-Link WR886N 3.0 1.0.1 Build 150127 Rel.34123n is vulnerable to Buffer Overflow. | 6.5 |
2022-02-08 | CVE-2021-44956 | Rockcarry | Out-of-bounds Write vulnerability in Rockcarry Ffjpeg Two Heap based buffer overflow vulnerabilities exist in ffjpeg through 01.01.2021. | 6.5 |
2022-02-08 | CVE-2021-44957 | Rockcarry | Classic Buffer Overflow vulnerability in Rockcarry Ffjpeg Global buffer overflow vulnerability exists in ffjpeg through 01.01.2021. | 6.5 |
2022-02-08 | CVE-2022-0504 | Microweber | Unspecified vulnerability in Microweber Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. | 6.5 |
2022-02-08 | CVE-2022-0505 | Microweber | Unspecified vulnerability in Microweber Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | 6.5 |
2022-02-07 | CVE-2021-24843 | Supportcandy | Cross-Site Request Forgery (CSRF) vulnerability in Supportcandy The SupportCandy WordPress plugin before 2.2.7 does not have a CSRF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged-in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. | 6.5 |
2022-02-07 | CVE-2021-24928 | Rearrange Woocommerce Products Project | Unspecified vulnerability in Rearrange Woocommerce products Project Rearrange Woocommerce products The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any authenticated user, such as subscriber, to modify arbitrary post content (for example with an XSS payload), as well as exfiltrate any data by copying it to another post. | 6.5 |
2022-02-07 | CVE-2021-24947 | Thinkupthemes | Unrestricted Upload of File with Dangerous Type vulnerability in Thinkupthemes Responsive Vector Maps The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server. | 6.5 |
2022-02-07 | CVE-2021-24993 | Etoilewebdesign | Cross-Site Request Forgery (CSRF) vulnerability in Etoilewebdesign Ultimate Product Catalog The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated user, such as subscriber, to call them and, for example, add arbitrary products or change the plugin's settings. | 6.5 |
2022-02-07 | CVE-2021-25096 | Ip2Location | Authorization Bypass Through User-Controlled Key vulnerability in Ip2Location Country Blocker In the IP2Location Country Blocker WordPress plugin before 2.26.5, bans can be bypassed by using a specific parameter in the URL. | 6.5 |
2022-02-09 | CVE-2021-0119 | Netapp Intel | Improper Initialization vulnerability in multiple products Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access. | 6.2 |
2022-02-11 | CVE-2020-13668 | Drupal | Cross-site Scripting vulnerability in Drupal Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. | 6.1 |
2022-02-11 | CVE-2020-13669 | Drupal | Cross-site Scripting vulnerability in Drupal Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. | 6.1 |
2022-02-11 | CVE-2020-13672 | Drupal | Cross-site Scripting vulnerability in Drupal Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. | 6.1 |
2022-02-11 | CVE-2020-13673 | Drupal | Cross-site Scripting vulnerability in Drupal Entity Embed 8.X1.0/8.X1.1/8.X1.2 The Entity Embed module provides a filter to allow embedding entities in content fields. | 6.1 |
2022-02-11 | CVE-2022-0560 | Microweber | Unspecified vulnerability in Microweber Open Redirect in Packagist microweber/microweber prior to 1.2.11. | 6.1 |
2022-02-10 | CVE-2021-45357 | Piwigo | Cross-site Scripting vulnerability in Piwigo 12.0.0/12.1.0 Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php. | 6.1 |
2022-02-10 | CVE-2021-31814 | Stormshield | Missing Authentication for Critical Function vulnerability in Stormshield Network Security In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client. | 6.1 |
2022-02-10 | CVE-2021-41445 | Dlink | Cross-site Scripting vulnerability in Dlink Dir-X1860 Firmware 1.03 A reflected cross-site-scripting attack in web application of D-Link DIR-X1860 before v1.10WWB09_Beta allows a remote unauthenticated attacker to execute code in the device of the victim via sending a specific URL to the unauthenticated victim. | 6.1 |
2022-02-09 | CVE-2022-22534 | SAP | Cross-site Scripting vulnerability in SAP Netweaver Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password. | 6.1 |
2022-02-09 | CVE-2022-22812 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a web session compromise when an attacker injects and then executes arbitrary malicious JavaScript code inside the target browser. | 6.1 |
2022-02-09 | CVE-2022-23622 | Xwiki | Unspecified vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 6.1 |
2022-02-09 | CVE-2022-23618 | Xwiki | Unspecified vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 6.1 |
2022-02-09 | CVE-2022-23102 | Siemens | Open Redirect vulnerability in Siemens Sinema Remote Connect Server A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). | 6.1 |
2022-02-09 | CVE-2022-23312 | Siemens | Cross-site Scripting vulnerability in Siemens Spectrum Power 4 4.70 A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP9 Security Patch 1). | 6.1 |
2022-02-09 | CVE-2022-0526 | Chatwoot | Unspecified vulnerability in Chatwoot Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0. | 6.1 |
2022-02-09 | CVE-2022-0527 | Chatwoot | Unspecified vulnerability in Chatwoot Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0. | 6.1 |
2022-02-09 | CVE-2022-24682 | Zimbra | Improper Encoding or Escaping of Output vulnerability in Zimbra Collaboration An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. | 6.1 |
2022-02-08 | CVE-2021-45329 | Gitea | Cross-site Scripting vulnerability in Gitea Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field. | 6.1 |
2022-02-08 | CVE-2021-45328 | Gitea | Open Redirect vulnerability in Gitea Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs. | 6.1 |
2022-02-08 | CVE-2022-21805 | Econosys System | Cross-site Scripting vulnerability in Econosys-System PHP Mailform Reflected cross-site scripting vulnerability in the attached file name of php_mailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-02-08 | CVE-2022-22142 | Econosys System | Cross-site Scripting vulnerability in Econosys-System PHP Mailform Reflected cross-site scripting vulnerability in the checkbox of php_mailform versions prior to Version 1.40 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-02-08 | CVE-2022-22146 | Dounokouno | Cross-site Scripting vulnerability in Dounokouno Transmitmail 2.5.0/2.6.0/2.6.1 Cross-site scripting vulnerability in TransmitMail 2.5.0 to 2.6.1 allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-02-07 | CVE-2021-45281 | Quickbox | Cross-site Scripting vulnerability in Quickbox 2.4.8/2.5.8 QuickBox Pro v2.4.8 contains a cross-site scripting (XSS) vulnerability at "adminuseredit.php?usertoedit=XSS", as the user supplied input for the value of this parameter is not properly sanitized. | 6.1 |
2022-02-07 | CVE-2022-21813 | Nvidia | Improper Handling of Exceptional Conditions vulnerability in Nvidia products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service. | 6.1 |
2022-02-07 | CVE-2022-21814 | Nvidia | Improper Handling of Exceptional Conditions vulnerability in Nvidia products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service. | 6.1 |
2022-02-07 | CVE-2022-0149 | Visser | Unspecified vulnerability in Visser Store Exporter for Woocommerce The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page. | 6.1 |
2022-02-07 | CVE-2021-24878 | Supportcandy | Cross-site Scripting vulnerability in Supportcandy The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue. | 6.1 |
2022-02-07 | CVE-2021-25077 | Visser | Cross-site Scripting vulnerability in Visser Store Toolkit for Woocommerce The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting issue. | 6.1 |
2022-02-07 | CVE-2022-23184 | Octopus | Open Redirect vulnerability in Octopus Deploy In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | 6.1 |
2022-02-11 | CVE-2022-23426 | | Unspecified vulnerability in Google Android 10.0/11.0 A vulnerability using PendingIntent in DeX Home and DeX for PC prior to SMR Feb-2022 Release 1 allows attackers to access files with system privilege. | 6.0 |
2022-02-11 | CVE-2022-23634 | Puma Rubyonrails Debian Fedoraproject | Improper Resource Shutdown or Release vulnerability in multiple products Puma is a Ruby/Rack web server built for parallelism. | 5.9 |
2022-02-11 | CVE-2022-24968 | Mellium | Improper Certificate Validation vulnerability in Mellium Xmpp In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. | 5.9 |
2022-02-11 | CVE-2022-23633 | Rubyonrails Debian | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products Action Pack is a framework for handling and responding to web requests. | 5.9 |
2022-02-09 | CVE-2022-24319 | Schneider Electric | Improper Certificate Validation vulnerability in Schneider-Electric products A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-the-Middle attack when communications between the client and Geo SCADA web server are intercepted. | 5.9 |
2022-02-09 | CVE-2022-24320 | Schneider Electric | Improper Certificate Validation vulnerability in Schneider-Electric products A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-the-Middle attack when communications between the client and Geo SCADA database server are intercepted. | 5.9 |
2022-02-09 | CVE-2022-0536 | Follow Redirects Project | Unspecified vulnerability in Follow-Redirects Project Follow-Redirects Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8. | 5.9 |
2022-02-10 | CVE-2021-3398 | Stormshield | Integer Overflow or Wraparound vulnerability in Stormshield Network Security Stormshield Network Security (SNS) 3.x has an Integer Overflow in the high-availability component. | 5.8 |
2022-02-09 | CVE-2021-33114 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation for some Intel(R) PROSet/Wireless WiFi in multiple operating systems and Killer(TM) WiFi in Windows 10 and 11 may allow an authenticated user to potentially enable denial of service via adjacent access. | 5.7 |
2022-02-09 | CVE-2021-33139 | Intel | Improper Check for Unusual or Exceptional Conditions vulnerability in Intel products Improper conditions check in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.100 may allow an authenticated user to potentially enable denial of service via adjacent access. | 5.7 |
2022-02-09 | CVE-2021-33155 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.100 may allow an authenticated user to potentially enable denial of service via adjacent access. | 5.7 |
2022-02-11 | CVE-2022-22766 | BD | Use of Hard-coded Credentials vulnerability in BD products Hardcoded credentials are used in specific BD Pyxis products. | 5.5 |
2022-02-11 | CVE-2021-0524 | | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In isServiceDistractionOptimized of CarPackageManagerService.java, there is a possible disclosure of installed packages due to side channel information disclosure. | 5.5 |
2022-02-11 | CVE-2021-39631 | | Unspecified vulnerability in Google Android 10.0/11.0/12.0 In clear_data_dlg_text of strings.xml, there is a possible situation when "Clear storage" functionality sets up the wrong security/privacy expectations due to a misleading message. | 5.5 |
2022-02-11 | CVE-2021-39664 | | Out-of-bounds Read vulnerability in Google Android 12.0 In LoadedPackage::Load of LoadedArsc.cpp, there is a possible out of bounds read due to a missing bounds check. | 5.5 |
2022-02-11 | CVE-2021-39666 | | Out-of-bounds Read vulnerability in Google Android 11.0/12.0 In extract of MediaMetricsItem.h, there is a possible out of bounds read due to improper input validation. | 5.5 |
2022-02-11 | CVE-2021-39687 | | Out-of-bounds Read vulnerability in Google Android In HandleTransactionIoEvent of actuator_driver.cc, there is a possible out of bounds read due to a heap buffer overflow. | 5.5 |
2022-02-11 | CVE-2021-39688 | | Out-of-bounds Read vulnerability in Google Android In TBD of TBD, there is a possible out of bounds read due to TBD. | 5.5 |
2022-02-11 | CVE-2022-0382 | Linux | Missing Initialization of Resource vulnerability in Linux Kernel An information leak flaw was found due to uninitialized memory in the Linux kernel's TIPC protocol subsystem, in the way a user sends a TIPC datagram to one or more destinations. | 5.5 |
2022-02-11 | CVE-2022-0561 | Libtiff Redhat Fedoraproject Debian Netapp | NULL Pointer Dereference vulnerability in multiple products Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. | 5.5 |
2022-02-11 | CVE-2022-0562 | Libtiff Fedoraproject Debian Netapp | NULL Pointer Dereference vulnerability in multiple products Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. | 5.5 |
2022-02-11 | CVE-2022-22291 | | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Logging of excessive data vulnerability in telephony prior to SMR Feb-2022 Release 1 allows privileged attackers to get Cell Location Information through log of user device. | 5.5 |
2022-02-11 | CVE-2022-23998 | Samsung | Incorrect Authorization vulnerability in Samsung Camera Improper access control vulnerability in Camera prior to versions 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9) allows untrusted applications to take a picture in screenlock status. | 5.5 |
2022-02-11 | CVE-2021-45386 | Broadcom | Reachable Assertion vulnerability in Broadcom Tcpreplay 4.3.4 tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv6() at tree.c. | 5.5 |
2022-02-11 | CVE-2021-45387 | Broadcom | Reachable Assertion vulnerability in Broadcom Tcpreplay 4.3.4 tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv4() at tree.c. | 5.5 |
2022-02-11 | CVE-2021-45402 | Linux | Exposure of Resource to Wrong Sphere vulnerability in Linux Kernel The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak." | 5.5 |
2022-02-11 | CVE-2022-24959 | Linux Debian | Memory Leak vulnerability in multiple products An issue was discovered in the Linux kernel before 5.16.5. | 5.5 |
2022-02-10 | CVE-2022-0019 | Paloaltonetworks | Insufficiently Protected Credentials vulnerability in Paloaltonetworks Globalprotect An insufficiently protected credentials vulnerability exists in the Palo Alto Networks GlobalProtect app on Linux that exposes the hashed credentials of GlobalProtect users that saved their password during previous GlobalProtect app sessions to other local users on the system. | 5.5 |
2022-02-10 | CVE-2022-0021 | Paloaltonetworks | Information Exposure Through Log Files vulnerability in Paloaltonetworks Globalprotect An information exposure through log file vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that logs the cleartext credentials of the connecting GlobalProtect user when authenticating using Connect Before Logon feature. | 5.5 |
2022-02-09 | CVE-2021-0072 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-0076 | Intel | Improper Input Validation vulnerability in Intel products Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable denial of service via local access. | 5.5 |
2022-02-09 | CVE-2021-0127 | Netapp Intel | Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access. | 5.5 |
2022-02-09 | CVE-2021-0145 | Netapp Intel | Improper Initialization vulnerability in multiple products Improper initialization of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-0170 | Intel | Information Exposure vulnerability in Intel products Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-0171 | Intel | Unspecified vulnerability in Intel products Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi and Killer(TM) Wi-Fi in Windows 10 and 11 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-33061 | Intel | Unspecified vulnerability in Intel products Insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access. | 5.5 |
2022-02-09 | CVE-2021-33096 | Intel | Exposure of Resource to Wrong Sphere vulnerability in Intel products Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access. | 5.5 |
2022-02-09 | CVE-2021-33105 | Intel | Out-of-bounds Read vulnerability in Intel Core I5-8305G Firmware and Core I7-8706G Firmware Out-of-bounds read in some Intel(R) Core(TM) processors with Radeon(TM) RX Vega M GL integrated graphics before version 21.10 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-33119 | Intel | Unspecified vulnerability in Intel Realsense Depth Camera Manager 1.5/2.2/3.4 Improper access control in the Intel(R) RealSense(TM) DCM before version 20210625 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-33147 | Intel | Improper Check for Unusual or Exceptional Conditions vulnerability in Intel Integrated Performance Primitives Cryptography 2018U3.1/2019/2020 Improper conditions check in the Intel(R) IPP Crypto library before version 2021.2 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-33166 | Intel | Incorrect Default Permissions vulnerability in Intel Retail Experience Tool Incorrect default permissions for the Intel(R) RXT for Chromebook application, all versions, may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2021-37107 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui 12.0.0 There is an improper memory access permission configuration on ACPU. Successful exploitation of this vulnerability may cause out-of-bounds access. | 5.5 |
2022-02-09 | CVE-2021-37115 | Huawei | Unspecified vulnerability in Huawei Emui 12.0.0 There is an unauthorized rewriting vulnerability with the memory access management module on ACPU. Successful exploitation of this vulnerability may affect service confidentiality. | 5.5 |
2022-02-09 | CVE-2021-39986 | Huawei | Unspecified vulnerability in Huawei Emui 12.0.0 There is an unauthorized rewriting vulnerability with the memory access management module on ACPU. Successful exploitation of this vulnerability may affect service confidentiality. | 5.5 |
2022-02-09 | CVE-2021-39991 | Huawei | Unspecified vulnerability in Huawei Emui 12.0.0 There is an unauthorized rewriting vulnerability with the memory access management module on ACPU. Successful exploitation of this vulnerability may affect service confidentiality. | 5.5 |
2022-02-09 | CVE-2021-40045 | Huawei | Improper Verification of Cryptographic Signature vulnerability in Huawei Emui, Harmonyos and Magic UI There is a vulnerability of signature verification mechanism failure in system upgrade through recovery mode. Successful exploitation of this vulnerability may affect service confidentiality. | 5.5 |
2022-02-09 | CVE-2022-0529 | Unzip Project Redhat Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products A flaw was found in Unzip. | 5.5 |
2022-02-09 | CVE-2022-0530 | Unzip Project Redhat Fedoraproject Apple Debian | A flaw was found in Unzip. | 5.5 |
2022-02-09 | CVE-2022-0534 | Htmldoc Project Debian | Out-of-bounds Read vulnerability in multiple products A vulnerability was found in htmldoc version 1.9.15 where the stack out-of-bounds read takes place in gif_get_code() and occurs when opening a malicious GIF file, which can result in a crash (segmentation fault). | 5.5 |
2022-02-09 | CVE-2022-20017 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0/12.0 In ion driver, there is a possible information disclosure due to an incorrect bounds check. | 5.5 |
2022-02-09 | CVE-2022-20036 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0 In ion driver, there is a possible information disclosure due to an incorrect bounds check. | 5.5 |
2022-02-09 | CVE-2022-20037 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0 In ion driver, there is a possible information disclosure due to an incorrect bounds check. | 5.5 |
2022-02-09 | CVE-2022-20042 | Google | Improper Handling of Exceptional Conditions vulnerability in Google Android In Bluetooth, there is a possible information disclosure due to incorrect error handling. | 5.5 |
2022-02-09 | CVE-2022-20046 | Google | Memory Leak vulnerability in Google Android In Bluetooth, there is a possible memory corruption due to a logic error. | 5.5 |
2022-02-09 | CVE-2022-21133 | Intel | Out-of-bounds Read vulnerability in Intel Trace Analyzer and Collector 2017/2020 Out-of-bounds read in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable denial of service via local access. | 5.5 |
2022-02-09 | CVE-2022-21153 | Intel | Unspecified vulnerability in Intel Capital Global Summit Improper access control in the Intel(R) Capital Global Summit Android application may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2022-21156 | Intel | Access of Uninitialized Pointer vulnerability in Intel Trace Analyzer and Collector 2017/2020 Access of uninitialized pointer in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable denial of service via local access. | 5.5 |
2022-02-09 | CVE-2022-21157 | Intel | Unspecified vulnerability in Intel Smart Campus Improper access control in the Intel(R) Smart Campus Android application before version 6.1 may allow authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2022-21218 | Intel | Improper Handling of Exceptional Conditions vulnerability in Intel Trace Analyzer and Collector 2017/2020 Uncaught exception in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-09 | CVE-2022-21226 | Intel | Out-of-bounds Read vulnerability in Intel Trace Analyzer and Collector 2017/2020 Out-of-bounds read in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-02-07 | CVE-2022-21815 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia products NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash. | 5.5 |
2022-02-07 | CVE-2022-21816 | Nvidia | Missing Authentication for Critical Function vulnerability in Nvidia Cloud Gaming Virtual GPU and Virtual GPU NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where a user in the guest OS can cause a GPU interrupt storm on the hypervisor host, leading to a denial of service. | 5.5 |
2022-02-11 | CVE-2021-4046 | Tcman | Cross-site Scripting vulnerability in Tcman GIM 8.0.1/8.01 The m_txtNom and m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. | 5.4 |
2022-02-11 | CVE-2022-23707 | Elastic | Cross-site Scripting vulnerability in Elastic Kibana An XSS vulnerability was found in Kibana index patterns. | 5.4 |
2022-02-11 | CVE-2022-24926 | Samsung | Cross-site Scripting vulnerability in Samsung Smarttagplugin Improper input validation vulnerability in SmartTagPlugin prior to version 1.2.15-6 allows privileged attackers to trigger an XSS on a victim's devices. | 5.4 |
2022-02-11 | CVE-2021-46355 | Factorfx | Cross-site Scripting vulnerability in Factorfx OCS Inventory 2.9.1 OCS Inventory 2.9.1 is affected by Cross Site Scripting (XSS). | 5.4 |
2022-02-10 | CVE-2021-44970 | 1234N | Cross-site Scripting vulnerability in 1234N Minicms 1.11 MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) vulnerability via /mc-admin/page-edit.php. | 5.4 |
2022-02-10 | CVE-2022-0020 | Paloaltonetworks | Cross-site Scripting vulnerability in Paloaltonetworks Cortex Xsoar 6.1.0/6.2.0 A stored cross-site scripting (XSS) vulnerability in Palo Alto Network Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent javascript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. | 5.4 |
2022-02-10 | CVE-2022-0558 | Microweber | Unspecified vulnerability in Microweber Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | 5.4 |
2022-02-09 | CVE-2021-33120 | Intel | Out-of-bounds Read vulnerability in Intel products Out of bounds read under complex microarchitectural condition in memory subsystem for some Intel Atom(R) Processors may allow authenticated user to potentially enable information disclosure or cause denial of service via network access. | 5.4 |
2022-02-09 | CVE-2022-22546 | SAP | Unspecified vulnerability in SAP Businessobjects web Intelligence 420 Due to improper HTML encoding in input control summary, an authorized attacker can execute XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) - version 420. | 5.4 |
2022-02-09 | CVE-2022-23049 | Exponentcms | Cross-site Scripting vulnerability in Exponentcms Exponent CMS 2.6.0 Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. | 5.4 |
2022-02-09 | CVE-2022-23620 | Xwiki | Improper Encoding or Escaping of Output vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 5.4 |
2022-02-09 | CVE-2022-23615 | Xwiki | Incorrect Authorization vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 5.4 |
2022-02-09 | CVE-2021-44911 | Xpressengine | Cross-site Scripting vulnerability in Xpressengine XE before 1.11.6 is vulnerable to Unrestricted file upload via modules/menu/menu.admin.controller.php. | 5.4 |
2022-02-09 | CVE-2021-44912 | Xpressengine | Cross-site Scripting vulnerability in Xpressengine In XE 1.116, when uploading the Normal button, there is no restriction on the file suffix, which leads to any file uploading to the files directory. | 5.4 |
2022-02-09 | CVE-2022-0539 | Beanstalk Console Project | Cross-site Scripting vulnerability in Beanstalk Console Project Beanstalk Console Cross-site Scripting (XSS) - Stored in Packagist ptrofimov/beanstalk_console prior to 1.7.14. | 5.4 |
2022-02-09 | CVE-2022-23378 | Tastyigniter | Cross-site Scripting vulnerability in Tastyigniter 3.2.2 A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. | 5.4 |
2022-02-08 | CVE-2021-45919 | Std42 | Cross-site Scripting vulnerability in Std42 Elfinder Studio 42 elFinder through 2.1.31 allows XSS via an SVG document. | 5.4 |
2022-02-08 | CVE-2022-21702 | Grafana Netapp Fedoraproject | Cross-site Scripting vulnerability in multiple products Grafana is an open-source platform for monitoring and observability. | 5.4 |
2022-02-08 | CVE-2022-0510 | Pimcore | Unspecified vulnerability in Pimcore Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore prior to 10.3.1. | 5.4 |
2022-02-08 | CVE-2022-0509 | Pimcore | Unspecified vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.3.1. | 5.4 |
2022-02-08 | CVE-2022-0506 | Microweber | Unspecified vulnerability in Microweber Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. | 5.4 |
2022-02-07 | CVE-2022-0148 | Premio | Cross-site Scripting vulnerability in Premio Mystickyelements The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin page. | 5.4 |
2022-02-07 | CVE-2021-24880 | Supportcandy | Cross-site Scripting vulnerability in Supportcandy The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | 5.4 |
2022-02-07 | CVE-2021-25106 | Wpeka | Cross-site Scripting vulnerability in Wpeka Wplegalpages The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. | 5.4 |
2022-02-07 | CVE-2021-43929 | Synology | Cross-site Scripting vulnerability in Synology Diskstation Manager Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 5.4 |
2022-02-11 | CVE-2022-23433 | Samsung | Unspecified vulnerability in Samsung Reminder 11.6.08.6000/12.2.05.6000 Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Android Q(10) allows attackers to register reminders or execute exported activities remotely. | 5.3 |
2022-02-11 | CVE-2022-24002 | Samsung | Unspecified vulnerability in Samsung Link Sharing Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity. | 5.3 |
2022-02-11 | CVE-2022-24003 | Samsung | Unspecified vulnerability in Samsung Bixby Vision Exposure of Sensitive Information vulnerability in Bixby Vision prior to version 3.7.50.6 allows attackers to access internal data of Bixby Vision via unprotected intent. | 5.3 |
2022-02-11 | CVE-2022-24924 | Samsung | Unspecified vulnerability in Samsung Livewallpaperservice An improper access control in LiveWallpaperService prior to versions 3.0.9.0 allows to create a specific named system directory without a proper permission. | 5.3 |
2022-02-10 | CVE-2022-20710 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 5.3 |
2022-02-10 | CVE-2022-24111 | Mahara | Missing Authentication for Critical Function vulnerability in Mahara In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known. | 5.3 |
2022-02-10 | CVE-2021-45901 | Servicenow | Information Exposure Through Discrepancy vulnerability in Servicenow Jakarta The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists. | 5.3 |
2022-02-09 | CVE-2022-22809 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow modifications of the touch configurations in an unauthorized manner when an attacker attempts to modify the touch configurations. | 5.3 |
2022-02-09 | CVE-2022-23628 | Openpolicyagent | Unspecified vulnerability in Openpolicyagent Open Policy Agent OPA is an open source, general-purpose policy engine. | 5.3 |
2022-02-09 | CVE-2021-45286 | Zzcms | Path Traversal vulnerability in Zzcms 2021 Directory Traversal vulnerability exists in ZZCMS 2021 via the skin parameter in 1) index.php, 2) bottom.php, and 3) top_index.php. | 5.3 |
2022-02-09 | CVE-2021-40837 | F Secure | Unspecified vulnerability in F-Secure products A vulnerability affecting F-Secure antivirus engine before Capricorn update 2022-02-01_01 was discovered whereby decompression of ACE file causes the scanner service to stop. | 5.3 |
2022-02-08 | CVE-2022-0508 | Framasoft | Unspecified vulnerability in Framasoft Peertube Server-Side Request Forgery (SSRF) in GitHub repository chocobozzz/peertube prior to f33e515991a32885622b217bf2ed1d1b0d9d6832 | 5.3 |
2022-02-08 | CVE-2022-21799 | Elecom | Cross-site Scripting vulnerability in Elecom Wrc-300Febk-R Firmware Cross-site scripting vulnerability in ELECOM LAN router WRC-300FEBK-R firmware v1.13 and earlier allows an attacker on the adjacent network to inject an arbitrary script via unspecified vectors. | 5.2 |
2022-02-09 | CVE-2022-22567 | Dell | Insufficient Verification of Data Authenticity vulnerability in Dell products Select Dell Client Commercial and Consumer platforms are vulnerable to an insufficient verification of data authenticity vulnerability. | 5.1 |
2022-02-09 | CVE-2022-22545 | SAP | Unspecified vulnerability in SAP Netweaver Abap A high privileged user who has access to transaction SM59 can read connection details stored with the destination for http calls in SAP NetWeaver Application Server ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756. | 4.9 |
2022-02-09 | CVE-2022-23621 | Xwiki | Missing Authorization vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 4.9 |
2022-02-07 | CVE-2021-25004 | Seur Oficial Project | Files or Directories Accessible to External Parties vulnerability in Seur Oficial Project Seur Oficial The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed. Even though it is used for support purposes, it allows downloading any file from the web server without restriction after knowing the URL and a password that an administrator can see in the plugin settings page. | 4.9 |
2022-02-07 | CVE-2022-22679 | Synology | Path Traversal vulnerability in Synology Diskstation Manager Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors. | 4.9 |
2022-02-11 | CVE-2021-4035 | Wocu Monitoring | Cross-site Scripting vulnerability in Wocu-Monitoring Wocu Monitoring A stored cross-site scripting vulnerability has been identified in the comments in the report creation due to an obsolete version of the tinymce editor. | 4.8 |
2022-02-10 | CVE-2021-44969 | Taogogo | Cross-site Scripting vulnerability in Taogogo Taocms 3.0.2 Taocms v3.0.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Management Column component. | 4.8 |
2022-02-10 | CVE-2022-23321 | Xerox | Cross-site Scripting vulnerability in Xerox Xmpie Ustore 12.3.7244.0 A persistent cross-site scripting (XSS) vulnerability exists on two input fields within the administrative panel when editing users in the XMPie UStore application on version 12.3.7244.0. | 4.8 |
2022-02-10 | CVE-2022-20704 | Cisco | Out-of-bounds Write vulnerability in Cisco products Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory. | 4.8 |
2022-02-09 | CVE-2022-23047 | Exponentcms | Cross-site Scripting vulnerability in Exponentcms Exponent CMS 2.6.0 Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site" | 4.8 |
2022-02-08 | CVE-2021-20877 | Canon | Cross-site Scripting vulnerability in Canon products Cross-site scripting vulnerability in Canon laser printers and small office multifunctional printers (LBP162L/LBP162, MF4890dw, MF269dw/MF265dw/MF264dw/MF262dw, MF249dw/MF245dw/MF244dw/MF242dw/MF232w, and MF229dw/MF224dw/MF222dw sold in Japan, imageCLASS MF Series (MF113W/MF212W/MF217W/MF227DW/MF229DW, MF232W/MF244DW/MF247DW/MF249DW, MF264DW/MF267DW/MF269DW/MF269DW VP, and MF4570DN/MF4570DW/MF4770N/MF4880DW/MF4890DW) and imageCLASS LBP Series (LBP113W/LBP151DW/LBP162DW ) sold in the US, and iSENSYS (LBP162DW, LBP113W, LBP151DW, MF269dw, MF267dw, MF264dw, MF113w, MF249dw, MF247dw, MF244dw, MF237w, MF232w, MF229dw, MF217w, MF212w, MF4780w, and MF4890dw) and imageRUNNER (2206IF, 2204N, and 2204F) sold in Europe) allows remote attackers to inject an arbitrary script via unspecified vectors. | 4.8 |
2022-02-07 | CVE-2021-25029 | Cluevo | Cross-site Scripting vulnerability in Cluevo Learning Management System The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2022-02-07 | CVE-2021-25105 | Ivorysearch | Cross-site Scripting vulnerability in Ivorysearch Ivory Search The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-02-07 | CVE-2022-0473 | Otrs | Cross-site Scripting vulnerability in Otrs OTRS administrators can configure dynamic field and inject malicious JavaScript code in the error message of the regular expression check. | 4.8 |
2022-02-09 | CVE-2021-40015 | Huawei | Race Condition vulnerability in Huawei Emui, Harmonyos and Magic UI There is a race condition vulnerability in the binder driver subsystem in the kernel. Successful exploitation of this vulnerability may affect kernel stability. | 4.7 |
2022-02-07 | CVE-2021-25103 | Gtranslate | Cross-site Scripting vulnerability in Gtranslate Translate Wordpress With Gtranslate The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. | 4.7 |
2022-02-11 | CVE-2022-24001 | Google | Unspecified vulnerability in Google Android 12.0 Information disclosure vulnerability in Edge Panel prior to Android S(12) allows physical attackers to access screenshot in clipboard via Edge Panel. | 4.6 |
2022-02-09 | CVE-2021-33107 | Intel | Insufficiently Protected Credentials vulnerability in Intel products Insufficiently protected credentials in USB provisioning for Intel(R) AMT SDK before version 16.0.3, Intel(R) SCS before version 12.2 and Intel(R) MEBx before versions 11.0.0.0012, 12.0.0.0011, 14.0.0.0004 and 15.0.0.0004 may allow an unauthenticated user to potentially enable information disclosure via physical access. | 4.6 |
2022-02-11 | CVE-2021-44111 | S Cart | Path Traversal vulnerability in S-Cart A Directory Traversal vulnerability exists in S-Cart 6.7 via download in sc-admin/backup. | 4.4 |
2022-02-11 | CVE-2022-23429 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 An improper boundary check in audio hal service prior to SMR Feb-2022 Release 1 allows attackers to read invalid memory and it leads to application crash. | 4.4 |
2022-02-10 | CVE-2022-20630 | Cisco | Information Exposure Through Log Files vulnerability in Cisco DNA Center A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. | 4.4 |
2022-02-09 | CVE-2021-0092 | Intel Netapp | Resource Exhaustion vulnerability in multiple products Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access. | 4.4 |
2022-02-09 | CVE-2021-0093 | Intel Netapp | Incorrect Default Permissions vulnerability in multiple products Incorrect default permissions in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access. | 4.4 |
2022-02-09 | CVE-2021-0147 | Intel | Improper Locking vulnerability in Intel Power Management Controller Pmcfwlbgb021Ww02A Improper locking in the Power Management Controller (PMC) for some Intel Chipset firmware before versions pmc_fw_lbg_c1-21ww02a and pmc_fw_lbg_b0-21ww02a may allow a privileged user to potentially enable denial of service via local access. | 4.4 |
2022-02-09 | CVE-2021-0176 | Intel | Improper Input Validation vulnerability in Intel products Improper input validation in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable denial of service via local access. | 4.4 |
2022-02-09 | CVE-2022-20029 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 In cmdq driver, there is a possible out of bounds read due to an incorrect bounds check. | 4.4 |
2022-02-09 | CVE-2022-20033 | Google | Out-of-bounds Read vulnerability in Google Android 11.0/12.0 In camera driver, there is a possible out of bounds read due to an incorrect bounds check. | 4.4 |
2022-02-09 | CVE-2022-20035 | Google | Use After Free vulnerability in Google Android 10.0/11.0 In vcu driver, there is a possible information disclosure due to a use after free. | 4.4 |
2022-02-12 | CVE-2022-0110 | Google Fedoraproject | Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products Incorrect security UI in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2022-02-12 | CVE-2022-0112 | Google Fedoraproject | Incorrect security UI in Browser UI in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to display missing URL or incorrect URL via a crafted URL. | 4.3 |
2022-02-12 | CVE-2022-0116 | Google Fedoraproject | Inappropriate implementation in Compositing in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2022-02-12 | CVE-2022-0118 | Google Fedoraproject | Inappropriate implementation in WebShare in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially hide the contents of the Omnibox (URL bar) via a crafted HTML page. | 4.3 |
2022-02-09 | CVE-2021-39943 | Gitlab | Incorrect Authorization vulnerability in Gitlab An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call | 4.3 |
2022-02-09 | CVE-2022-23256 | Microsoft | Unspecified vulnerability in Microsoft Azure Data Explorer Azure Data Explorer Spoofing Vulnerability | 4.3 |
2022-02-09 | CVE-2022-24694 | Mahara | Files or Directories Accessible to External Parties vulnerability in Mahara In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the Files area can be seen by a person not owning the folders. | 4.3 |
2022-02-08 | CVE-2022-21713 | Grafana Netapp Fedoraproject | Authorization Bypass Through User-Controlled Key vulnerability in multiple products Grafana is an open-source platform for monitoring and observability. | 4.3 |
2022-02-07 | CVE-2022-22931 | Apache | Path Traversal vulnerability in Apache James 3.6.1 The fix of CVE-2021-40525 does not prepend delimiters upon valid directory validations. | 4.3 |
2022-02-07 | CVE-2021-25084 | Bracketspace | Unspecified vulnerability in Bracketspace Advanced Cron Manager The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced Cron Manager Pro WordPress plugin before 2.5.3 do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example | 4.3 |
2022-02-09 | CVE-2022-0532 | Kubernetes Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. | 4.2 |
2022-02-09 | CVE-2022-20032 | Google | Race Condition vulnerability in Google Android 10.0/11.0/12.0 In vow driver, there is a possible memory corruption due to a race condition. | 4.1 |
11 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-09 | CVE-2022-22779 | Keybase | Improper Cross-boundary Removal of Sensitive Data vulnerability in Keybase The Keybase Clients for macOS and Windows before version 5.9.0 fail to properly remove exploded messages initiated by a user. | 3.7 |
2022-02-07 | CVE-2022-0474 | Otrs | Information Exposure vulnerability in Otrs Custom Contact Fields Full list of recipients from customer users in a contact field could be disclosed in notification emails even when the notification is set to be sent to each recipient individually. | 3.5 |
2022-02-11 | CVE-2022-23434 | Samsung | Unspecified vulnerability in Samsung Bixby 3.7.50.6 A vulnerability using PendingIntent in Bixby Vision prior to versions 3.7.60.8 in Android S(12), 3.7.50.6 in Android R(11) and below allows attackers to execute privileged action by hijacking and modifying the intent. | 3.3 |
2022-02-11 | CVE-2022-23994 | Samsung | Unspecified vulnerability in Samsung Wear OS An Improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission. | 3.3 |
2022-02-11 | CVE-2022-23995 | Samsung | Incorrect Default Permissions vulnerability in Samsung Wear OS Unprotected component vulnerability in StBedtimeModeAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission. | 3.3 |
2022-02-11 | CVE-2022-23996 | Samsung | Incorrect Default Permissions vulnerability in Samsung Wear OS Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission. | 3.3 |
2022-02-11 | CVE-2022-23997 | Samsung | Unspecified vulnerability in Samsung Wear OS Unprotected component vulnerability in StTheaterModeDurationAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to disable theater mode without a proper permission. | 3.3 |
2022-02-11 | CVE-2022-23999 | Google | Unspecified vulnerability in Google Android 10.0/11.0/12.0 PendingIntent hijacking vulnerability in CpaReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent. | 3.3 |
2022-02-11 | CVE-2022-24000 | Google | Unspecified vulnerability in Google Android 10.0/11.0/12.0 PendingIntent hijacking vulnerability in DataUsageReminderReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent. | 3.3 |
2022-02-11 | CVE-2022-24923 | Samsung | Unspecified vulnerability in Samsung Searchwidget Improper access control vulnerability in Samsung SearchWidget prior to versions 2.3.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview. | 3.3 |
2022-02-09 | CVE-2021-25939 | Arangodb | Server-Side Request Forgery (SSRF) vulnerability in Arangodb In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. | 2.7 |