Weekly Vulnerabilities Reports > February 14 to 20, 2022

Overview

534 new vulnerabilities reported during this period, including 93 critical vulnerabilities and 245 high severity vulnerabilities. This weekly summary report vulnerabilities in 606 products from 213 vendors including Bentley, Fedoraproject, Jenkins, Debian, and Redhat. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Cross-Site Request Forgery (CSRF)", and "Missing Authorization".

  • 341 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 110 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 377 reported vulnerabilities are exploitable by an anonymous user.
  • Bentley has the most reported vulnerabilities, with 95 reported vulnerabilities.
  • Debian has the most reported critical vulnerabilities, with 11 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

93 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-18 CVE-2022-0543 Redis Missing Authorization vulnerability in Redis

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

10.0
2022-02-15 CVE-2021-46250 Scratchoauth2 Project Unspecified vulnerability in Scratchoauth2 Project Scratchoauth2

An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.

10.0
2022-02-16 CVE-2021-3781 Artifex
Fedoraproject
OS Command Injection vulnerability in multiple products

A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command.

9.9
2022-02-20 CVE-2022-23848 Alluxio Unspecified vulnerability in Alluxio

In Alluxio before 2.7.3, the logserver does not validate the input stream.

9.8
2022-02-19 CVE-2016-1239 Debian Unspecified vulnerability in Debian Duck

duck before 0.10 did not properly handle loading of untrusted code from the current directory.

9.8
2022-02-19 CVE-2022-25130 Totolink Command Injection vulnerability in Totolink T10 Firmware and T6 Firmware

A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-19 CVE-2022-25131 Totolink Command Injection vulnerability in Totolink T10 Firmware and T6 Firmware

A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-19 CVE-2022-25132 Totolink Command Injection vulnerability in Totolink T10 Firmware and T6 Firmware

A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-19 CVE-2022-25133 Totolink Command Injection vulnerability in Totolink T6 Firmware V4.1.5Cu.748B20211015

A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-19 CVE-2022-25134 Totolink Command Injection vulnerability in Totolink T6 Firmware V4.1.5Cu.748B20211015

A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-19 CVE-2022-25135 Totolink Command Injection vulnerability in Totolink T6 Firmware V4.1.5Cu.748B20211015

A command injection vulnerability in the function recv_mesh_info_sync of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-19 CVE-2022-25136 Totolink Command Injection vulnerability in Totolink T10 Firmware and T6 Firmware

A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-19 CVE-2022-25137 Totolink Command Injection vulnerability in Totolink T10 Firmware and T6 Firmware

A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

9.8
2022-02-18 CVE-2021-29655 Pexip Insufficient Verification of Data Authenticity vulnerability in Pexip Infinity Connect

Pexip Infinity Connect before 1.8.0 omits certain provisioning authenticity checks.

9.8
2022-02-18 CVE-2021-29656 Pexip Improper Certificate Validation vulnerability in Pexip Infinity Connect

Pexip Infinity Connect before 1.8.0 mishandles TLS certificate validation.

9.8
2022-02-18 CVE-2021-46110 Phpgurukul SQL Injection vulnerability in PHPgurukul Online Shopping Portal 3.1

Online Shopping Portal v3.1 was discovered to contain multiple time-based SQL injection vulnerabilities via the email and contactno parameters.

9.8
2022-02-18 CVE-2021-23702 Object Extend Project Unspecified vulnerability in Object-Extend Project Object-Extend 0.5.0

The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend.

9.8
2022-02-18 CVE-2022-24047 BMC Improper Authentication vulnerability in BMC Track-It! 20.21.01.102

This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It! 20.21.01.102.

9.8
2022-02-18 CVE-2022-24049 Sonos Out-of-bounds Write vulnerability in Sonos S1 and S2

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems).

9.8
2022-02-18 CVE-2021-46036 Mingsoft Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 5.2.4

An arbitrary file upload vulnerability in the component /ms/file/uploadTemplate.do of MCMS v5.2.4 allows attackers to execute arbitrary code.

9.8
2022-02-18 CVE-2021-20325 Redhat Server-Side Request Forgery (SSRF) vulnerability in Redhat Enterprise Linux 8.5.0

Missing fixes for CVE-2021-40438 and CVE-2021-26691 in the versions of httpd, as shipped in Red Hat Enterprise Linux 8.5.0, causes a security regression compared to the versions shipped in Red Hat Enterprise Linux 8.4.

9.8
2022-02-18 CVE-2021-26618 Tmax Improper Input Validation vulnerability in Tmax Tooffice 3.15.5

An improper input validation leading to arbitrary file creation was discovered in ToWord of ToOffice.

9.8
2022-02-18 CVE-2021-3657 Isync Project
Fedoraproject
Redhat
Debian
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A flaw was found in mbsync versions prior to 1.4.4.

9.8
2022-02-18 CVE-2021-45401 Tendacn Command Injection vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multi

A Command injection vulnerability exists in Tenda AC10U AC1200 Smart Dual-band Wireless Router AC10U V1.0 Firmware V15.03.06.49_multi via the setUsbUnload functionality.

9.8
2022-02-18 CVE-2022-21141 Airspan Incorrect Authorization vulnerability in Airspan products

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization checks on multiple API functions.

9.8
2022-02-18 CVE-2022-21143 Airspan OS Command Injection vulnerability in Airspan products

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not properly sanitize user input on several locations, which may allow an attacker to inject arbitrary commands.

9.8
2022-02-18 CVE-2022-21196 Airspan Unspecified vulnerability in Airspan products

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes.

9.8
2022-02-18 CVE-2022-21215 Airspan Server-Side Request Forgery (SSRF) vulnerability in Airspan products

This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to the Mimosa MMP server, or request pages that could perform some actions themselves.

9.8
2022-02-18 CVE-2022-25337 Ibexa Injection vulnerability in Ibexa EZ Platform Kernel

Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows injection attacks via image filenames.

9.8
2022-02-18 CVE-2022-25322 Zerof SQL Injection vulnerability in Zerof web Server 2.0

ZEROF Web Server 2.0 allows /HandleEvent SQL Injection.

9.8
2022-02-18 CVE-2022-0631 Mruby Unspecified vulnerability in Mruby

Heap-based Buffer Overflow in Homebrew mruby prior to 3.2.

9.8
2022-02-18 CVE-2022-0664 Gravitl Unspecified vulnerability in Gravitl Netmaker

Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1.

9.8
2022-02-18 CVE-2022-25315 Libexpat Project
Debian
Fedoraproject
Oracle
Siemens
Integer Overflow or Wraparound vulnerability in multiple products

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

9.8
2022-02-18 CVE-2022-22922 TP Link Use of Insufficiently Random Values vulnerability in Tp-Link Tl-Wa850Re Firmware

TP-Link TL-WA850RE Wi-Fi Range Extender before v6_200923 was discovered to use highly predictable and easily detectable session keys, allowing attackers to gain administrative privileges.

9.8
2022-02-17 CVE-2021-46315 Dlink OS Command Injection vulnerability in Dlink Dir-846 Firmware 100A43/100A53Dla

Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetWizardConfig.php in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin.

9.8
2022-02-17 CVE-2021-46319 Dlink OS Command Injection vulnerability in Dlink Dir-846 Firmware 100A43/100A53Dla

Remote Code Execution (RCE) vulnerability exists in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin.

9.8
2022-02-17 CVE-2022-22916 Zoneland Unspecified vulnerability in Zoneland O2Oa 6.4.7

O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.

9.8
2022-02-17 CVE-2021-45382 Dlink OS Command Injection vulnerability in Dlink products

A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file.

9.8
2022-02-17 CVE-2021-46314 Dlink OS Command Injection vulnerability in Dlink Dir-846 Firmware 100A43/100A53Dla

A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetNetworkTomographySettings.php of D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin because backticks can be used for command injection when judging whether it is a reasonable domain name.

9.8
2022-02-17 CVE-2022-22912 Plist Project Unspecified vulnerability in Plist Project Plist

Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

9.8
2022-02-17 CVE-2021-44868 Mingsoft SQL Injection vulnerability in Mingsoft Mcms 5.1

A problem was found in ming-soft MCMS v5.1.

9.8
2022-02-16 CVE-2022-22880 Jeecg SQL Injection vulnerability in Jeecg Boot 2.3/3.0

Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /jeecg-boot/sys/user/queryUserByDepId.

9.8
2022-02-16 CVE-2022-22881 Jeecg SQL Injection vulnerability in Jeecg Boot 2.3/3.0

Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData.

9.8
2022-02-16 CVE-2022-22885 Hutool Improper Certificate Validation vulnerability in Hutool 5.7.18

Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation.

9.8
2022-02-16 CVE-2022-24984 Jqueryform Unrestricted Upload of File with Dangerous Type vulnerability in Jqueryform

Forms generated by JQueryForm.com before 2022-02-05 (if file-upload capability is enabled) allow remote unauthenticated attackers to upload executable files and achieve remote code execution.

9.8
2022-02-16 CVE-2021-43299 Teluu
Debian
Stack overflow in PJSUA API when calling pjsua_player_create.
9.8
2022-02-16 CVE-2021-43300 Teluu
Debian
Stack overflow in PJSUA API when calling pjsua_recorder_create.
9.8
2022-02-16 CVE-2021-43301 Teluu
Debian
Stack overflow in PJSUA API when calling pjsua_playlist_create.
9.8
2022-02-16 CVE-2021-43303 Teluu
Debian
Buffer overflow in PJSUA API when calling pjsua_call_dump.
9.8
2022-02-16 CVE-2021-3242 Duxcms Project SQL Injection vulnerability in Duxcms Project Duxcms 3.1.3

DuxCMS v3.1.3 was discovered to contain a SQL injection vulnerability via the component s/tools/SendTpl/index?keyword=.

9.8
2022-02-16 CVE-2021-3773 Linux
Fedoraproject
Redhat
Oracle
A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.
9.8
2022-02-16 CVE-2021-23682 Appwrite
Litespeed JS Project
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1.
9.8
2022-02-16 CVE-2022-23358 Easycms SQL Injection vulnerability in Easycms 1.6

EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php.

9.8
2022-02-16 CVE-2022-0559 Radare
Fedoraproject
Use After Free vulnerability in multiple products

Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2.

9.8
2022-02-16 CVE-2022-25235 Libexpat Project
Debian
Fedoraproject
Oracle
Siemens
Improper Encoding or Escaping of Output vulnerability in multiple products

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

9.8
2022-02-16 CVE-2022-25236 Libexpat Project
Debian
Oracle
Siemens
Exposure of Resource to Wrong Sphere vulnerability in multiple products

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

9.8
2022-02-15 CVE-2021-33945 Ricoh Out-of-bounds Write vulnerability in Ricoh products

RICOH Printer series SP products 320DN, SP 325DNw, SP 320SN, SP 320SFN, SP 325SNw, SP 325SFNw, SP 330SN, Aficio SP 3500SF, SP 221S, SP 220SNw, SP 221SNw, SP 221SF, SP 220SFNw, SP 221SFNw v1.06 were discovered to contain a stack buffer overflow in the file /etc/wpa_supplicant.conf.

9.8
2022-02-15 CVE-2021-37354 Xerox Out-of-bounds Write vulnerability in Xerox Phaser 4622 Firmware 35.013.01.000

Xerox Phaser 4622 v35.013.01.000 was discovered to contain a buffer overflow in the function sub_3226AC via the TIMEZONE variable.

9.8
2022-02-15 CVE-2021-46262 Tenda Out-of-bounds Write vulnerability in Tenda Ac11 Firmware 02.03.01.104Cn

Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the PPPoE module.

9.8
2022-02-15 CVE-2021-46263 Tenda Out-of-bounds Write vulnerability in Tenda Ac11 Firmware 02.03.01.104Cn

Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the wifiTime module.

9.8
2022-02-15 CVE-2021-46264 Tenda Out-of-bounds Write vulnerability in Tenda Ac11 Firmware 02.03.01.104Cn

Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the onlineList module.

9.8
2022-02-15 CVE-2021-46265 Tenda Out-of-bounds Write vulnerability in Tenda Ac11 Firmware 02.03.01.104Cn

Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the wanBasicCfg module.

9.8
2022-02-15 CVE-2021-46321 Tenda Out-of-bounds Write vulnerability in Tenda Ac11 Firmware 02.03.01.104Cn

Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the wifiBasicCfg module.

9.8
2022-02-15 CVE-2021-43049 Tibco Unspecified vulnerability in Tibco Businessconnect 1.1.0

The Database component of TIBCO Software Inc.'s TIBCO BusinessConnect Container Edition contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to obtain the usernames and passwords of users of the affected system.

9.8
2022-02-15 CVE-2022-22770 Tibco Unspecified vulnerability in Tibco Auditsafe 1.1.0

The Web Server component of TIBCO Software Inc.'s TIBCO AuditSafe contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute API methods on the affected system.

9.8
2022-02-14 CVE-2021-45005 Artifex Out-of-bounds Write vulnerability in Artifex Mujs 1.1.3

Artifex MuJS v1.1.3 was discovered to contain a heap buffer overflow which is caused by conflicting JumpList of nested try/finally statements.

9.8
2022-02-14 CVE-2021-46461 Nginx Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nginx NJS

njs through 0.7.0, used in NGINX, was discovered to contain an out-of-bounds array access via njs_vmcode_typeof in /src/njs_vmcode.c.

9.8
2022-02-14 CVE-2021-46463 F5 Type Confusion vulnerability in F5 NJS

njs through 0.7.1, used in NGINX, was discovered to contain a control flow hijack caused by a Type Confusion vulnerability in njs_promise_perform_then().

9.8
2022-02-14 CVE-2021-4201 Forgerock Improper Authentication vulnerability in Forgerock Access Management

Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions.

9.8
2022-02-14 CVE-2022-0582 Wireshark
Fedoraproject
Debian
NULL Pointer Dereference vulnerability in multiple products

Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

9.8
2022-02-14 CVE-2022-23992 Broadcom Improper Input Validation vulnerability in Broadcom Xcom Data Transport 11.6

XCOM Data Transport for Windows, Linux, and UNIX 11.6 releases contain a vulnerability due to insufficient input validation that could potentially allow remote attackers to execute arbitrary commands with elevated privileges.

9.8
2022-02-14 CVE-2022-24704 Accel PPP Classic Buffer Overflow vulnerability in Accel-Ppp 1.10.0/1.12.0

The rad_packet_recv function in opt/src/accel-pppd/radius/packet.c suffers from a buffer overflow vulnerability, whereby user input len is copied into a fixed buffer &attr->val.integer without any bound checks.

9.8
2022-02-14 CVE-2022-24705 Accel PPP Classic Buffer Overflow vulnerability in Accel-Ppp 1.10.0/1.12.0

The rad_packet_recv function in radius/packet.c suffers from a memcpy buffer overflow, resulting in an overly-large recvfrom into a fixed buffer that causes a buffer overflow and overwrites arbitrary memory.

9.8
2022-02-14 CVE-2022-25139 F5 Use After Free vulnerability in F5 NJS

njs through 0.7.0, used in NGINX, was discovered to contain a heap use-after-free in njs_await_fulfilled.

9.8
2022-02-14 CVE-2022-22295 Metinfo SQL Injection vulnerability in Metinfo 7.5.0

Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter.

9.8
2022-02-14 CVE-2022-23335 Metinfo SQL Injection vulnerability in Metinfo 7.5.0

Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter.

9.8
2022-02-14 CVE-2022-23336 S CMS SQL Injection vulnerability in S-Cms 5.0

S-CMS v5.0 was discovered to contain a SQL injection vulnerability in member_pay.php via the O_id parameter.

9.8
2022-02-14 CVE-2022-23337 Dedecms SQL Injection vulnerability in Dedecms 5.7.87

DedeCMS v5.7.87 was discovered to contain a SQL injection vulnerability in article_coonepage_rule.php via the ids parameter.

9.8
2022-02-14 CVE-2022-23389 Publiccms OS Command Injection vulnerability in Publiccms 4.0

PublicCMS v4.0 was discovered to contain a remote code execution (RCE) vulnerability via the cmdarray parameter.

9.8
2022-02-14 CVE-2022-23390 Diyhi Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS Forum

An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files.

9.8
2022-02-14 CVE-2022-23902 Tongda2000 SQL Injection vulnerability in Tongda2000 Tongda Office Anywhere 11.10

Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in export_data.php via the d_name parameter.

9.8
2022-02-14 CVE-2022-24206 Tongda2000 SQL Injection vulnerability in Tongda2000 Tongda Office Anywhere 11.10

Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in /mobile_seal/get_seal.php via the DEVICE_LIST parameter.

9.8
2022-02-14 CVE-2022-24988 Galois 2P8 Project Off-by-one Error vulnerability in Galois 2P8 Project Galois 2P8 0.1.0/0.1.1

In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-by-one buffer overflow for a vector.

9.8
2022-02-14 CVE-2021-45420 Emerson Exposure of Resource to Wrong Sphere vulnerability in Emerson Dixell Xweb-500 Firmware

Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi.

9.8
2022-02-14 CVE-2022-0570 Mruby Unspecified vulnerability in Mruby

Heap-based Buffer Overflow in Homebrew mruby prior to 3.2.

9.8
2022-02-14 CVE-2022-24977 Impresscms Path Traversal vulnerability in Impresscms

ImpressCMS before 1.4.2 allows unauthenticated remote code execution via ...../// directory traversal in origName or imageName, leading to unsafe interaction with the CKEditor processImage.php script.

9.8
2022-02-20 CVE-2022-0686 URL Parse Project Unspecified vulnerability in Url-Parse Project Url-Parse

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

9.1
2022-02-18 CVE-2021-46063 Mingsoft Code Injection vulnerability in Mingsoft Mcms 5.2.5

MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module.

9.1
2022-02-18 CVE-2021-26619 Bigfile Path Traversal vulnerability in Bigfile Bigfileagent

An path traversal vulnerability leading to delete arbitrary files was discovered in BigFileAgent.

9.1
2022-02-18 CVE-2022-0671 Redhat Server-Side Request Forgery (SSRF) vulnerability in Redhat Vscode-Xml

A flaw was found in vscode-xml in versions prior to 0.19.0.

9.1
2022-02-17 CVE-2022-0623 Mruby Unspecified vulnerability in Mruby

Out-of-bounds Read in Homebrew mruby prior to 3.2.

9.1
2022-02-16 CVE-2021-43302 Teluu
Debian
Read out-of-bounds in PJSUA API when calling pjsua_recorder_create.
9.1
2022-02-14 CVE-2022-24976 Atheme Improper Authentication vulnerability in Atheme

Atheme IRC Services before 7.2.12, when used in conjunction with InspIRCd, allows authentication bypass by ending an IRC handshake at a certain point during a challenge-response login sequence.

9.1

245 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-19 CVE-2022-23375 Wikidocs Unrestricted Upload of File with Dangerous Type vulnerability in Wikidocs 0.1.18

WikiDocs version 0.1.18 has an authenticated remote code execution vulnerability.

8.8
2022-02-19 CVE-2021-44302 Baicloud CMS Project SQL Injection vulnerability in Baicloud-Cms Project Baicloud-Cms 2.5.7

BaiCloud-cms v2.5.7 was discovered to contain multiple SQL injection vulnerabilities via the tongji and baidu_map parameters in /user/ztconfig.php.

8.8
2022-02-18 CVE-2022-23642 Sourcegraph Missing Authorization vulnerability in Sourcegraph

Sourcegraph is a code search and navigation engine.

8.8
2022-02-18 CVE-2022-23650 Gravitl Use of Hard-coded Credentials vulnerability in Gravitl Netmaker

Netmaker is a platform for creating and managing virtual overlay networks using WireGuard.

8.8
2022-02-18 CVE-2022-24046 Sonos Integer Underflow (Wrap or Wraparound) vulnerability in Sonos S1 and S2

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems).

8.8
2022-02-18 CVE-2022-24354 TP Link Unspecified vulnerability in Tp-Link Ac1750 Firmware 190726/201029/201030

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 prior to 1.1.4 Build 20211022 rel.59103(5553) routers.

8.8
2022-02-18 CVE-2022-24355 TP Link Out-of-bounds Write vulnerability in Tp-Link Tl-Wr940N Firmware 3.20.1/62111113.20.1/63.19.1

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers.

8.8
2022-02-18 CVE-2022-24356 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader Foxit reader 11.0.1.0719 macOS.

8.8
2022-02-18 CVE-2022-24357 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24358 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24359 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24360 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24361 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24362 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24363 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24364 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24365 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24366 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24367 Foxit Use After Free vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24369 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2022-24971 Foxit Out-of-bounds Read vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543.

8.8
2022-02-18 CVE-2020-25718 Samba
Fedoraproject
Missing Authorization vulnerability in multiple products

A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC (read-only domain controller).

8.8
2022-02-18 CVE-2020-25722 Samba
Debian
Fedoraproject
Canonical
Incorrect Authorization vulnerability in multiple products

Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data.

8.8
2022-02-18 CVE-2021-4093 Linux
Redhat
Fedoraproject
Canonical
Out-of-bounds Write vulnerability in multiple products

A flaw was found in the KVM's AMD code for supporting the Secure Encrypted Virtualization-Encrypted State (SEV-ES).

8.8
2022-02-18 CVE-2021-41599 Github Unspecified vulnerability in Github Enterprise Server

A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site.

8.8
2022-02-17 CVE-2021-44730 Canonical
Fedoraproject
Debian
Link Following vulnerability in multiple products

snapd 2.54.2 did not properly validate the location of the snap-confine binary.

8.8
2022-02-16 CVE-2022-24985 Jqueryform Unspecified vulnerability in Jqueryform

Forms generated by JQueryForm.com before 2022-02-05 allows a remote authenticated attacker to bypass authentication and access the administrative section of other forms hosted on the same web server.

8.8
2022-02-16 CVE-2022-23644 Joinbookwyrm Unspecified vulnerability in Joinbookwyrm Bookwyrm

BookWyrm is a decentralized social network for tracking reading habits and reviewing books.

8.8
2022-02-16 CVE-2021-39297 HP Unspecified vulnerability in HP products

Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution.

8.8
2022-02-16 CVE-2021-39298 HP Unspecified vulnerability in HP products

A potential vulnerability in AMD System Management Mode (SMM) interrupt handler may allow an attacker with high privileges to access the SMM resulting in arbitrary code execution which could be used by malicious actors to bypass security mechanisms provided in the UEFI firmware.

8.8
2022-02-16 CVE-2021-39299 HP Unspecified vulnerability in HP products

Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution.

8.8
2022-02-16 CVE-2021-39300 HP Unspecified vulnerability in HP products

Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution.

8.8
2022-02-16 CVE-2021-39301 HP Unspecified vulnerability in HP products

Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution.

8.8
2022-02-16 CVE-2022-24663 PHP Everywhere Project Code Injection vulnerability in PHP Everywhere Project PHP Everywhere

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.

8.8
2022-02-16 CVE-2022-24664 PHP Everywhere Project Code Injection vulnerability in PHP Everywhere Project PHP Everywhere

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit posts.

8.8
2022-02-16 CVE-2022-24665 PHP Everywhere Project Code Injection vulnerability in PHP Everywhere Project PHP Everywhere

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress gutenberg block by any user able to edit posts.

8.8
2022-02-16 CVE-2021-26726 Valmet Use of Insufficiently Random Values vulnerability in Valmet DNA 2012/2021

A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517, allows an attacker to execute commands with SYSTEM privileges This issue affects: Valmet DNA versions from Collection 2012 until Collection 2021.

8.8
2022-02-16 CVE-2022-25241 Filecloud Cross-Site Request Forgery (CSRF) vulnerability in Filecloud

In FileCloud before 21.3, the CSV user import functionality is vulnerable to Cross-Site Request Forgery (CSRF).

8.8
2022-02-16 CVE-2022-25242 Filecloud Cross-Site Request Forgery (CSRF) vulnerability in Filecloud

In FileCloud before 21.3, file upload is not protected against Cross-Site Request Forgery (CSRF).

8.8
2022-02-16 CVE-2022-0611 Snipeitapp Unspecified vulnerability in Snipeitapp Snipe-It

Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.

8.8
2022-02-15 CVE-2022-25173 Jenkins OS Command Injection vulnerability in Jenkins Pipeline: Groovy

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

8.8
2022-02-15 CVE-2022-25174 Jenkins OS Command Injection vulnerability in Jenkins Pipeline:Shared Groovy Libraries

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

8.8
2022-02-15 CVE-2022-25175 Jenkins OS Command Injection vulnerability in Jenkins Pipeline: Multibranch

Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

8.8
2022-02-15 CVE-2022-25181 Jenkins Unspecified vulnerability in Jenkins Pipeline:Shared Groovy Libraries

A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists.

8.8
2022-02-15 CVE-2022-25182 Jenkins Unspecified vulnerability in Jenkins Pipeline:Shared Groovy Libraries

A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller JVM using specially crafted library names if a global Pipeline library is already configured.

8.8
2022-02-15 CVE-2022-25183 Jenkins Unspecified vulnerability in Jenkins Pipeline:Shared Groovy Libraries

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists.

8.8
2022-02-15 CVE-2022-25192 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Snow Commander

A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Commander Plugin 1.10 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2022-02-15 CVE-2022-25194 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Autonomiq

A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL server using attacker-specified credentials.

8.8
2022-02-15 CVE-2022-25198 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins SCP Publisher 1.8

A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

8.8
2022-02-15 CVE-2022-25199 Jenkins Missing Authorization vulnerability in Jenkins SCP Publisher 1.8

A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

8.8
2022-02-15 CVE-2022-25200 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Checkmarx

A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2022-02-15 CVE-2022-25205 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Dbcharts 0.4/0.5.2

A cross-site request forgery (CSRF) vulnerability in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers to connect to an attacker-specified database via JDBC using attacker-specified credentials and to determine if a class is available in the Jenkins instance.

8.8
2022-02-15 CVE-2022-25206 Jenkins Missing Authorization vulnerability in Jenkins Dbcharts 0.4/0.5.2

A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials.

8.8
2022-02-15 CVE-2022-25207 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Chef Sinatra

A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

8.8
2022-02-15 CVE-2022-25208 Jenkins Missing Authorization vulnerability in Jenkins Chef Sinatra

A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

8.8
2022-02-15 CVE-2022-25209 Jenkins XXE vulnerability in Jenkins Chef Sinatra

Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.8
2022-02-15 CVE-2022-25211 Jenkins Missing Authorization vulnerability in Jenkins Swamp

A missing permission check in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server using attacker-specified credentials.

8.8
2022-02-15 CVE-2022-25212 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Swamp

A cross-site request forgery (CSRF) vulnerability in Jenkins SWAMP Plugin 1.2.6 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.

8.8
2022-02-15 CVE-2021-41552 Commscope Command Injection vulnerability in Commscope products

CommScope SURFboard SBG6950AC2 9.1.103AA23 devices allow Command Injection.

8.8
2022-02-15 CVE-2022-23384 Yzmcms Cross-Site Request Forgery (CSRF) vulnerability in Yzmcms 6.3

YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin.add

8.8
2022-02-14 CVE-2022-0580 Librenms Unspecified vulnerability in Librenms

Incorrect Authorization in Packagist librenms/librenms prior to 22.2.0.

8.8
2022-02-14 CVE-2019-16864 Enterprisedt Command Injection vulnerability in Enterprisedt Completeftp Server

CompleteFTPService.exe in the server in EnterpriseDT CompleteFTP before 12.1.4 allows Remote Code Execution by leveraging a Windows user account that has SSH access.

8.8
2022-02-14 CVE-2022-22854 Hospital S Patient Records Management System Project Missing Authorization vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0

An access control issue in hprms/admin/?page=user/list of Hospital Patient Record Management System v1.0 allows attackers to escalate privileges via accessing and editing the user list.

8.8
2022-02-14 CVE-2022-0190 Acnam Unspecified vulnerability in Acnam AD Invalid Click Protector

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.6 is affected by a SQL Injection in the id parameter of the delete action.

8.8
2022-02-18 CVE-2021-46037 Mingsoft Unspecified vulnerability in Mingsoft Mcms 5.2.4

MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do.

8.1
2022-02-18 CVE-2020-25717 Samba
Debian
Fedoraproject
Redhat
Canonical
Improper Input Validation vulnerability in multiple products

A flaw was found in the way Samba maps domain users to local users.

8.1
2022-02-16 CVE-2022-23636 Bytecodealliance Unspecified vulnerability in Bytecodealliance Wasmtime

Wasmtime is an open source runtime for WebAssembly & WASI.

8.1
2022-02-15 CVE-2022-23639 Crossbeam Project Unspecified vulnerability in Crossbeam Project Crossbeam

crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust.

8.1
2022-02-20 CVE-2022-25372 Pritunl Improper Privilege Management vulnerability in Pritunl Pritunl-Client-Electron

Pritunl Client through 1.2.3019.52 on Windows allows local privilege escalation, related to an ACL entry for CREATOR OWNER in platform_windows.go.

7.8
2022-02-20 CVE-2022-0685 VIM
Fedoraproject
Debian
Apple
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.
7.8
2022-02-19 CVE-2022-0409 Showdoc Unspecified vulnerability in Showdoc

Unrestricted Upload of File with Dangerous Type in Packagist showdoc/showdoc prior to 2.10.2.

7.8
2022-02-19 CVE-2022-25366 Cryptomator Untrusted Search Path vulnerability in Cryptomator

Cryptomator through 1.6.5 allows DYLIB injection because, although it has the flag 0x1000 for Hardened Runtime, it has the com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables entitlements.

7.8
2022-02-19 CVE-2022-25365 Docker Unspecified vulnerability in Docker

Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files.

7.8
2022-02-19 CVE-2021-45082 Cobbler Project
Suse
Opensuse
Fedoraproject
Command Injection vulnerability in multiple products

An issue was discovered in Cobbler before 3.3.1.

7.8
2022-02-18 CVE-2021-46562 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46563 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46564 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46565 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46566 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46567 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46568 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46569 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46570 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.16.0.80.

7.8
2022-02-18 CVE-2021-46571 Bentley Use After Free vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.16.0.80.

7.8
2022-02-18 CVE-2021-46572 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46573 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46574 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46575 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46576 Bentley Out-of-bounds Write vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46577 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46578 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46579 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46580 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46581 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46582 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46583 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46584 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46585 Bentley Out-of-bounds Write vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46586 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46587 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46588 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46590 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46591 Bentley Out-of-bounds Read vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46592 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46597 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46598 Bentley Out-of-bounds Write vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46601 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46603 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46604 Bentley Out-of-bounds Write vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46605 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46606 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46609 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46612 Bentley Out-of-bounds Read vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46613 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46614 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

Bentley MicroStation CONNECT 10.16.0.80 J2K File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability.

7.8
2022-02-18 CVE-2021-46617 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46619 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46621 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46622 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46625 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46626 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46627 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46631 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46633 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46634 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46635 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46636 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46638 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46639 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46640 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46641 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46643 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46644 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46645 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46646 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46647 Bentley Out-of-bounds Write vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46648 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

7.8
2022-02-18 CVE-2021-46652 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46653 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46655 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2021-46656 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75.

7.8
2022-02-18 CVE-2022-24048 Mariadb
Fedoraproject
MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability.
7.8
2022-02-18 CVE-2022-24050 Mariadb
Fedoraproject
MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability.
7.8
2022-02-18 CVE-2022-24051 Mariadb
Fedoraproject
MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability.
7.8
2022-02-18 CVE-2022-24052 Mariadb
Fedoraproject
MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability.
7.8
2022-02-18 CVE-2022-24056 Santesoft Unspecified vulnerability in Santesoft Dicom Viewer PRO 11.8.7

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 11.8.7.0.

7.8
2022-02-18 CVE-2022-24057 Santesoft Unspecified vulnerability in Santesoft Dicom Viewer PRO 11.8.7

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 11.8.7.0.

7.8
2022-02-18 CVE-2022-24058 Santesoft Unspecified vulnerability in Santesoft Dicom Viewer PRO 11.8.7

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 11.8.7.0.

7.8
2022-02-18 CVE-2022-24059 Santesoft Out-of-bounds Write vulnerability in Santesoft Dicom Viewer PRO 11.8.7

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 11.8.7.0.

7.8
2022-02-18 CVE-2022-24062 Santesoft Use After Free vulnerability in Santesoft Dicom Viewer PRO

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 13.2.0.21165.

7.8
2022-02-18 CVE-2022-24063 Santesoft Out-of-bounds Write vulnerability in Santesoft Dicom Viewer PRO

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 13.2.0.21165.

7.8
2022-02-18 CVE-2022-24064 Santesoft Unspecified vulnerability in Santesoft Dicom Viewer PRO 11.8.8

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro 11.8.8.0.

7.8
2022-02-18 CVE-2021-44968 Iobit Use After Free vulnerability in Iobit Advanced Systemcare 15

A Use after Free vulnerability exists in IOBit Advanced SystemCare 15 pro via requests sent in sequential order using the IOCTL driver codes, which could let a malicious user execute arbitrary code or a Denial of Service (system crash).

7.8
2022-02-18 CVE-2022-0646 Linux
Netapp
Use After Free vulnerability in multiple products

A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device.

7.8
2022-02-18 CVE-2020-8107 Bitdefender Unspecified vulnerability in Bitdefender Antivirus Plus, Internet Security and Total Security

A Process Control vulnerability in ProductAgentUI.exe as used in Bitdefender Antivirus Plus allows an attacker to tamper with product settings via a specially crafted DLL file.

7.8
2022-02-17 CVE-2021-44731 Canonical
Fedoraproject
Debian
Race Condition vulnerability in multiple products

A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap.

7.8
2022-02-17 CVE-2021-4120 Canonical
Fedoraproject
Improper Input Validation vulnerability in multiple products

snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement.

7.8
2022-02-17 CVE-2021-46368 Trigonesoft Unquoted Search Path or Element vulnerability in Trigonesoft Remote System Monitor 3.61

TRIGONE Remote System Monitor 3.61 is vulnerable to an unquoted path service allowing local users to launch processes with elevated privileges.

7.8
2022-02-17 CVE-2022-0629 VIM
Fedoraproject
Apple
Debian
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
7.8
2022-02-16 CVE-2022-25265 Linux
Netapp
Improper Control of Dynamically-Managed Code Resources vulnerability in multiple products

In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20).

7.8
2022-02-16 CVE-2021-3560 Polkit Project
Debian
Canonical
Redhat
Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products

It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user.

7.8
2022-02-16 CVE-2021-3578 Isync Project
Fedoraproject
Debian
Incorrect Type Conversion or Cast vulnerability in multiple products

A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response.

7.8
2022-02-16 CVE-2021-3760 Linux
Fedoraproject
Debian
Netapp
Use After Free vulnerability in multiple products

A flaw was found in the Linux kernel.

7.8
2022-02-16 CVE-2022-25255 QT Unspecified vulnerability in QT

In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.

7.8
2022-02-16 CVE-2020-6917 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50/8.7.50.3

Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.

7.8
2022-02-16 CVE-2020-6918 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50/8.7.50.3

Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.

7.8
2022-02-16 CVE-2020-6919 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50/8.7.50.3

Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.

7.8
2022-02-16 CVE-2020-6921 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50/8.7.50.3

Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.

7.8
2022-02-16 CVE-2020-6922 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50/8.7.50.3

Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.

7.8
2022-02-16 CVE-2021-21958 Hancom Out-of-bounds Write vulnerability in Hancom Office 2020 11.0.0.2353

A heap-based buffer overflow vulnerability exists in the Hword HwordApp.dll functionality of Hancom Office 2020 11.0.0.2353.

7.8
2022-02-16 CVE-2021-22042 Vmware Incorrect Authorization vulnerability in VMWare Cloud Foundation and Esxi

VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets.

7.8
2022-02-16 CVE-2021-3551 Dogtagpki
Fedoraproject
Oracle
Redhat
Cleartext Storage of Sensitive Information vulnerability in multiple products

A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file.

7.8
2022-02-16 CVE-2021-4106 Snowsoftware Unspecified vulnerability in Snowsoftware Snow Inventory Java Scanner 1.0

A vulnerability in Snow Inventory Java Scanner allows an attacker to run malicious code at a higher level of privileges.

7.8
2022-02-16 CVE-2022-22945 Vmware OS Command Injection vulnerability in VMWare Cloud Foundation and NSX Data Center

VMware NSX Edge contains a CLI shell injection vulnerability.

7.8
2022-02-16 CVE-2022-23188 Adobe Unspecified vulnerability in Adobe Illustrator

Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted malicious file, potentially resulting in arbitrary code execution in the context of the current user.

7.8
2022-02-16 CVE-2022-23203 Adobe Unspecified vulnerability in Adobe Photoshop

Adobe Photoshop versions 22.5.4 (and earlier) and 23.1 (and earlier) are affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user.

7.8
2022-02-16 CVE-2022-23803 Kicad
Fedoraproject
Debian
A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon ReadXYCoord coordinate parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010.
7.8
2022-02-16 CVE-2022-23804 Kicad
Fedoraproject
Debian
A stack-based buffer overflow vulnerability exists in the Gerber Viewer gerber and excellon ReadIJCoord coordinate parsing functionality of KiCad EDA 6.0.1 and master commit de006fc010.
7.8
2022-02-15 CVE-2021-42713 Splashtop Exposure of Resource to Wrong Sphere vulnerability in Splashtop 3.4.6.1

Splashtop Remote Client (Personal Edition) through 3.4.6.1 creates a Temporary File in a Directory with Insecure Permissions.

7.8
2022-02-15 CVE-2021-42714 Splashtop Exposure of Resource to Wrong Sphere vulnerability in Splashtop 3.4.8.3

Splashtop Remote Client (Business Edition) through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.

7.8
2022-02-15 CVE-2021-43050 Tibco Unspecified vulnerability in Tibco Businessconnect 1.1.0

The Auth Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Container Edition contains an easily exploitable vulnerability that allows an unauthenticated attacker with local access to obtain administrative usernames and passwords for the affected system.

7.8
2022-02-15 CVE-2021-42712 Splashtop Exposure of Resource to Wrong Sphere vulnerability in Splashtop Streamer 3.3.8.0

Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions.

7.8
2022-02-15 CVE-2021-43940 Atlassian Uncontrolled Search Path Element vulnerability in Atlassian Confluence Data Center

Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer.

7.8
2022-02-14 CVE-2022-23410 Axis Uncontrolled Search Path Element vulnerability in Axis IP Utility 4.17.0

AXIS IP Utility before 4.18.0 allows for remote code execution and local privilege escalation by the means of DLL hijacking.

7.8
2022-02-14 CVE-2022-25150 Malwarebytes Improper Privilege Management vulnerability in Malwarebytes Binisoft Windows Firewall Control

In Malwarebytes Binisoft Windows Firewall Control before 6.8.1.0, programs executed from the Tools tab can be used to escalate privileges.

7.8
2022-02-14 CVE-2021-45444 ZSH
Fedoraproject
Debian
Apple
In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument.
7.8
2022-02-14 CVE-2022-0572 VIM
Fedoraproject
Debian
Apple
Out-of-bounds Write vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

7.8
2022-02-19 CVE-2016-20013 Sha256Crypt Project
Sha512Crypt Project
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

7.5
2022-02-19 CVE-2022-24980 Kitodo Server-Side Request Forgery (SSRF) vulnerability in Kitodo Kitodo.Presentation 3.1.2

An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3.

7.5
2022-02-18 CVE-2017-0371 Mediawiki Unspecified vulnerability in Mediawiki

MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.28.x before 1.28.1 allows remote attackers to discover the IP addresses of Wiki visitors via a style="background-image: attr(title url);" attack within a DIV element that has an attacker-controlled URL in the title attribute.

7.5
2022-02-18 CVE-2022-23228 Pexip Allocation of Resources Without Limits or Throttling vulnerability in Pexip Infinity

Pexip Infinity before 27.0 has improper WebRTC input validation.

7.5
2022-02-18 CVE-2021-46082 Moxa Memory Leak vulnerability in Moxa products

Moxa TN-5900 v3.1 series routers, MGate 5109 v2.2 series protocol gateways, and MGate 5101-PBM-MN v2.1 series protocol gateways were discovered to contain a memory leak which allows attackers to cause a Denial of Service (DoS) via crafted packets.

7.5
2022-02-18 CVE-2021-38935 IBM Weak Password Requirements vulnerability in IBM Maximo Asset Management 7.6.1.2

IBM Maximo Asset Management 7.6.1.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

7.5
2022-02-18 CVE-2021-4091 Port389
Redhat
Double Free vulnerability in multiple products

A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches.

7.5
2022-02-18 CVE-2022-0138 Airspan Deserialization of Untrusted Data vulnerability in Airspan products

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 has a deserialization function that does not validate or check the data, allowing arbitrary classes to be created.

7.5
2022-02-18 CVE-2022-21176 Airspan SQL Injection vulnerability in Airspan products

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not properly sanitize user input, which may allow an attacker to perform a SQL injection and obtain sensitive information.

7.5
2022-02-18 CVE-2022-23982 Quadlayers Information Exposure vulnerability in Quadlayers Perfect Brands for Woocommerce

The vulnerability discovered in WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4) allows server information exposure.

7.5
2022-02-18 CVE-2022-25335 Rigoblock Incorrect Authorization vulnerability in Rigoblock Drago

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances.

7.5
2022-02-18 CVE-2022-0666 Microweber Unspecified vulnerability in Microweber

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.

7.5
2022-02-18 CVE-2022-25298 Webcc Project Path Traversal vulnerability in Webcc Project Webcc 0.2.0

This affects the package sprinfall/webcc before 0.3.0.

7.5
2022-02-18 CVE-2022-25299 Cesanta Files or Directories Accessible to External Parties vulnerability in Cesanta Mongoose

This affects the package cesanta/mongoose before 7.6.

7.5
2022-02-18 CVE-2022-0660 Microweber Unspecified vulnerability in Microweber

Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.

7.5
2022-02-18 CVE-2022-25314 Libexpat Project
Debian
Fedoraproject
Oracle
Siemens
Integer Overflow or Wraparound vulnerability in multiple products

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

7.5
2022-02-17 CVE-2022-22914 Ovidentia Path Traversal vulnerability in Ovidentia 6.0.0

An incorrect access control issue in the component FileManager of Ovidentia CMS 6.0 allows authenticated attackers to to view and download content in the upload directory via path traversal.

7.5
2022-02-17 CVE-2022-23646 Vercel Unspecified vulnerability in Vercel Next.Js

Next.js is a React framework.

7.5
2022-02-17 CVE-2021-46247 Asus Use of Hard-coded Credentials vulnerability in Asus Cmax6000 Firmware 1.02.00

The use of a hard-coded cryptographic key significantly increases the possibility encrypted data may be recovered from ASUS CMAX6000 v1.02.00.

7.5
2022-02-17 CVE-2021-39034 IBM Unspecified vulnerability in IBM MQ

IBM MQ 9.1 LTS is vulnerable to a denial of service attack caused by an issue within the channel process.

7.5
2022-02-17 CVE-2022-24683 Hashicorp Unspecified vulnerability in Hashicorp Nomad

HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.

7.5
2022-02-17 CVE-2022-20653 Cisco Unspecified vulnerability in Cisco Asyncos

A vulnerability in the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.5
2022-02-17 CVE-2022-20750 Cisco Improper Input Validation vulnerability in Cisco Redundancy Configuration Manager

A vulnerability in the checkpoint manager implementation of Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software could allow an unauthenticated, remote attacker to cause the checkpoint manager process to restart upon receipt of malformed TCP data.

7.5
2022-02-17 CVE-2022-23632 Traefik
Oracle
Traefik is an HTTP reverse proxy and load balancer.
7.5
2022-02-16 CVE-2022-25271 Drupal
Fedoraproject
Improper Input Validation vulnerability in multiple products

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation.

7.5
2022-02-16 CVE-2022-24983 Jqueryform Path Traversal vulnerability in Jqueryform

Forms generated by JQueryForm.com before 2022-02-05 allow remote attackers to obtain the URI to any uploaded file by capturing the POST response.

7.5
2022-02-16 CVE-2021-22043 Vmware Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in VMWare Esxi and Fusion

VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled.

7.5
2022-02-16 CVE-2021-22050 Vmware Allocation of Resources Without Limits or Throttling vulnerability in VMWare Esxi 6.5/6.7

ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy.

7.5
2022-02-16 CVE-2022-0513 Veronalabs SQL Injection vulnerability in Veronalabs WP Statistics

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4.

7.5
2022-02-16 CVE-2022-22792 Mobisoft Mobiplus Project Unspecified vulnerability in Mobisoft - Mobiplus Project Mobisoft - Mobiplus

MobiSoft - MobiPlus User Take Over and Improper Handling of url Parameters Attacker can navigate to specific url which will expose all the users and password in clear text.

7.5
2022-02-16 CVE-2021-45391 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn

A Buffer Overflow vulnerability exists in Tenda Router AX12 V22.03.01.21_CN in the sub_422CE4 function in the goform/setIPv6Status binary file /usr/sbin/httpd via the conType parameter, which causes a Denial of Service.

7.5
2022-02-15 CVE-2021-35380 Solari Path Traversal vulnerability in Solari Termtalk Server 3.24.0.2

A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download (http://url:port/file?valore).

7.5
2022-02-15 CVE-2022-21698 Prometheus
Fedoraproject
RDO Project
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

7.5
2022-02-15 CVE-2022-24226 Phpgurukul SQL Injection vulnerability in PHPgurukul Hospital Management System 4.0

Hospital Management System v4.0 was discovered to contain a blind SQL injection vulnerability via the register function in func2.php.

7.5
2022-02-15 CVE-2021-43734 Keking Path Traversal vulnerability in Keking Kkfileview 4.0.0

kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file leak on related host.

7.5
2022-02-15 CVE-2022-23317 Helpsystems Improper Authentication vulnerability in Helpsystems Cobalt Strike

CobaltStrike <=4.5 HTTP(S) listener does not determine whether the request URL begins with "/", and attackers can obtain relevant information by specifying the URL.

7.5
2022-02-14 CVE-2021-46462 F5 Unspecified vulnerability in F5 NJS

njs through 0.7.1, used in NGINX, was discovered to contain a segmentation violation via njs_object_set_prototype in /src/njs_object.c.

7.5
2022-02-14 CVE-2022-0581 Wireshark
Fedoraproject
Debian
Use After Free vulnerability in multiple products

Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

7.5
2022-02-14 CVE-2022-0583 Wireshark
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

7.5
2022-02-14 CVE-2022-0586 Wireshark
Fedoraproject
Debian
Infinite Loop vulnerability in multiple products

Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

7.5
2022-02-14 CVE-2019-25057 R3 Unspecified vulnerability in R3 Corda 4.0

In Corda before 4.1, the meaning of serialized data can be modified via an attacker-controlled CustomSerializer.

7.5
2022-02-14 CVE-2021-45348 Attendance Management System Project Unspecified vulnerability in Attendance Management System Project Attendance Management System 1.0

An Arbitrary File Deletion vulnerability exists in SourceCodester Attendance Management System v1.0 via the csv parameter in admin/pageUploadCSV.php, which can cause a Denial of Service (crash).

7.5
2022-02-14 CVE-2021-45347 Zzcms Improper Authentication vulnerability in Zzcms 8.2

An Incorrect Access Control vulnerability exists in zzcms 8.2, which lets a malicious user bypass authentication by changing the user name in the cookie to use any password.

7.5
2022-02-14 CVE-2021-45392 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn

A Buffer Overflow vulnerability exists in Tenda Router AX12 V22.03.01.21_CN in the sub_422CE4 function in page /goform/setIPv6Status via the prefixDelegate parameter, which causes a Denial of Service.

7.5
2022-02-14 CVE-2021-46371 Antd Admin Project Missing Authentication for Critical Function vulnerability in Antd-Admin Project Antd-Admin 5.5.0

antd-admin 5.5.0 is affected by an incorrect access control vulnerability.

7.5
2022-02-14 CVE-2021-45421 Emerson Information Exposure vulnerability in Emerson Dixell Xweb-500 Firmware

Emerson Dixell XWEB-500 products are affected by information disclosure via directory listing.

7.5
2022-02-14 CVE-2022-0214 Custom Popup Builder Project Improper Validation of Specified Quantity in Input vulnerability in Custom Popup Builder Project Custom Popup Builder

The Custom Popup Builder WordPress plugin before 1.3.1 autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog

7.5
2022-02-18 CVE-2021-20322 Linux
Fedoraproject
Debian
Netapp
Oracle
Use of Insufficiently Random Values vulnerability in multiple products

A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports.

7.4
2022-02-18 CVE-2020-25719 Samba
Debian
Fedoraproject
Canonical
Redhat
Race Condition vulnerability in multiple products

A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication.

7.2
2022-02-18 CVE-2020-8242 Expressionengine SQL Injection vulnerability in Expressionengine

Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection.

7.2
2022-02-15 CVE-2022-23604 X26 Cogs Project Unspecified vulnerability in X26-Cogs Project X26-Cogs

x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot.

7.2
2022-02-20 CVE-2021-45083 Cobbler Project
Fedoraproject
Incorrect Default Permissions vulnerability in multiple products

An issue was discovered in Cobbler before 3.3.1.

7.1
2022-02-19 CVE-2022-0630 Mruby Unspecified vulnerability in Mruby

Out-of-bounds Read in Homebrew mruby prior to 3.2.

7.1
2022-02-18 CVE-2021-46062 Mingsoft Unspecified vulnerability in Mingsoft Mcms 5.2.5

MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulnerability via the component oldFileName.

7.1
2022-02-18 CVE-2021-4090 Linux
Netapp
Out-of-bounds Write vulnerability in multiple products

An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel.

7.1
2022-02-17 CVE-2022-23318 Pcf2Bdf Project Out-of-bounds Write vulnerability in Pcf2Bdf Project Pcf2Bdf 1.04/1.05

A heap-buffer-overflow in pcf2bdf, versions >= 1.05 allows an attacker to trigger unsafe memory access via a specially crafted PCF font file.

7.1
2022-02-16 CVE-2021-3752 Linux
Redhat
Fedoraproject
Netapp
Debian
Oracle
Race Condition vulnerability in multiple products

A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition.

7.1
2022-02-16 CVE-2022-23202 Adobe Unspecified vulnerability in Adobe Creative Cloud Desktop Application 2.4/2.5/2.7.0.13

Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user.

7.0

187 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-16 CVE-2021-22040 Vmware Use After Free vulnerability in VMWare products

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller.

6.7
2022-02-16 CVE-2021-22041 Vmware Unspecified vulnerability in VMWare products

VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller.

6.7
2022-02-20 CVE-2021-46701 Premid Origin Validation Error vulnerability in Premid 2.2.0

PreMiD 2.2.0 allows unintended access via the websocket transport.

6.5
2022-02-20 CVE-2021-45007 Plesk Cross-Site Request Forgery (CSRF) vulnerability in Plesk 18.0.37

Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel.

6.5
2022-02-19 CVE-2021-46700 Libsixel Project Double Free vulnerability in Libsixel Project Libsixel 1.8.6

In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free.

6.5
2022-02-18 CVE-2021-40841 Liveconfig Path Traversal vulnerability in Liveconfig

A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 allows authenticated attackers to read files on the underlying server.

6.5
2022-02-18 CVE-2022-24368 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader 11.1.0.52543.

6.5
2022-02-18 CVE-2022-24370 Foxit Unspecified vulnerability in Foxit PDF Editor and PDF Reader

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader Foxit reader 11.0.1.0719 macOS.

6.5
2022-02-18 CVE-2021-3930 Qemu
Redhat
Debian
Off-by-one Error vulnerability in multiple products

An off-by-one error was found in the SCSI device emulation in QEMU.

6.5
2022-02-18 CVE-2022-0585 Wireshark
Fedoraproject
Debian
Excessive Iteration vulnerability in multiple products

Large loops in multiple protocol dissectors in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allow denial of service via packet injection or crafted capture file

6.5
2022-02-18 CVE-2022-0673 Eclipse Path Traversal vulnerability in Eclipse Lemminx

A flaw was found in LemMinX in versions prior to 0.19.0.

6.5
2022-02-18 CVE-2022-21800 Airspan Inadequate Encryption Strength vulnerability in Airspan products

MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 uses the MD5 algorithm to hash the passwords before storing them but does not salt the hash.

6.5
2022-02-18 CVE-2022-0451 Dart Incorrect Authorization vulnerability in Dart Software Development KIT

Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects.

6.5
2022-02-18 CVE-2022-25313 Libexpat Project
Debian
Fedoraproject
Oracle
Siemens
Uncontrolled Recursion vulnerability in multiple products

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

6.5
2022-02-17 CVE-2022-0633 Updraftplus Incorrect Authorization vulnerability in Updraftplus

The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.

6.5
2022-02-17 CVE-2022-25270 Drupal Incorrect Authorization vulnerability in Drupal

The Quick Edit module does not properly check entity access in some circumstances.

6.5
2022-02-16 CVE-2022-24982 Jqueryform Insufficiently Protected Credentials vulnerability in Jqueryform

Forms generated by JQueryForm.com before 2022-02-05 allows a remote authenticated attacker to access the cleartext credentials of all other form users.

6.5
2022-02-16 CVE-2019-4291 IBM Inadequate Encryption Strength vulnerability in IBM Maximo Anywhere 7.6.4.0

IBM Maximo Anywhere 7.6.4.0 could allow an attacker to reverse engineer the application due to the lack of binary protection precautions.

6.5
2022-02-16 CVE-2021-3557 Argoproj
Redhat
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

A flaw was found in argocd.

6.5
2022-02-16 CVE-2022-0613 URI JS Project
Fedoraproject
Authorization Bypass Through User-Controlled Key vulnerability in multiple products

Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.

6.5
2022-02-15 CVE-2021-46249 Scratchoauth2 Project Authorization Bypass Through User-Controlled Key vulnerability in Scratchoauth2 Project Scratchoauth2

An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps.

6.5
2022-02-15 CVE-2021-46252 Scratch Wiki Cross-Site Request Forgery (CSRF) vulnerability in Scratch-Wiki Scratch Confirmaccount V3

A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.

6.5
2022-02-15 CVE-2022-23643 Sourcegraph Information Exposure Through Discrepancy vulnerability in Sourcegraph

Sourcegraph is a code search and navigation engine.

6.5
2022-02-15 CVE-2022-23641 Discourse Infinite Loop vulnerability in Discourse

Discourse is an open source discussion platform.

6.5
2022-02-15 CVE-2022-25176 Jenkins Link Following vulnerability in Jenkins Pipeline: Groovy

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

6.5
2022-02-15 CVE-2022-25177 Jenkins Link Following vulnerability in Jenkins Pipeline:Shared Groovy Libraries

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

6.5
2022-02-15 CVE-2022-25178 Jenkins Path Traversal vulnerability in Jenkins Pipeline:Shared Groovy Libraries

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.

6.5
2022-02-15 CVE-2022-25179 Jenkins Link Following vulnerability in Jenkins Pipeline: Multibranch

Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.

6.5
2022-02-15 CVE-2022-25184 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Pipeline: Build Step

Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.

6.5
2022-02-15 CVE-2022-25186 Jenkins Unspecified vulnerability in Jenkins Hashicorp Vault

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

6.5
2022-02-15 CVE-2022-25187 Jenkins Improper Cross-boundary Removal of Sensitive Data vulnerability in Jenkins Support Core

Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle.

6.5
2022-02-15 CVE-2022-25193 Jenkins Missing Authorization vulnerability in Jenkins Snow Commander

Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-02-15 CVE-2022-25197 Jenkins Unspecified vulnerability in Jenkins Hashicorp Vault

Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

6.5
2022-02-15 CVE-2022-25201 Jenkins Missing Authorization vulnerability in Jenkins Checkmarx

Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-02-15 CVE-2022-25210 Jenkins Improper Synchronization vulnerability in Jenkins Convertigo Mobile Platform 1.0/1.1

Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.

6.5
2022-02-15 CVE-2021-44960 Svgpp NULL Pointer Dereference vulnerability in Svgpp 1.3.0

In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the renderDocument function handled the XMLDocument object improperly, returning a null pointer in advance at the second if, resulting in a null pointer reference behind the renderDocument function.

6.5
2022-02-15 CVE-2022-24684 Hashicorp Unspecified vulnerability in Hashicorp Nomad

HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents.

6.5
2022-02-15 CVE-2022-0587 Librenms Unspecified vulnerability in Librenms

Improper Authorization in Packagist librenms/librenms prior to 22.2.0.

6.5
2022-02-15 CVE-2022-0588 Librenms Unspecified vulnerability in Librenms

Missing Authorization in Packagist librenms/librenms prior to 22.2.0.

6.5
2022-02-15 CVE-2021-43941 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Jira Data Center and Jira Server

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin.

6.5
2022-02-14 CVE-2022-0579 Snipeitapp Unspecified vulnerability in Snipeitapp Snipe-It

Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9.

6.5
2022-02-14 CVE-2021-39080 IBM Unspecified vulnerability in IBM Cognos Analytics Mobile

Due to weak obfuscation, IBM Cognos Analytics Mobile for Android application prior to version 1.1.14 , an attacker could be able to reverse engineer the codebase to gain knowledge about the programming technique, interface, class definitions, algorithms and functions used.

6.5
2022-02-14 CVE-2022-24110 Accellion Unspecified vulnerability in Accellion Managed File Transfer

Kiteworks MFT 7.5 may allow an unauthorized user to reset other users' passwords.

6.5
2022-02-14 CVE-2021-25115 WP Photo Album Plus Project Unspecified vulnerability in WP Photo Album Plus Project WP Photo Album Plus

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS).

6.4
2022-02-14 CVE-2022-0565 Pimcore Unspecified vulnerability in Pimcore

Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1.

6.4
2022-02-18 CVE-2021-3948 Konveyor
Redhat
Incorrect Default Permissions vulnerability in multiple products

An incorrect default permissions vulnerability was found in the mig-controller.

6.3
2022-02-20 CVE-2022-22126 Nasa Unspecified vulnerability in Nasa Openmct

Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Web Page” element, that allows the injection of malicious JavaScript into the ‘URL’ field.

6.1
2022-02-20 CVE-2022-23053 Nasa Unspecified vulnerability in Nasa Openmct

Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Condition Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field.

6.1
2022-02-20 CVE-2022-23054 Nasa Unspecified vulnerability in Nasa Openmct

Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the “Summary Widget” element, that allows the injection of malicious JavaScript into the ‘URL’ field.

6.1
2022-02-19 CVE-2022-0690 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

6.1
2022-02-19 CVE-2022-23376 Wikidocs Cross-site Scripting vulnerability in Wikidocs 0.1.18

WikiDocs version 0.1.18 has multiple reflected XSS vulnerabilities on different pages.

6.1
2022-02-19 CVE-2022-0678 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

6.1
2022-02-19 CVE-2022-25256 SAS Cross-site Scripting vulnerability in SAS web Report Studio 4.4

SAS Web Report Studio 4.4 allows XSS.

6.1
2022-02-18 CVE-2021-20315 Gnome
Centos
Improper Locking vulnerability in multiple products

A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the "Application menu" or "Window list" GNOME extensions are enabled.

6.1
2022-02-18 CVE-2021-30650 Broadcom Cross-site Scripting vulnerability in Broadcom Layer7 API Management Oauth Toolkit 4.4

A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote attacker to craft a malicious URL for the OTK web UI and target OTK users with phishing attacks or other social engineering techniques.

6.1
2022-02-18 CVE-2022-25323 Zerof Cross-site Scripting vulnerability in Zerof web Server 2.0

ZEROF Web Server 2.0 allows /admin.back XSS.

6.1
2022-02-18 CVE-2022-23647 Prismjs Unspecified vulnerability in Prismjs Prism

Prism is a syntax highlighting library.

6.1
2022-02-18 CVE-2022-25317 Cerebrate Project Cross-site Scripting vulnerability in Cerebrate-Project Cerebrate

An issue was discovered in Cerebrate through 1.4.

6.1
2022-02-18 CVE-2022-25321 Cerebrate Project Cross-site Scripting vulnerability in Cerebrate-Project Cerebrate

An issue was discovered in Cerebrate through 1.4.

6.1
2022-02-17 CVE-2014-8597 PHP Fusion Cross-site Scripting vulnerability in PHP-Fusion PHPfusion 7.02.07

A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel.

6.1
2022-02-17 CVE-2022-20659 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.

6.1
2022-02-16 CVE-2022-24981 Jqueryform Cross-site Scripting vulnerability in Jqueryform

A reflected cross-site scripting (XSS) vulnerability in forms generated by JQueryForm.com before 2022-02-05 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to admin.php.

6.1
2022-02-15 CVE-2021-46251 Scratchoauth2 Project Cross-site Scripting vulnerability in Scratchoauth2 Project Scratchoauth2

A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

6.1
2022-02-15 CVE-2022-24589 Burden Project Cross-site Scripting vulnerability in Burden Project Burden 3.0

Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function.

6.1
2022-02-15 CVE-2022-24227 Boltwire Cross-site Scripting vulnerability in Boltwire 7.10/8.00

A cross-site scripting (XSS) vulnerability in BoltWire v7.10 and v 8.00 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the name and lastname parameters.

6.1
2022-02-15 CVE-2022-0597 Microweber Unspecified vulnerability in Microweber

Open Redirect in Packagist microweber/microweber prior to 1.2.11.

6.1
2022-02-14 CVE-2022-23391 Pybbs Project Cross-site Scripting vulnerability in Pybbs Project Pybbs 6.0

A cross-site scripting (XSS) vulnerability in Pybbs v6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Search box.

6.1
2022-02-14 CVE-2022-23638 SVG Sanitizer Project Unspecified vulnerability in Svg-Sanitizer Project Svg-Sanitizer

svg-sanitizer is a SVG/XML sanitizer written in PHP.

6.1
2022-02-14 CVE-2021-43106 Compassplus Improper Encoding or Escaping of Output vulnerability in Compassplus products

A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause the application to behave in unexpected ways.

6.1
2022-02-14 CVE-2022-23367 Fulusso Project Cross-site Scripting vulnerability in Fulusso Project Fulusso 1.1

Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js.

6.1
2022-02-14 CVE-2021-24874 Brevo Unspecified vulnerability in Brevo Newsletter, Smtp, Email Marketing and Subscribe

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

6.1
2022-02-14 CVE-2021-25033 Noptin Unspecified vulnerability in Noptin

The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue

6.1
2022-02-14 CVE-2021-25107 Accesspressthemes Unspecified vulnerability in Accesspressthemes Form Store to DB

The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin

6.1
2022-02-14 CVE-2022-0176 Wpbeaveraddons Unspecified vulnerability in Wpbeaveraddons Powerpack Lite for Beaver Builder

The PowerPack Lite for Beaver Builder WordPress plugin before 1.2.9.3 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

6.1
2022-02-14 CVE-2022-0193 Really Simple Plugins Unspecified vulnerability in Really-Simple-Plugins Complianz

The Complianz WordPress plugin before 6.0.0 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

6.1
2022-02-14 CVE-2022-0201 Permalink Manager Lite Project
Permalink Manager Project
The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue
6.1
2022-02-14 CVE-2022-0206 Newstatpress Project Unspecified vulnerability in Newstatpress Project Newstatpress

The NewStatPress WordPress plugin before 1.3.6 does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

6.1
2022-02-14 CVE-2022-0208 Mappresspro Unspecified vulnerability in Mappresspro Mappress

The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting

6.1
2022-02-14 CVE-2022-0212 10Web Unspecified vulnerability in 10Web Spidercalendar

The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue.

6.1
2022-02-14 CVE-2022-0571 Phoronix Media
Fedoraproject
Cross-site Scripting (XSS) - Reflected in GitHub repository phoronix-test-suite/phoronix-test-suite prior to 10.8.2.
6.1
2022-02-14 CVE-2022-0576 Librenms Unspecified vulnerability in Librenms

Cross-site Scripting (XSS) - Generic in Packagist librenms/librenms prior to 22.1.0.

6.1
2022-02-20 CVE-2021-45081 Cobbler Project Cleartext Transmission of Sensitive Information vulnerability in Cobbler Project Cobbler

An issue was discovered in Cobbler through 3.3.1.

5.9
2022-02-18 CVE-2016-2124 Samba
Debian
Fedoraproject
Redhat
Canonical
Improper Authentication vulnerability in multiple products

A flaw was found in the way samba implemented SMB1 authentication.

5.9
2022-02-18 CVE-2021-39026 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Guardium Data Encryption 5.0.0.2/5.0.0.3

IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

5.9
2022-02-14 CVE-2022-24686 Hashicorp Race Condition vulnerability in Hashicorp Nomad

HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5 artifact download functionality has a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination.

5.9
2022-02-20 CVE-2022-25375 Linux
Debian
Improper Validation of Specified Quantity in Input vulnerability in multiple products

An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10.

5.5
2022-02-19 CVE-2022-0632 Mruby Unspecified vulnerability in Mruby

NULL Pointer Dereference in Homebrew mruby prior to 3.2.

5.5
2022-02-18 CVE-2022-23645 Swtpm Project
Redhat
Fedoraproject
swtpm is a libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.
5.5
2022-02-18 CVE-2021-46589 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46593 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46594 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46595 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46596 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46610 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46611 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46615 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46616 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46618 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46620 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46623 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2021-46624 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2021-46628 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2021-46629 Bentley Out-of-bounds Read vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2021-46630 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2021-46632 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2021-46637 Bentley Out-of-bounds Read vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46642 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2021-46649 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46650 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46651 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

5.5
2022-02-18 CVE-2021-46654 Bentley Unspecified vulnerability in Bentley Microstation and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley View 10.15.0.75.

5.5
2022-02-18 CVE-2022-24055 Santesoft Unspecified vulnerability in Santesoft Dicom Viewer PRO 11.8.7

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Sante DICOM Viewer Pro 11.8.7.0.

5.5
2022-02-18 CVE-2022-24060 Santesoft Unspecified vulnerability in Santesoft Dicom Viewer PRO 11.8.7

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Sante DICOM Viewer Pro 11.8.7.0.

5.5
2022-02-18 CVE-2022-24061 Santesoft Unspecified vulnerability in Santesoft Dicom Viewer PRO 11.8.7

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Sante DICOM Viewer Pro 11.8.7.0.

5.5
2022-02-18 CVE-2021-20320 Linux
Fedoraproject
Redhat
A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf_jit_comp.c in the Linux kernel.
5.5
2022-02-18 CVE-2021-3947 Qemu Out-of-bounds Read vulnerability in Qemu 6.0.0/6.1.0/6.2.0

A stack-buffer-overflow was found in QEMU in the NVME component.

5.5
2022-02-18 CVE-2022-0672 Eclipse Information Exposure vulnerability in Eclipse Lemminx

A flaw was found in LemMinX in versions prior to 0.19.0.

5.5
2022-02-17 CVE-2021-3155 Canonical Incorrect Default Permissions vulnerability in Canonical Snapd

snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions.

5.5
2022-02-17 CVE-2022-23319 Pcf2Bdf Project Improper Validation of Specified Quantity in Input vulnerability in Pcf2Bdf Project Pcf2Bdf 1.04/1.05

A segmentation fault during PCF file parsing in pcf2bdf versions >=1.05 allows an attacker to trigger a program crash via a specially crafted PCF font file.

5.5
2022-02-17 CVE-2022-22899 Coreftp Out-of-bounds Write vulnerability in Coreftp Core FTP 2.0

Core FTP / SFTP Server v2 Build 725 was discovered to allow unauthenticated attackers to cause a Denial of Service (DoS) via a crafted packet through the SSH service.

5.5
2022-02-17 CVE-2022-22901 Jerryscript Reachable Assertion vulnerability in Jerryscript

There is an Assertion in 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at parser_parse_function_arguments in /js/js-parser.c of JerryScript commit a6ab5e9.

5.5
2022-02-16 CVE-2020-6920 HP Unspecified vulnerability in HP Support Assistant 8.1.40.3/8.7.50/8.7.50.3

Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software.

5.5
2022-02-16 CVE-2022-0617 Linux
Debian
NULL Pointer Dereference vulnerability in multiple products

A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image.

5.5
2022-02-16 CVE-2022-0614 Mruby Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mruby

Use of Out-of-range Pointer Offset in Homebrew mruby prior to 3.2.

5.5
2022-02-14 CVE-2021-44879 Linux NULL Pointer Dereference vulnerability in Linux Kernel

In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.

5.5
2022-02-18 CVE-2021-40840 Liveconfig Cross-site Scripting vulnerability in Liveconfig 2.12.2

A Stored XSS issue exists in the admin/users user administration form in LiveConfig 2.12.2.

5.4
2022-02-18 CVE-2021-46372 Erudika Cross-site Scripting vulnerability in Erudika Scoold 1.47.2

Scoold 1.47.2 is a Q&A/knowledge base platform written in Java.

5.4
2022-02-18 CVE-2021-46108 Dlink Cross-site Scripting vulnerability in Dlink Dsl-2730E Firmware Ct20131125

D-Link DSL-2730E CT-20131125 devices allow XSS via the username parameter to the password page in the maintenance configuration.

5.4
2022-02-16 CVE-2022-22853 Hospital S Patient Records Management System Project Cross-site Scripting vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0

A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the Name field.

5.4
2022-02-16 CVE-2022-0612 Livehelperchat Unspecified vulnerability in Livehelperchat Live Helper Chat

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

5.4
2022-02-15 CVE-2022-25185 Jenkins Cross-site Scripting vulnerability in Jenkins Generic Webhook Trigger

Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build cause when using the webhook, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-02-15 CVE-2022-25189 Jenkins Cross-site Scripting vulnerability in Jenkins Custom Checkbox Parameter 1.0/1.1

Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter names of custom checkbox parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-02-15 CVE-2022-25191 Jenkins Cross-site Scripting vulnerability in Jenkins Agent Server Parameter 1.0

Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-02-15 CVE-2022-25196 Jenkins Open Redirect vulnerability in Jenkins Gitlab Authentication

Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in.

5.4
2022-02-15 CVE-2022-25203 Jenkins Cross-site Scripting vulnerability in Jenkins Team Views 0.9.0

Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Read permission.

5.4
2022-02-15 CVE-2022-25204 Jenkins Unspecified vulnerability in Jenkins Doktor

Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists.

5.4
2022-02-15 CVE-2022-24585 Pluxml Cross-site Scripting vulnerability in Pluxml 5.8.7

A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.

5.4
2022-02-15 CVE-2022-24587 Pluxml Cross-site Scripting vulnerability in Pluxml 5.8.7

A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.

5.4
2022-02-15 CVE-2022-24588 Flatpress Cross-site Scripting vulnerability in Flatpress 1.2.1

Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function.

5.4
2022-02-15 CVE-2022-24590 Backdropcms Cross-site Scripting vulnerability in Backdropcms Backdrop 1.21.1

A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML.

5.4
2022-02-15 CVE-2022-24586 Pluxml Cross-site Scripting vulnerability in Pluxml 5.8.7

A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.

5.4
2022-02-15 CVE-2021-46557 Vicidial Cross-site Scripting vulnerability in Vicidial 2.14783A

Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs.

5.4
2022-02-15 CVE-2021-46558 Issabel Cross-site Scripting vulnerability in Issabel PBX 20200102

Multiple cross-site scripting (XSS) vulnerabilities in the Add User module of Issabel PBX 20200102 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the username and password fields.

5.4
2022-02-15 CVE-2022-0589 Librenms Unspecified vulnerability in Librenms

Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms prior to 22.1.0.

5.4
2022-02-14 CVE-2022-23637 K Link Cross-site Scripting vulnerability in K-Link K-Box

K-Box is a web-based application to manage documents, images, videos and geodata.

5.4
2022-02-14 CVE-2021-39079 IBM Cross-site Scripting vulnerability in IBM Cognos Analytics Mobile

IBM Cognos Analytics Mobile for Android applications prior to version 1.1.14 is vulnerable to cross-site scripting.

5.4
2022-02-14 CVE-2021-24446 Wpchill Unspecified vulnerability in Wpchill Remove Footer Credit

The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation

5.4
2022-02-14 CVE-2021-25018 Najeebmedia Unspecified vulnerability in Najeebmedia Ppom for Woocommerce

The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings.

5.4
2022-02-14 CVE-2022-0200 Themify Unspecified vulnerability in Themify Portfolio Post 1.1.6

Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting

5.4
2022-02-14 CVE-2022-0575 Librenms Unspecified vulnerability in Librenms

Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms prior to 22.2.0.

5.4
2022-02-19 CVE-2022-0689 Microweber Unspecified vulnerability in Microweber

Use multiple time the one-time coupon in Packagist microweber/microweber prior to 1.2.11.

5.3
2022-02-19 CVE-2022-24979 Mittwald Authorization Bypass Through User-Controlled Key vulnerability in Mittwald Varnishcache

An issue was discovered in the Varnishcache extension before 2.0.1 for TYPO3.

5.3
2022-02-18 CVE-2022-25358 Awful Salmonella TAR Project Path Traversal vulnerability in Awful-Salmonella-Tar Project Awful-Salmonella-Tar 0.0.2/0.0.3

A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before 0.0.4.

5.3
2022-02-18 CVE-2022-25336 Ibexa Authorization Bypass Through User-Controlled Key vulnerability in Ibexa EZ Platform Kernel

Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows Insecure Direct Object Reference (IDOR) attacks against image files because the image path and filename can be correctly deduced.

5.3
2022-02-18 CVE-2022-25319 Cerebrate Project Unspecified vulnerability in Cerebrate-Project Cerebrate

An issue was discovered in Cerebrate through 1.4.

5.3
2022-02-18 CVE-2022-25320 Cerebrate Project Unspecified vulnerability in Cerebrate-Project Cerebrate

An issue was discovered in Cerebrate through 1.4.

5.3
2022-02-17 CVE-2022-0639 URL Parse Project Unspecified vulnerability in Url-Parse Project Url-Parse

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.

5.3
2022-02-17 CVE-2022-24953 Pear Argument Injection or Modification vulnerability in Pear Crypt GPG

The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions.

5.3
2022-02-17 CVE-2022-0622 Snipeitapp Unspecified vulnerability in Snipeitapp Snipe-It

Generation of Error Message Containing Sensitive Information in Packagist snipe/snipe-it prior to 5.3.11.

5.3
2022-02-16 CVE-2021-21966 TI Use of Uninitialized Resource vulnerability in TI products

An information disclosure vulnerability exists in the HTTP Server /ping.html functionality of Texas Instruments CC3200 SimpleLink Solution NWP 2.9.0.0.

5.3
2022-02-14 CVE-2021-45310 Sangoma Information Exposure vulnerability in Sangoma Switchvox 102409

Sangoma Technologies Corporation Switchvox Version 102409 is affected by an information disclosure vulnerability due to an improper access restriction.

5.3
2022-02-14 CVE-2022-0512 URL Parse Project Unspecified vulnerability in Url-Parse Project Url-Parse

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.

5.3
2022-02-14 CVE-2022-0188 Niteothemes Missing Authentication for Critical Function vulnerability in Niteothemes CMP

The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout.

5.3
2022-02-20 CVE-2022-0688 Microweber Unspecified vulnerability in Microweber

Business Logic Errors in Packagist microweber/microweber prior to 1.2.11.

4.9
2022-02-16 CVE-2021-4134 Radykal SQL Injection vulnerability in Radykal Fancy Product Designer

The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.

4.9
2022-02-15 CVE-2022-25202 Jenkins Cross-site Scripting vulnerability in Jenkins Promoted Builds (Simple) 1.7/1.8/1.9

Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name of custom promotion levels, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

4.8
2022-02-14 CVE-2021-24904 Lenderd Unspecified vulnerability in Lenderd Mortgage Calculators WP

The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-02-14 CVE-2021-25050 Wpchill Unspecified vulnerability in Wpchill Remove Footer Credit

The Remove Footer Credit WordPress plugin before 1.0.11 does properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

4.8
2022-02-18 CVE-2021-20321 Linux
Redhat
Debian
Race Condition vulnerability in multiple products

A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS.

4.7
2022-02-16 CVE-2021-3753 Linux
Redhat
Netapp
A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by lock-in vt_ioctl (KDSETMDE).
4.7
2022-02-16 CVE-2022-25258 Linux
Fedoraproject
Debian
Netapp
NULL Pointer Dereference vulnerability in multiple products

An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10.

4.6
2022-02-16 CVE-2019-4351 IBM Unspecified vulnerability in IBM Maximo Anywhere 7.6.4.0

IBM Maximo Anywhere 7.6.4.0 applications could disclose sensitive information to a user with physical access to the device.

4.6
2022-02-18 CVE-2022-23981 Quadlayers Unspecified vulnerability in Quadlayers Perfect Brands for Woocommerce

The vulnerability allows Subscriber+ level users to create brands in WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4).

4.3
2022-02-18 CVE-2022-25318 Cerebrate Project Incorrect Authorization vulnerability in Cerebrate-Project Cerebrate

An issue was discovered in Cerebrate through 1.4.

4.3
2022-02-17 CVE-2022-0638 Microweber Unspecified vulnerability in Microweber

Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.

4.3
2022-02-15 CVE-2022-25180 Jenkins Cleartext Transmission of Sensitive Information vulnerability in Jenkins Pipeline: Groovy

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.

4.3
2022-02-15 CVE-2022-25188 Jenkins Path Traversal vulnerability in Jenkins Fortify

Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker.

4.3
2022-02-15 CVE-2022-25190 Jenkins Missing Authorization vulnerability in Jenkins Conjur Secrets

A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.3
2022-02-15 CVE-2022-25195 Jenkins Missing Authorization vulnerability in Jenkins Autonomiq

A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

4.3
2022-02-15 CVE-2022-0596 Microweber Unspecified vulnerability in Microweber

Improper Validation of Specified Quantity in Input in Packagist microweber/microweber prior to 1.2.11.

4.3
2022-02-15 CVE-2021-43948 Atlassian Unspecified vulnerability in Atlassian Jira Service Management

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature.

4.3
2022-02-15 CVE-2021-43950 Atlassian Unspecified vulnerability in Atlassian Jira Service Management

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature.

4.3
2022-02-15 CVE-2021-43953 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Data Center and Jira

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint.

4.3
2022-02-15 CVE-2021-43952 Atlassian Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Jira Server

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint.

4.3
2022-02-14 CVE-2021-45346 Sqlite
Netapp
Memory Leak vulnerability in multiple products

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information.

4.3
2022-02-14 CVE-2021-25110 Futuriowp Unspecified vulnerability in Futuriowp Futurio Extra

The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user's email address.

4.3
2022-02-14 CVE-2022-0569 Snipeitapp Unspecified vulnerability in Snipeitapp Snipe-It

Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9.

4.3

9 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-02-14 CVE-2021-25014 Vowelweb Unspecified vulnerability in Vowelweb Ibtana

The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue.

3.5
2022-02-18 CVE-2022-23649 Sigstore Unspecified vulnerability in Sigstore Cosign

Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project.

3.3
2022-02-18 CVE-2021-46599 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

3.3
2022-02-18 CVE-2021-46600 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

3.3
2022-02-18 CVE-2021-46602 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

3.3
2022-02-18 CVE-2021-46607 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

3.3
2022-02-18 CVE-2021-46608 Bentley Unspecified vulnerability in Bentley Microstation, Microstation Connect and View

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80.

3.3
2022-02-14 CVE-2021-25109 Futuriowp SQL Injection vulnerability in Futuriowp Futurio Extra

The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link.

2.7
2022-02-16 CVE-2019-4352 IBM Unspecified vulnerability in IBM Maximo Anywhere 7.6.4.0

IBM Maximo Anywhere 7.6.4.0 applications could allow obfuscation of the application source code.

2.4