Weekly Vulnerabilities Reports > February 21 to 27, 2022
Overview
338 new vulnerabilities reported during this period, including 73 critical vulnerabilities and 112 high severity vulnerabilities. This weekly summary report vulnerabilities in 402 products from 169 vendors including Jetbrains, Fedoraproject, Huawei, Debian, and Totolink. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "OS Command Injection", "SQL Injection", and "Integer Overflow or Wraparound".
- 271 reported vulnerabilities are remotely exploitables.
- 8 reported vulnerabilities have public exploit available.
- 110 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 212 reported vulnerabilities are exploitable by an anonymous user.
- Jetbrains has the most reported vulnerabilities, with 29 reported vulnerabilities.
- Huawei has the most reported critical vulnerabilities, with 11 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
73 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-25 | CVE-2021-42952 | Zepl | Unspecified vulnerability in Zepl Zepl Notebooks before 2021-10-25 are affected by a sandbox escape vulnerability. | 9.9 |
2022-02-27 | CVE-2021-21708 | PHP | Use After Free vulnerability in PHP In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. | 9.8 |
2022-02-26 | CVE-2022-21706 | Zulip | Unspecified vulnerability in Zulip Server Zulip is an open-source team collaboration tool with topic-based threading. | 9.8 |
2022-02-26 | CVE-2022-25095 | Home Owners Collection Management System Project | Unspecified vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0 Home Owners Collection Management System v1.0 allows unauthenticated attackers to compromise user accounts via a crafted POST request. | 9.8 |
2022-02-26 | CVE-2022-25096 | Home Owners Collection Management System Project | SQL Injection vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0 Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /members/view_member.php. | 9.8 |
2022-02-25 | CVE-2022-24442 | Jetbrains | Code Injection vulnerability in Jetbrains Youtrack JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates. | 9.8 |
2022-02-25 | CVE-2022-25060 | TP Link | OS Command Injection vulnerability in Tp-Link Tl-Wr840N Firmware 6.20180709 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing. | 9.8 |
2022-02-25 | CVE-2022-25061 | TP Link | OS Command Injection vulnerability in Tp-Link Tl-Wr840N Firmware 6.20180709 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute. | 9.8 |
2022-02-25 | CVE-2022-25064 | TP Link | OS Command Injection vulnerability in Tp-Link Tl-Wr840N Firmware 6.20180709 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr. | 9.8 |
2022-02-25 | CVE-2022-25262 | Jetbrains | Insufficient Verification of Data Authenticity vulnerability in Jetbrains HUB In JetBrains Hub before 2022.1.14434, SAML request takeover was possible. | 9.8 |
2022-02-25 | CVE-2022-25263 | Jetbrains | OS Command Injection vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. | 9.8 |
2022-02-25 | CVE-2021-22426 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui, Harmonyos and Magic UI There is a memory address out of bounds in smartphones. | 9.8 |
2022-02-25 | CVE-2021-22429 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui, Harmonyos and Magic UI There is a memory address out of bounds in smartphones. | 9.8 |
2022-02-25 | CVE-2021-22430 | Huawei | Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI There is a logic bypass vulnerability in smartphones. | 9.8 |
2022-02-25 | CVE-2021-22431 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui, Harmonyos and Magic UI There is a vulnerability when configuring permission isolation in smartphones. | 9.8 |
2022-02-25 | CVE-2021-22432 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui, Harmonyos and Magic UI There is a vulnerability when configuring permission isolation in smartphones. | 9.8 |
2022-02-25 | CVE-2021-22433 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui, Harmonyos and Magic UI There is a memory address out of bounds in smartphones. | 9.8 |
2022-02-25 | CVE-2021-22434 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Emui, Harmonyos and Magic UI There is a memory address out of bounds vulnerability in smartphones. | 9.8 |
2022-02-25 | CVE-2021-22480 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Harmonyos The interface of a certain HarmonyOS module has an integer overflow vulnerability. | 9.8 |
2022-02-25 | CVE-2021-26617 | Firstmall | Improper Input Validation vulnerability in Firstmall This issues due to insufficient verification of the various input values from user’s input. | 9.8 |
2022-02-25 | CVE-2021-40046 | Huawei | Unspecified vulnerability in Huawei Pcmanager 11.1.1.95 PCManager versions 11.1.1.95 has a privilege escalation vulnerability. | 9.8 |
2022-02-25 | CVE-2022-21798 | GE | Cleartext Transmission of Sensitive Information vulnerability in GE Cimplicity The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system. | 9.8 |
2022-02-25 | CVE-2021-45977 | Jetbrains | Unspecified vulnerability in Jetbrains products JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. | 9.8 |
2022-02-25 | CVE-2022-24331 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. | 9.8 |
2022-02-25 | CVE-2022-24340 | Jetbrains | XXE vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. | 9.8 |
2022-02-24 | CVE-2021-39363 | Honeywell | Command Injection vulnerability in Honeywell Hbw2Per1 Firmware and Hdzp252Di Firmware Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allow a video replay attack after ARP cache poisoning has been achieved. | 9.8 |
2022-02-24 | CVE-2020-10640 | Emerson | Missing Authentication for Critical Function vulnerability in Emerson Openenterprise Scada Server 2.8.3/3.1/3.3.3 Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run an arbitrary commands with system privileges or perform remote code execution via a specific communication service. | 9.8 |
2022-02-24 | CVE-2021-44663 | Nottingham AC | Unspecified vulnerability in Nottingham.Ac Xerte Online Toolkits A Remote Code Execution (RCE) vulnerability exists in the Xerte Project Xerte through 3.8.4 via a crafted php file through elfinder in connetor.php. | 9.8 |
2022-02-24 | CVE-2022-25003 | Hospital S Patient Records Management System Project | SQL Injection vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0 Hospital Patient Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/doctors/view_doctor.php. | 9.8 |
2022-02-24 | CVE-2022-25004 | Hospital S Patient Records Management System Project | SQL Injection vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0 Hospital Patient Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/doctors/manage_doctor.php. | 9.8 |
2022-02-24 | CVE-2022-22794 | Cybonet | SQL Injection vulnerability in Cybonet Pineapp Mail Secure Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. | 9.8 |
2022-02-24 | CVE-2021-44550 | Stanford | Injection vulnerability in Stanford Corenlp 4.3.2 An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159). | 9.8 |
2022-02-24 | CVE-2021-44567 | Rosariosis | SQL Injection vulnerability in Rosariosis An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php. | 9.8 |
2022-02-24 | CVE-2021-44610 | Bloofox | SQL Injection vulnerability in Bloofox Bloofoxcms 0.5.1/0.5.2/0.5.2.1 Multiple SQL Injection vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) URLs, (2) lang_id, (3) tmpl_id, (4) mod_rewrite (5) eta_doctype. | 9.8 |
2022-02-24 | CVE-2022-21142 | Appleple | Authentication Bypass by Spoofing vulnerability in Appleple A-Blog CMS Authentication bypass vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.74, Ver.2.9.x series versions prior to Ver.2.9.39, Ver.2.10.x series versions prior to Ver.2.10.43, and Ver.2.11.x series versions prior to Ver.2.11.41 allows a remote unauthenticated attacker to bypass authentication under the specific condition. | 9.8 |
2022-02-24 | CVE-2022-25072 | TP Link | Out-of-bounds Write vulnerability in Tp-Link Archer A54 Firmware 210111 TP-Link Archer A54 Archer A54(US)_V1_210111 routers were discovered to contain a stack overflow in the function DM_ Fillobjbystr(). | 9.8 |
2022-02-24 | CVE-2022-25073 | TP Link | Out-of-bounds Write vulnerability in Tp-Link Tl-Wr841N Firmware 0.9.14.18 TL-WR841Nv14_US_0.9.1_4.18 routers were discovered to contain a stack overflow in the function dm_fillObjByStr(). | 9.8 |
2022-02-24 | CVE-2022-25074 | TP Link | Out-of-bounds Write vulnerability in Tp-Link Tl-Wr902Ac Firmware 191209 TP-Link TL-WR902AC(US)_V3_191209 routers were discovered to contain a stack overflow in the function DM_ Fillobjbystr(). | 9.8 |
2022-02-24 | CVE-2022-25075 | Totolink | OS Command Injection vulnerability in Totolink A3000Ru Firmware V5.9C.2280B20180512 TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25076 | Totolink | OS Command Injection vulnerability in Totolink A800R Firmware V4.1.2Cu.5137B20200730 TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25077 | Totolink | OS Command Injection vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504 TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25078 | Totolink | OS Command Injection vulnerability in Totolink A3600R Firmware 4.1.2Cu.5182B20201102 TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25079 | Totolink | OS Command Injection vulnerability in Totolink A810R Firmware 4.1.2Cu.5182B20201026 TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25080 | Totolink | OS Command Injection vulnerability in Totolink A830R Firmware 5.9C.4729B20191112 TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25081 | Totolink | OS Command Injection vulnerability in Totolink T10 V2 Firmware 5.9C.5061B20200511 TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25082 | Totolink | OS Command Injection vulnerability in Totolink A950Rg Firmware 4.1.2Cu.5204B20210112/5.9C.4050B20190424 TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25083 | Totolink | OS Command Injection vulnerability in Totolink A860R Firmware 4.1.2Cu.5182B20201027 TOTOLink A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25084 | Totolink | OS Command Injection vulnerability in Totolink T6 Firmware 5.9C.4085B20190428 TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. | 9.8 |
2022-02-24 | CVE-2022-25403 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 HMS v1.0 was discovered to contain a SQL injection vulnerability via the component admin.php. | 9.8 |
2022-02-24 | CVE-2022-25404 | Tongda2000 | SQL Injection vulnerability in Tongda2000 11.10 Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete.php via the DELETE_STR parameter. | 9.8 |
2022-02-24 | CVE-2022-25405 | Tongda2000 | SQL Injection vulnerability in Tongda2000 11.10 Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in change_box.php via the DELETE_STR parameter. | 9.8 |
2022-02-24 | CVE-2022-25406 | Tongda2000 | SQL Injection vulnerability in Tongda2000 11.10 Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete_query.php via the DELETE_STR parameter. | 9.8 |
2022-02-24 | CVE-2022-25414 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware V15.03.2.21Cn Tenda AC9 V15.03.2.21_cn was discovered to contain a stack overflow via the parameter NPTR. | 9.8 |
2022-02-24 | CVE-2022-25417 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware V15.03.2.21Cn Tenda AC9 V15.03.2.21_cn was discovered to contain a stack overflow via the function saveparentcontrolinfo. | 9.8 |
2022-02-24 | CVE-2022-25418 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware V15.03.2.21Cn Tenda AC9 V15.03.2.21_cn was discovered to contain a stack overflow via the function openSchedWifi. | 9.8 |
2022-02-24 | CVE-2022-25643 | Seatd Project | Exposure of Resource to Wrong Sphere vulnerability in Seatd Project Seatd seatd-launch in seatd 0.6.x before 0.6.4 allows removing files with escalated privileges when installed setuid root. | 9.8 |
2022-02-24 | CVE-2022-25809 | Amazon | Unspecified vulnerability in Amazon Echo DOT Firmware Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an "Alexa versus Alexa (AvA)" attack. | 9.8 |
2022-02-24 | CVE-2022-25329 | Trendmicro | Use of Hard-coded Credentials vulnerability in Trendmicro products Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. | 9.8 |
2022-02-24 | CVE-2022-25330 | Trendmicro | Integer Overflow or Wraparound vulnerability in Trendmicro products Integer overflow conditions that exist in Trend Micro ServerProtect 6.0/5.8 Information Server could allow a remote attacker to crash the process or achieve remote code execution. | 9.8 |
2022-02-22 | CVE-2022-21654 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy, designed for cloud-native applications. | 9.8 |
2022-02-22 | CVE-2022-23608 | Teluu Asterisk Sangoma Debian | PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. | 9.8 |
2022-02-21 | CVE-2021-27797 | Broadcom | Use of Hard-coded Credentials vulnerability in Broadcom Fabric Operating System Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all versions of Brocade Fabric OS v8.0.x and v7.x contain documented hard-coded credentials, which could allow attackers to gain access to the system. | 9.8 |
2022-02-21 | CVE-2022-24553 | Zfaka Project | Unrestricted Upload of File with Dangerous Type vulnerability in Zfaka Project Zfaka An issue was found in Zfaka <= 1.4.5. | 9.8 |
2022-02-21 | CVE-2021-24867 | Accesspressthemes | Unspecified vulnerability in Accesspressthemes products Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. | 9.8 |
2022-02-21 | CVE-2022-0691 | URL Parse Project | Unspecified vulnerability in Url-Parse Project Url-Parse Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9. | 9.8 |
2022-02-26 | CVE-2022-25359 | Iclinks | Missing Authentication for Critical Function vulnerability in Iclinks Scadaflex II Firmware and Weblib On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, delete, or create files. | 9.1 |
2022-02-25 | CVE-2022-25260 | Jetbrains | Server-Side Request Forgery (SSRF) vulnerability in Jetbrains HUB JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF). | 9.1 |
2022-02-25 | CVE-2021-22394 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui, Harmonyos and Magic UI There is a buffer overflow vulnerability in smartphones. | 9.1 |
2022-02-25 | CVE-2021-22448 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is an improper verification vulnerability in smartphones. | 9.1 |
2022-02-24 | CVE-2022-25098 | Ectouch | Unspecified vulnerability in Ectouch 2.0 ECTouch v2 suffers from arbitrary file deletion due to insufficient filtering of the filename parameter. | 9.1 |
2022-02-24 | CVE-2022-25402 | Hospital Management System Project | Unspecified vulnerability in Hospital Management System Project Hospital Management System 1.0 An incorrect access control issue in HMS v1.0 allows unauthenticated attackers to read and modify all PHP files. | 9.1 |
2022-02-23 | CVE-2021-4070 | V2Fly | Off-by-one Error vulnerability in V2Fly V2Ray-Core Off-by-one Error in GitHub repository v2fly/v2ray-core prior to 4.44.0. | 9.1 |
2022-02-23 | CVE-2022-0717 | Mruby | Out-of-bounds Read vulnerability in Mruby Out-of-bounds Read in GitHub repository mruby/mruby prior to 3.2. | 9.1 |
112 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-26 | CVE-2021-3967 | Zulip | Unspecified vulnerability in Zulip Improper Access Control in GitHub repository zulip/zulip prior to 4.10. | 8.8 |
2022-02-26 | CVE-2022-25094 | Home Owners Collection Management System Project | Unspecified vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0 Home Owners Collection Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the parameter "cover" in SystemSettings.php. | 8.8 |
2022-02-25 | CVE-2022-24342 | Jetbrains | Cross-Site Request Forgery (CSRF) vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible. | 8.8 |
2022-02-25 | CVE-2022-24288 | Apache | OS Command Injection vulnerability in Apache Airflow In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | 8.8 |
2022-02-25 | CVE-2022-24947 | Apache | Cross-Site Request Forgery (CSRF) vulnerability in Apache Jspwiki Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. | 8.8 |
2022-02-24 | CVE-2021-44664 | Xerte | Unrestricted Upload of File with Dangerous Type vulnerability in Xerte An Authenticated Remote Code Exection (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file though the project interface disguised as a language file to bypasses the upload filters. | 8.8 |
2022-02-24 | CVE-2022-24707 | Anuko | SQL Injection vulnerability in Anuko Time Tracker Anuko Time Tracker is an open source, web-based time tracking application written in PHP. | 8.8 |
2022-02-24 | CVE-2021-44967 | Limesurvey | Unrestricted Upload of File with Dangerous Type vulnerability in Limesurvey 5.2.4 A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. | 8.8 |
2022-02-24 | CVE-2021-4029 | Zyxel | OS Command Injection vulnerability in Zyxel Nbg6816 Firmware and Nbg6817 Firmware A command injection vulnerability in the CGI program of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary OS commands via a LAN interface. | 8.8 |
2022-02-24 | CVE-2021-4030 | Zyxel | Cross-Site Request Forgery (CSRF) vulnerability in Zyxel Nbg6816 Firmware and Nbg6817 Firmware A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts. | 8.8 |
2022-02-24 | CVE-2022-23176 | Watchguard | Unspecified vulnerability in Watchguard Fireware WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. | 8.8 |
2022-02-24 | CVE-2022-24407 | Cyrusimap Debian Fedoraproject Netapp Oracle | SQL Injection vulnerability in multiple products In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. | 8.8 |
2022-02-24 | CVE-2022-25291 | Watchguard | Integer Overflow or Wraparound vulnerability in Watchguard Fireware An integer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to trigger a heap-based buffer overflow and potentially execute arbitrary code by initiating a firmware update with a malicious upgrade image. | 8.8 |
2022-02-24 | CVE-2022-25292 | Watchguard | Out-of-bounds Write vulnerability in Watchguard Fireware A wgagent stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a malicious upgrade image. | 8.8 |
2022-02-24 | CVE-2022-25293 | Watchguard | Out-of-bounds Write vulnerability in Watchguard Fireware A systemd stack-based buffer overflow in WatchGuard Firebox and XTM appliances allows an authenticated remote attacker to potentially execute arbitrary code by initiating a firmware update with a malicious upgrade image. | 8.8 |
2022-02-24 | CVE-2022-25360 | Watchguard | Unrestricted Upload of File with Dangerous Type vulnerability in Watchguard Fireware WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to upload files to arbitrary locations. | 8.8 |
2022-02-23 | CVE-2022-20650 | Cisco | OS Command Injection vulnerability in Cisco Nx-Os 10.2(1.72)/7.3(8)N1(0.4) A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. | 8.8 |
2022-02-23 | CVE-2022-0729 | VIM Fedoraproject Debian Apple | Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. | 8.8 |
2022-02-22 | CVE-2022-23652 | Clastix | Unspecified vulnerability in Clastix Capsule-Proxy capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. | 8.8 |
2022-02-21 | CVE-2022-23983 | WP BUY | Cross-Site Request Forgery (CSRF) vulnerability in Wp-Buy WP Content Copy Protection & NO Right Click Cross-Site Request Forgery (CSRF) vulnerability leading to plugin Settings Update discovered in WP Content Copy Protection & No Right Click WordPress plugin (versions <= 3.4.4). | 8.8 |
2022-02-21 | CVE-2022-24295 | Okta | Code Injection vulnerability in Okta Advanced Server Access Client for Windows Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL. | 8.8 |
2022-02-21 | CVE-2021-44142 | Samba Debian Canonical Synology Fedoraproject Redhat | Out-of-bounds Write vulnerability in multiple products The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. | 8.8 |
2022-02-21 | CVE-2021-45008 | Plesk | Improper Preservation of Permissions vulnerability in Plesk 18.0.37 Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights. | 8.8 |
2022-02-21 | CVE-2021-25069 | Wpdownloadmanager | Unspecified vulnerability in Wpdownloadmanager Download Manager The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue | 8.8 |
2022-02-21 | CVE-2021-25082 | Sygnoos | Unspecified vulnerability in Sygnoos Popup Builder The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. | 8.8 |
2022-02-21 | CVE-2022-0134 | Bologer | Unspecified vulnerability in Bologer Anycomment The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack | 8.8 |
2022-02-21 | CVE-2022-25297 | Drogon | Files or Directories Accessible to External Parties vulnerability in Drogon This affects the package drogonframework/drogon before 1.7.5. | 8.8 |
2022-02-24 | CVE-2022-24610 | Alecto | Insufficiently Protected Credentials vulnerability in Alecto Dvc-215Ip Firmware Settings/network settings/wireless settings on the Alecto DVC-215IP camera version 63.1.1.173 and below shows the Wi-Fi passphrase hidden, but by editing/removing the style of the password field the password becomes visible which grants access to an internal network connected to the camera. | 8.6 |
2022-02-24 | CVE-2022-21824 | Nodejs Oracle Debian Netapp | Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". | 8.2 |
2022-02-25 | CVE-2022-24335 | Jetbrains | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC. | 8.1 |
2022-02-25 | CVE-2022-23835 | Visual Voice Mail Project | Exposure of Resource to Wrong Sphere vulnerability in Visual Voice Mail Project Visual Voice Mail The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. | 8.1 |
2022-02-24 | CVE-2022-25838 | Laravel | Authentication Bypass by Capture-replay vulnerability in Laravel Fortify Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" concept. | 8.1 |
2022-02-26 | CVE-2022-24986 | KDE | Exposure of Resource to Wrong Sphere vulnerability in KDE Kcron KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. | 7.8 |
2022-02-25 | CVE-2021-44132 | C Data Onu4Ferw Project | Command Injection vulnerability in C-Data Onu4Ferw Project C-Data Onu4Ferw Firmware A command injection vulnerability in the function formImportOMCIShell of C-DATA ONU4FERW V2.1.13_X139 allows attackers to execute arbitrary commands via a crafted file. | 7.8 |
2022-02-25 | CVE-2021-40043 | Huawei | Command Injection vulnerability in Huawei Ais-Bw80H-00 Firmware The laser command injection vulnerability exists on AIS-BW80H-00 versions earlier than AIS-BW80H-00 9.0.3.4(H100SP13C00). | 7.8 |
2022-02-25 | CVE-2022-21209 | Fatek | Out-of-bounds Read vulnerability in Fatek Fvdesigner The affected product is vulnerable to an out-of-bounds read while processing project files, which allows an attacker to craft a project file that would allow arbitrary code execution. | 7.8 |
2022-02-25 | CVE-2022-23921 | GE | Improper Privilege Management vulnerability in GE Proficy Cimplicitiy 11.1 Exploitation of this vulnerability may result in local privilege escalation and code execution. | 7.8 |
2022-02-25 | CVE-2022-23985 | Fatek | Out-of-bounds Write vulnerability in Fatek Fvdesigner The affected product is vulnerable to an out-of-bounds write while processing project files, which allows an attacker to craft a project file that would allow arbitrary code execution. | 7.8 |
2022-02-25 | CVE-2022-25170 | Fatek | Out-of-bounds Write vulnerability in Fatek Fvdesigner The affected product is vulnerable to a stack-based buffer overflow while processing project files, which may allow an attacker to execute arbitrary code | 7.8 |
2022-02-25 | CVE-2022-24345 | Jetbrains | Unspecified vulnerability in Jetbrains Intellij Idea In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible. | 7.8 |
2022-02-25 | CVE-2022-24346 | Jetbrains | Unspecified vulnerability in Jetbrains Intellij Idea In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible. | 7.8 |
2022-02-24 | CVE-2020-14481 | Rockwellautomation | Inadequate Encryption Strength vulnerability in Rockwellautomation Factorytalk View 10.0 The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. | 7.8 |
2022-02-24 | CVE-2021-26252 | Htmldoc Project Redhat Fedoraproject | Out-of-bounds Write vulnerability in multiple products A flaw was found in htmldoc in v1.9.12. | 7.8 |
2022-02-24 | CVE-2022-0545 | Blender Debian | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. | 7.8 |
2022-02-24 | CVE-2022-0546 | Blender Fedoraproject Debian | Integer Overflow or Wraparound vulnerability in multiple products A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution. | 7.8 |
2022-02-24 | CVE-2022-23104 | WIN 911 | Incorrect Default Permissions vulnerability in Win-911 2021 R1 and Win-911 2021 R2 WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the program Operator Workspace directory, which holds DLL files and executables. | 7.8 |
2022-02-24 | CVE-2022-23922 | WIN 911 | Incorrect Default Permissions vulnerability in Win-911 2021 R1 and Win-911 2021 R2 WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the Program Announcer directory and elevate permissions whenever the program is executed. | 7.8 |
2022-02-24 | CVE-2022-24232 | Hospital S Patient Records Management System Project | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0 A local file inclusion in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 7.8 |
2022-02-24 | CVE-2019-25058 | Usbguard Project Fedoraproject Debian | Incorrect Authorization vulnerability in multiple products An issue was discovered in USBGuard before 1.1.0. | 7.8 |
2022-02-24 | CVE-2022-25099 | Wbce | Unspecified vulnerability in Wbce CMS 1.5.2 A vulnerability in the component /languages/index.php of WBCE CMS v1.5.2 allows attackers to execute arbitrary code via a crafted PHP file. | 7.8 |
2022-02-24 | CVE-2022-25101 | Wbce | Unspecified vulnerability in Wbce CMS 1.5.2 A vulnerability in the component /templates/install.php of WBCE CMS v1.5.2 allows attackers to execute arbitrary code via a crafted PHP file. | 7.8 |
2022-02-24 | CVE-2022-25636 | Linux Debian Netapp Oracle | Improper Privilege Management vulnerability in multiple products net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. | 7.8 |
2022-02-24 | CVE-2022-24671 | Trendmicro | Link Following vulnerability in Trendmicro Antivirus A link following privilege escalation vulnerability in Trend Micro Antivirus for Max 11.0.2150 and below could allow a local attacker to modify a file during the update process and escalate their privileges. | 7.8 |
2022-02-24 | CVE-2022-24679 | Trendmicro | Link Following vulnerability in Trendmicro products A security link following local privilege escalation vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service, Trend Micro Worry-Free Business Security 10.0 SP1 and Trend Micro Worry-Free Business Security Services agents could allow a local attacker to create an writable folder in an arbitrary location and escalate privileges affected installations. | 7.8 |
2022-02-24 | CVE-2022-24680 | Trendmicro | Link Following vulnerability in Trendmicro products A security link following local privilege escalation vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service, Trend Micro Worry-Free Business Security 10.0 SP1 and Trend Micro Worry-Free Business Security Services agents could allow a local attacker to create a mount point and leverage this for arbitrary folder deletion, leading to escalated privileges on affected installations. | 7.8 |
2022-02-22 | CVE-2021-46162 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1/2022.1.0 A vulnerability has been identified in Simcenter Femap (All versions < V2022.1.1). | 7.8 |
2022-02-22 | CVE-2021-46699 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap 2020.2/2021.1/2022.1.0 A vulnerability has been identified in Simcenter Femap (All versions < V2022.1.1). | 7.8 |
2022-02-22 | CVE-2022-0676 | Radare Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4. | 7.8 |
2022-02-21 | CVE-2022-22308 | IBM | Inclusion of Functionality from Untrusted Control Sphere vulnerability in IBM Planning Analytics 2.0 IBM Planning Analytics 2.0 is vulnerable to a Remote File Include (RFI) attack. | 7.8 |
2022-02-26 | CVE-2022-23308 | Xmlsoft Fedoraproject Debian Apple Netapp Oracle | Use After Free vulnerability in multiple products valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. | 7.5 |
2022-02-25 | CVE-2022-25062 | TP Link | Integer Overflow or Wraparound vulnerability in Tp-Link Tl-Wr840N Firmware 6.20180709 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain an integer overflow via the function dm_checkString. | 7.5 |
2022-02-25 | CVE-2022-25264 | Jetbrains | Insecure Storage of Sensitive Information vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases. | 7.5 |
2022-02-25 | CVE-2021-22319 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Emui, Harmonyos and Magic UI There is an improper verification vulnerability in smartphones. | 7.5 |
2022-02-25 | CVE-2021-22395 | Huawei | Code Injection vulnerability in Huawei Emui, Harmonyos and Magic UI There is a code injection vulnerability in smartphones. | 7.5 |
2022-02-25 | CVE-2021-22489 | Huawei | Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI There is a DoS vulnerability in smartphones. | 7.5 |
2022-02-25 | CVE-2021-37027 | Huawei | Unspecified vulnerability in Huawei Emui and Magic UI There is a DoS vulnerability in smartphones. | 7.5 |
2022-02-25 | CVE-2022-0615 | Eset | Use After Free vulnerability in Eset Endpoint Antivirus and Server Security Use-after-free in eset_rtp kernel module used in ESET products for Linux allows potential attacker to trigger denial-of-service condition on the system. | 7.5 |
2022-02-25 | CVE-2022-24327 | Jetbrains | Incorrect Permission Assignment for Critical Resource vulnerability in Jetbrains HUB In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions. | 7.5 |
2022-02-25 | CVE-2022-24341 | Jetbrains | Insufficient Session Expiration vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user. | 7.5 |
2022-02-25 | CVE-2022-25374 | Hashicorp | Information Exposure Through Log Files vulnerability in Hashicorp Terraform Enterprise HashiCorp Terraform Enterprise v202112-1, v202112-2, v202201-1, and v202201-2 were configured to log inbound HTTP requests in a manner that may capture sensitive data. | 7.5 |
2022-02-24 | CVE-2021-39364 | Honeywell | Authentication Bypass by Capture-replay vulnerability in Honeywell Hbw2Per1 Firmware and Hdzp252Di Firmware Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allow command spoofing (for camera control) after ARP cache poisoning has been achieved. | 7.5 |
2022-02-24 | CVE-2020-10636 | Emerson | Inadequate Encryption Strength vulnerability in Emerson Openenterprise Scada Server 2.8.3/3.1/3.3.3 Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained. | 7.5 |
2022-02-24 | CVE-2021-3610 | Imagemagick Fedoraproject Redhat | Out-of-bounds Write vulnerability in multiple products A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. | 7.5 |
2022-02-24 | CVE-2021-4021 | Radare | Excessive Iteration vulnerability in Radare Radare2 A vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0, 5.5.4 and 5.5.2. | 7.5 |
2022-02-24 | CVE-2022-0651 | Veronalabs | SQL Injection vulnerability in Veronalabs WP Statistics The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. | 7.5 |
2022-02-24 | CVE-2022-25149 | Veronalabs | SQL Injection vulnerability in Veronalabs WP Statistics The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. | 7.5 |
2022-02-24 | CVE-2022-22793 | Cybonet | Unspecified vulnerability in Cybonet Pineapp Mail Secure Cybonet - PineApp Mail Relay Local File Inclusion. | 7.5 |
2022-02-24 | CVE-2022-0732 | 1Byte | Authorization Bypass Through User-Controlled Key vulnerability in 1Byte products The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. | 7.5 |
2022-02-24 | CVE-2020-27467 | Processwire | Path Traversal vulnerability in Processwire A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php. | 7.5 |
2022-02-24 | CVE-2021-25636 | Libreoffice Fedoraproject | Improper Certificate Validation vulnerability in multiple products LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. | 7.5 |
2022-02-24 | CVE-2021-45746 | Webank | Path Traversal vulnerability in Webank Wecube 3.2.1 A Directory Traversal vulnerability exists in WeBankPartners wecube-platform 3.2.1 via the file variable in PluginPackageController.java. | 7.5 |
2022-02-24 | CVE-2022-23986 | Phpuploader Project | SQL Injection vulnerability in PHPuploader Project PHPuploader SQL injection vulnerability in the phpUploader v1.2 and earlier allows a remote unauthenticated attacker to obtain the information in the database via unspecified vectors. | 7.5 |
2022-02-24 | CVE-2022-25104 | Horizontcms Project | Files or Directories Accessible to External Parties vulnerability in Horizontcms Project Horizontcms 1.0.0 HorizontCMS v1.0.0-beta.2 was discovered to contain an arbitrary file download vulnerability via the component /admin/file-manager/. | 7.5 |
2022-02-24 | CVE-2022-25401 | Cuppacms | Unspecified vulnerability in Cuppacms 1.0 The copy function of the file manager in Cuppa CMS v1.0 allows any file to be copied to the current directory, granting attackers read access to arbitrary files. | 7.5 |
2022-02-24 | CVE-2022-25640 | Wolfssl | Improper Certificate Validation vulnerability in Wolfssl In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. | 7.5 |
2022-02-24 | CVE-2022-24678 | Trendmicro | Resource Exhaustion vulnerability in Trendmicro products An security agent resource exhaustion denial-of-service vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service, Trend Micro Worry-Free Business Security 10.0 SP1 and Trend Micro Worry-Free Business Security Services agents could allow an attacker to flood a temporary log location and consume all disk space on affected installations. | 7.5 |
2022-02-24 | CVE-2022-25331 | Trendmicro | Unspecified vulnerability in Trendmicro products Uncaught exceptions that can be generated in Trend Micro ServerProtection 6.0/5.8 Information Server could allow a remote attacker to crash the process. | 7.5 |
2022-02-23 | CVE-2022-24409 | Dell | Unspecified vulnerability in Dell Bsafe Ssl-J Dell BSAFE SSL-J contains remediation for a covert timing channel vulnerability that may be exploited by malicious users to compromise the affected system. | 7.5 |
2022-02-23 | CVE-2022-22336 | IBM | Memory Leak vulnerability in IBM products IBM Sterling External Authentication Server and IBM Sterling Secure Proxy 6.0.3.0, 6.0.2.0, and 3.4.3.2 could allow a remote user to consume resources causing a denial of service due to a resource leak. | 7.5 |
2022-02-23 | CVE-2022-20623 | Cisco | Unspecified vulnerability in Cisco Nx-Os A vulnerability in the rate limiter for Bidirectional Forwarding Detection (BFD) traffic of Cisco NX-OS Software for Cisco Nexus 9000 Series Switches could allow an unauthenticated, remote attacker to cause BFD traffic to be dropped on an affected device. | 7.5 |
2022-02-23 | CVE-2022-20624 | Cisco | Improper Input Validation vulnerability in Cisco Nx-Os A vulnerability in the Cisco Fabric Services over IP (CFSoIP) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2022-02-23 | CVE-2022-0736 | Lfprojects | Unspecified vulnerability in Lfprojects Mlflow Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1. | 7.5 |
2022-02-23 | CVE-2022-0654 | Node Request Retry Project | Unspecified vulnerability in Node-Request-Retry Project Node-Request-Retry Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository fgribreau/node-request-retry prior to 7.0.0. | 7.5 |
2022-02-22 | CVE-2021-43824 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy, designed for cloud-native applications. | 7.5 |
2022-02-22 | CVE-2021-43825 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy, designed for cloud-native applications. | 7.5 |
2022-02-22 | CVE-2021-43826 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy, designed for cloud-native applications. | 7.5 |
2022-02-22 | CVE-2022-21655 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy, designed for cloud-native applications. | 7.5 |
2022-02-22 | CVE-2022-23612 | Openmrs | Unspecified vulnerability in Openmrs OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. | 7.5 |
2022-02-22 | CVE-2022-23635 | Istio | Improper Validation of Specified Quantity in Input vulnerability in Istio Istio is an open platform to connect, manage, and secure microservices. | 7.5 |
2022-02-21 | CVE-2022-23984 | Gvectors | Information Exposure vulnerability in Gvectors Wpdiscuz Sensitive information disclosure discovered in wpDiscuz WordPress plugin (versions <= 7.3.11). | 7.5 |
2022-02-24 | CVE-2021-44531 | Nodejs Oracle | Improper Certificate Validation vulnerability in multiple products Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. | 7.4 |
2022-02-25 | CVE-2022-25328 | OS Command Injection vulnerability in Google Fscrypt The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. | 7.3 | |
2022-02-26 | CVE-2022-26149 | Modx | Unrestricted Upload of File with Dangerous Type vulnerability in Modx Revolution MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator. | 7.2 |
2022-02-24 | CVE-2021-29220 | HP | Classic Buffer Overflow vulnerability in HP ILO Amplifier Pack Multiple buffer overflow security vulnerabilities have been identified in HPE iLO Amplifier Pack version(s): Prior to 2.12. | 7.2 |
2022-02-24 | CVE-2022-23043 | Tribalsystems | Unrestricted Upload of File with Dangerous Type vulnerability in Tribalsystems Zenario 9.2 Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. | 7.2 |
2022-02-23 | CVE-2022-21705 | Octobercms | Unspecified vulnerability in Octobercms October Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. | 7.2 |
2022-02-21 | CVE-2021-4208 | Exportfeed | SQL Injection vulnerability in Exportfeed The ExportFeed WordPress plugin through 2.0.1.0 does not sanitise and escape the product_id POST parameter before using it in a SQL statement, leading to a SQL injection vulnerability exploitable by high privilege users | 7.2 |
2022-02-21 | CVE-2022-0228 | Sygnoos | Unspecified vulnerability in Sygnoos Popup Builder The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection | 7.2 |
2022-02-21 | CVE-2022-0255 | Deliciousbrains | SQL Injection vulnerability in Deliciousbrains Database Backup The Database Backup for WordPress plugin before 2.5.1 does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue | 7.2 |
2022-02-24 | CVE-2020-14478 | Rockwellautomation | XXE vulnerability in Rockwellautomation Factorytalk Services Platform A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. | 7.1 |
2022-02-22 | CVE-2022-0713 | Radare Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4. | 7.1 |
2022-02-25 | CVE-2021-22437 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Emui and Magic UI There is a software integer overflow leading to a TOCTOU condition in smartphones. | 7.0 |
151 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-26 | CVE-2022-0764 | Strapi | Unspecified vulnerability in Strapi Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0. | 6.7 |
2022-02-25 | CVE-2022-24328 | Jetbrains | Unspecified vulnerability in Jetbrains HUB In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS. | 6.5 |
2022-02-25 | CVE-2022-24333 | Jetbrains | Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible. | 6.5 |
2022-02-25 | CVE-2022-24337 | Jetbrains | Incorrect Default Permissions vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions. | 6.5 |
2022-02-24 | CVE-2021-44665 | Xerte | Path Traversal vulnerability in Xerte A Directory Traversal vulnerability exists in the Xerte Project Xerte through 3.10.3 when downloading a project file via download.php. | 6.5 |
2022-02-24 | CVE-2021-3596 | Imagemagick Redhat Fedoraproject Debian | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. | 6.5 |
2022-02-24 | CVE-2022-23135 | ZTE | Path Traversal vulnerability in ZTE Zxhn F477 Firmware and Zxhn F677 Firmware There is a directory traversal vulnerability in some home gateway products of ZTE. | 6.5 |
2022-02-24 | CVE-2022-24687 | Hashicorp | Unspecified vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. | 6.5 |
2022-02-24 | CVE-2022-23810 | Appleple | Code Injection vulnerability in Appleple A-Blog CMS Template injection (Improper Neutralization of Special Elements Used in a Template Engine) vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to obtain an arbitrary file on the server via unspecified vectors. | 6.5 |
2022-02-24 | CVE-2022-24599 | Audio File Library Project Debian Fedoraproject | Memory Leak vulnerability in multiple products In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. | 6.5 |
2022-02-24 | CVE-2022-25290 | Watchguard | Unspecified vulnerability in Watchguard Fireware WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to retrieve certificate private keys. | 6.5 |
2022-02-24 | CVE-2022-25363 | Watchguard | Out-of-bounds Write vulnerability in Watchguard Fireware WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to modify privileged management user credentials. | 6.5 |
2022-02-24 | CVE-2022-25638 | Wolfssl | Improper Certificate Validation vulnerability in Wolfssl In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. | 6.5 |
2022-02-23 | CVE-2022-22333 | IBM | Classic Buffer Overflow vulnerability in IBM products IBM Sterling Secure Proxy 6.0.3.0, 6.0.2.0, and 3.4.3.2 and IBM Sterling External Authentication Server are vulnerable a buffer overflow, due to the Jetty based GUI in the Secure Zone not properly validating the sizes of the form content and/or HTTP headers submitted. | 6.5 |
2022-02-23 | CVE-2022-0731 | Dolibarr | Authorization Bypass Through User-Controlled Key vulnerability in Dolibarr Erp/Crm Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0. | 6.5 |
2022-02-23 | CVE-2022-0721 | Microweber | Unspecified vulnerability in Microweber Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3. | 6.5 |
2022-02-23 | CVE-2022-0724 | Microweber | Insecure Storage of Sensitive Information vulnerability in Microweber Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3. | 6.5 |
2022-02-22 | CVE-2022-21657 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy, designed for cloud-native applications. | 6.5 |
2022-02-22 | CVE-2022-23606 | Envoyproxy | Unspecified vulnerability in Envoyproxy Envoy 1.20.0/1.20.1/1.21.0 Envoy is an open source edge and service proxy, designed for cloud-native applications. | 6.5 |
2022-02-22 | CVE-2022-23654 | Requarks | Unspecified vulnerability in Requarks Wiki.Js Wiki.js is a wiki app built on Node.js. | 6.5 |
2022-02-22 | CVE-2022-0665 | Pimcore | Unspecified vulnerability in Pimcore Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2. | 6.5 |
2022-02-21 | CVE-2021-27796 | Broadcom | Unspecified vulnerability in Broadcom Fabric Operating System A vulnerability in Brocade Fabric OS versions before Brocade Fabric OS v8.0.1b, v7.4.1d could allow an authenticated attacker within the restricted shell environment (rbash) as either the “user” or “factory” account, to read the contents of any file on the filesystem utilizing one of a few available binaries. | 6.5 |
2022-02-21 | CVE-2021-44568 | Opensuse | Out-of-bounds Write vulnerability in Opensuse Libsolv Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service. | 6.5 |
2022-02-21 | CVE-2022-0708 | Mattermost | Information Exposure vulnerability in Mattermost Mattermost 6.3.0 and earlier fails to protect email addresses of the creator of the team via one of the APIs, which allows authenticated team members to access this information resulting in sensitive & private information disclosure. | 6.5 |
2022-02-24 | CVE-2021-3700 | Spice Space Redhat Fedoraproject Debian | Use After Free vulnerability in multiple products A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. | 6.4 |
2022-02-25 | CVE-2021-23495 | Karma Project | Open Redirect vulnerability in Karma Project Karma The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter. | 6.1 |
2022-02-25 | CVE-2022-25259 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains HUB JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS. | 6.1 |
2022-02-25 | CVE-2022-25261 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2021.2.2 was vulnerable to reflected XSS. | 6.1 |
2022-02-25 | CVE-2021-37504 | Hayageek | Cross-site Scripting vulnerability in Hayageek Jquery Upload File 4.0.11 A cross-site scripting (XSS) vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a Javascript payload in the file name. | 6.1 |
2022-02-25 | CVE-2021-42244 | Notimoo Project | Cross-site Scripting vulnerability in Notimoo Project Notimoo 1.2 A cross-site scripting (XSS) vulnerability in PaquitoSoftware Notimoo v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted title or message in a notification. | 6.1 |
2022-02-25 | CVE-2022-24330 | Jetbrains | Open Redirect vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible. | 6.1 |
2022-02-25 | CVE-2022-24338 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS. | 6.1 |
2022-02-25 | CVE-2021-45229 | Apache | Cross-site Scripting vulnerability in Apache Airflow It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. | 6.1 |
2022-02-25 | CVE-2022-24948 | Apache | Cross-site Scripting vulnerability in Apache Jspwiki A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. | 6.1 |
2022-02-25 | CVE-2021-34361 | Qnap | Cross-site Scripting vulnerability in Qnap NAS Proxy Server 1.3.0 A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Proxy Server. | 6.1 |
2022-02-24 | CVE-2021-29216 | HPE | Cross-site Scripting vulnerability in HPE Oneview Global Dashboard A remote cross-site scripting vulnerability was discovered in HPE OneView Global Dashboard version(s): Prior to 2.5. | 6.1 |
2022-02-24 | CVE-2021-29217 | HPE | Open Redirect vulnerability in HPE Oneview Global Dashboard A remote URL redirection vulnerability was discovered in HPE OneView Global Dashboard version(s): Prior to 2.5. | 6.1 |
2022-02-24 | CVE-2022-24709 | Amazon | Unspecified vulnerability in Amazon Awsui/Components-React @awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. | 6.1 |
2022-02-24 | CVE-2020-14502 | Rockwellautomation | Cross-site Scripting vulnerability in Rockwellautomation products The web interface of the 1734-AENTR communication module is vulnerable to stored XSS. | 6.1 |
2022-02-24 | CVE-2021-44662 | Nottingham AC | Cross-site Scripting vulnerability in Nottingham.Ac Xerte Online Toolkits A Site Scripting (XSS) vulnerability exists in the Xerte Project Xerte through 3.8.4 via the link parameter in print.php. | 6.1 |
2022-02-24 | CVE-2022-0653 | Cozmoslabs | Cross-site Scripting vulnerability in Cozmoslabs Profile Builder The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. | 6.1 |
2022-02-24 | CVE-2022-0683 | Wpdeveloper | Cross-site Scripting vulnerability in Wpdeveloper Essential Addons for Elementor The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. | 6.1 |
2022-02-24 | CVE-2022-0710 | Draftpress | Cross-site Scripting vulnerability in Draftpress Header Footer Code Manager The Header Footer Code Manager plugin <= 1.1.16 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter. | 6.1 |
2022-02-24 | CVE-2022-25305 | Veronalabs | Cross-site Scripting vulnerability in Veronalabs WP Statistics The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. | 6.1 |
2022-02-24 | CVE-2022-25306 | Veronalabs | Cross-site Scripting vulnerability in Veronalabs WP Statistics The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. | 6.1 |
2022-02-24 | CVE-2022-25307 | Veronalabs | Cross-site Scripting vulnerability in Veronalabs WP Statistics The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. | 6.1 |
2022-02-24 | CVE-2022-23916 | Appleple | Cross-site Scripting vulnerability in Appleple A-Blog CMS Cross-site scripting vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-02-24 | CVE-2022-24374 | Appleple | Cross-site Scripting vulnerability in Appleple A-Blog CMS Cross-site scripting vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-02-24 | CVE-2022-24435 | Phpuploader Project | Cross-site Scripting vulnerability in PHPuploader Project PHPuploader Cross-site scripting vulnerability in phpUploader v1.2 and earlier allows a remote unauthenticated attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-02-24 | CVE-2021-26092 | Fortinet | Cross-site Scripting vulnerability in Fortinet Fortios and Fortiproxy Failure to sanitize input in the SSL VPN web portal of FortiOS 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 through 5.6.14, 6.0.0 through 6.0.12, 6.2.0 through 6.2.7, 6.4.0 through 6.4.4; and FortiProxy 1.2.0 through 1.2.9, 2.0.0 through 2.0.1 may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters. | 6.1 |
2022-02-21 | CVE-2022-24564 | Checkmk | Cross-site Scripting vulnerability in Checkmk 2.0.0 Checkmk <=2.0.0p19 contains a Cross Site Scripting (XSS) vulnerability. | 6.1 |
2022-02-21 | CVE-2021-26256 | AYS PRO | Cross-site Scripting vulnerability in Ays-Pro Survey Maker Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Survey Maker WordPress plugin (versions <= 2.0.6). | 6.1 |
2022-02-21 | CVE-2022-0692 | Alltube Project | Unspecified vulnerability in Alltube Project Alltube Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1. | 6.1 |
2022-02-21 | CVE-2021-24921 | Sigmaplugin | Unspecified vulnerability in Sigmaplugin Advanced Database Cleaner The Advanced Database Cleaner WordPress plugin before 3.0.4 does not sanitise and escape $_GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | 6.1 |
2022-02-21 | CVE-2021-25055 | Feedwordpress Project | Cross-site Scripting vulnerability in Feedwordpress Project Feedwordpress The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter. | 6.1 |
2022-02-21 | CVE-2021-25099 | Givewp | Unspecified vulnerability in Givewp The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-02-21 | CVE-2021-25100 | Givewp | Unspecified vulnerability in Givewp The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-02-21 | CVE-2022-0234 | Pluginus | Unspecified vulnerability in Pluginus Woocs The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocs_in_order_currency parameter of the woocs_get_products_price_html AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-02-21 | CVE-2022-0252 | Givewp | Unspecified vulnerability in Givewp The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-02-21 | CVE-2022-0288 | AD Inserter Project AD Inserter PRO Project | The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-02-24 | CVE-2021-3607 | Qemu Debian Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. | 6.0 |
2022-02-24 | CVE-2021-3608 | Qemu Debian Fedoraproject | Access of Uninitialized Pointer vulnerability in multiple products A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. | 6.0 |
2022-02-26 | CVE-2020-36516 | Linux Netapp | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products An issue was discovered in the Linux kernel through 5.16.11. | 5.9 |
2022-02-22 | CVE-2022-21656 | Envoyproxy | Type Confusion vulnerability in Envoyproxy Envoy Envoy is an open source edge and service proxy, designed for cloud-native applications. | 5.9 |
2022-02-26 | CVE-2022-22908 | Sangfor | Insufficiently Protected Credentials vulnerability in Sangfor VDI Client 5.4.2.1006 SangforCSClient.exe in Sangfor VDI Client 5.4.2.1006 allows attackers, when they are able to read process memory, to discover the contents of the Username and Password fields. | 5.5 |
2022-02-26 | CVE-2021-46702 | Torproject | Improper Resource Shutdown or Release vulnerability in Torproject TOR 9.0.7 Tor Browser 9.0.7 on Windows 10 build 10586 is vulnerable to information disclosure. | 5.5 |
2022-02-25 | CVE-2021-22441 | Huawei | Integer Overflow or Wraparound vulnerability in Huawei Harmonyos Some Huawei products have an integer overflow vulnerability. | 5.5 |
2022-02-25 | CVE-2021-22478 | Huawei | Use After Free vulnerability in Huawei Harmonyos The interface of a certain HarmonyOS module has a UAF vulnerability. | 5.5 |
2022-02-25 | CVE-2021-22479 | Huawei | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Huawei Harmonyos The interface of a certain HarmonyOS module has an invalid address access vulnerability. | 5.5 |
2022-02-25 | CVE-2021-37103 | Huawei | Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI There is an improper permission management vulnerability in the Wallet apps. | 5.5 |
2022-02-25 | CVE-2021-38993 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the smbcd daemon to cause a denial of service. | 5.5 |
2022-02-25 | CVE-2022-0247 | Incorrect Permission Assignment for Critical Resource vulnerability in Google Fuchsia 4.1/4.1.1/4.1.2 An issue exists in Fuchsia where VMO data can be modified through access to copy-on-write snapshots. | 5.5 | |
2022-02-25 | CVE-2022-25326 | Resource Exhaustion vulnerability in Google Fscrypt fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. | 5.5 | |
2022-02-25 | CVE-2022-25327 | Incorrect Default Permissions vulnerability in Google Fscrypt The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. | 5.5 | |
2022-02-24 | CVE-2021-43745 | Trillium Notes Project | Unspecified vulnerability in Trillium Notes Project Trillum Notes 0.48.6 A Denial of Service vulnerabilty exists in Trilium Notes 0.48.6 in the setupPage function | 5.5 |
2022-02-24 | CVE-2020-14480 | Rockwellautomation | Cleartext Storage of Sensitive Information vulnerability in Rockwellautomation Factorytalk View 10.0 Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials. | 5.5 |
2022-02-24 | CVE-2022-0544 | Blender Debian | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products An integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. | 5.5 |
2022-02-24 | CVE-2021-38994 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. | 5.5 |
2022-02-24 | CVE-2021-38995 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. | 5.5 |
2022-02-24 | CVE-2022-24613 | Metadata Extractor Project | Improper Handling of Exceptional Conditions vulnerability in Metadata-Extractor Project Metadata-Extractor metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. | 5.5 |
2022-02-24 | CVE-2022-24614 | Metadata Extractor Project | Allocation of Resources Without Limits or Throttling vulnerability in Metadata-Extractor Project Metadata-Extractor When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. | 5.5 |
2022-02-24 | CVE-2022-24615 | Zip4J Project | Improper Handling of Exceptional Conditions vulnerability in Zip4J Project Zip4J zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. | 5.5 |
2022-02-24 | CVE-2022-0695 | Radare Fedoraproject | Resource Exhaustion vulnerability in multiple products Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4. | 5.5 |
2022-02-23 | CVE-2022-0476 | Radare Fedoraproject | Resource Exhaustion vulnerability in multiple products Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4. | 5.5 |
2022-02-22 | CVE-2022-0714 | VIM Fedoraproject Debian Apple | Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436. | 5.5 |
2022-02-22 | CVE-2022-0712 | Radare Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4. | 5.5 |
2022-02-21 | CVE-2021-4115 | Polkit Project Redhat Fedoraproject Canonical Debian Oracle | There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. | 5.5 |
2022-02-21 | CVE-2022-0696 | VIM Fedoraproject Apple Debian | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4428. | 5.5 |
2022-02-21 | CVE-2022-0563 | Kernel Netapp | Information Exposure Through an Error Message vulnerability in multiple products A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. | 5.5 |
2022-02-21 | CVE-2021-27753 | Hcltech | Path Traversal vulnerability in Hcltech HCL Sametime "Sametime Android PathTraversal Vulnerability" | 5.5 |
2022-02-21 | CVE-2021-27755 | Hcltech | Path Traversal vulnerability in Hcltech HCL Sametime "Sametime Android potential path traversal vulnerability when using File class" | 5.5 |
2022-02-26 | CVE-2022-26146 | Tricentis | Cross-site Scripting vulnerability in Tricentis Qtest Tricentis qTest before 10.4 allows stored XSS by an authenticated attacker. | 5.4 |
2022-02-26 | CVE-2022-0723 | Microweber | Cross-site Scripting vulnerability in Microweber Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11. | 5.4 |
2022-02-25 | CVE-2022-24710 | Weblate | Unspecified vulnerability in Weblate Weblate is a copyleft software web-based continuous localization system. | 5.4 |
2022-02-25 | CVE-2022-24339 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Teamcity JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS. | 5.4 |
2022-02-25 | CVE-2022-24344 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Youtrack JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page. | 5.4 |
2022-02-25 | CVE-2022-24347 | Jetbrains | Cross-site Scripting vulnerability in Jetbrains Youtrack JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon. | 5.4 |
2022-02-25 | CVE-2022-24612 | Eyesofnetwork | Cross-site Scripting vulnerability in Eyesofnetwork 5.311 An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS. | 5.4 |
2022-02-25 | CVE-2021-34359 | Qnap | Cross-site Scripting vulnerability in Qnap NAS Proxy Server 1.3.0 A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Proxy Server. | 5.4 |
2022-02-24 | CVE-2021-39038 | IBM | Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. | 5.4 |
2022-02-24 | CVE-2022-24708 | Anuko | Unspecified vulnerability in Anuko Time Tracker Anuko Time Tracker is an open source, web-based time tracking application written in PHP. | 5.4 |
2022-02-24 | CVE-2021-44565 | Rosariosis | Cross-site Scripting vulnerability in Rosariosis A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 7.6.1 via the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. | 5.4 |
2022-02-24 | CVE-2021-44566 | Rosariosis | Cross-site Scripting vulnerability in Rosariosis A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 4.3 via the SanitizeMarkDown function in ProgramFunctions/MarkDownHTML.fnc.php. | 5.4 |
2022-02-24 | CVE-2021-44607 | Thedaylightstudio | Cross-site Scripting vulnerability in Thedaylightstudio Fuel CMS 1.5.1 A Cross Site Scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 in the Assets page via an SVG file. | 5.4 |
2022-02-24 | CVE-2021-44608 | Bloofox | Cross-site Scripting vulnerability in Bloofox Bloofoxcms 0.5.1/0.5.2/0.5.2.1 Multiple Cross Site Scripting (XSS) vulnerabilities exists in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) file parameter and (2) type parameter in an edit action in index.php. | 5.4 |
2022-02-24 | CVE-2022-24565 | Checkmk | Cross-site Scripting vulnerability in Checkmk 1.6.0/2.0.0 Checkmk <=2.0.0p19 Fixed in 2.0.0p20 and Checkmk <=1.6.0p27 Fixed in 1.6.0p28 are affected by a Cross Site Scripting (XSS) vulnerability. | 5.4 |
2022-02-24 | CVE-2022-24566 | Checkmk | Cross-site Scripting vulnerability in Checkmk 1.6.0/2.0.0 In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS). | 5.4 |
2022-02-24 | CVE-2022-24582 | Accounting Journal Management Project | Cross-site Scripting vulnerability in Accounting Journal Management Project Accounting Journal Management 1.0 Accounting Journal Management 1.0 is vulnerable to XSS-PHPSESSID-Hijacking. | 5.4 |
2022-02-24 | CVE-2022-24620 | Piwigo | Cross-site Scripting vulnerability in Piwigo 12.2.0 Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. | 5.4 |
2022-02-23 | CVE-2022-0726 | Framasoft | Unspecified vulnerability in Framasoft Peertube Missing Authorization in GitHub repository chocobozzz/peertube prior to 4.1.0. | 5.4 |
2022-02-23 | CVE-2022-0727 | Framasoft | Incorrect Authorization vulnerability in Framasoft Peertube Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. | 5.4 |
2022-02-23 | CVE-2022-0719 | Microweber | Cross-site Scripting vulnerability in Microweber Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3. | 5.4 |
2022-02-21 | CVE-2021-25057 | Translationexchange | Unspecified vulnerability in Translationexchange Translation Exchange The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Project Key text field found in the plugin's settings. | 5.4 |
2022-02-21 | CVE-2021-25058 | THE Buffer Button Project | Unspecified vulnerability in the Buffer Button Project the Buffer Button The Buffer Button WordPress plugin through 1.0 was vulnerable to Authenticated Stored Cross Site Scripting (XSS) within the Twitter username to mention text field. | 5.4 |
2022-02-21 | CVE-2021-25060 | Fivestarplugins | Unspecified vulnerability in Fivestarplugins Five Star Business Profile and Schema The Five Star Business Profile and Schema WordPress plugin before 2.1.7 does not have any authorisation and CSRF in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX action, allowing any authenticated users, such as subscribers, to call them. | 5.4 |
2022-02-21 | CVE-2022-0186 | Machothemes | Unspecified vulnerability in Machothemes Image Photo Gallery Final Tiles Grid The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks against other users having access to the gallery dashboard | 5.4 |
2022-02-25 | CVE-2022-24329 | Jetbrains Oracle | Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. | 5.3 |
2022-02-25 | CVE-2022-24332 | Jetbrains | Insufficient Session Expiration vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie. | 5.3 |
2022-02-25 | CVE-2022-24334 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server. | 5.3 |
2022-02-25 | CVE-2022-24336 | Jetbrains | Unspecified vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server. | 5.3 |
2022-02-25 | CVE-2022-24594 | Waline | Missing Authorization vulnerability in Waline 1.6.1 In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. | 5.3 |
2022-02-24 | CVE-2022-23701 | HPE | Injection vulnerability in HPE Integrated Lights-Out A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. | 5.3 |
2022-02-24 | CVE-2020-10632 | Emerson | Unspecified vulnerability in Emerson Openenterprise Scada Server 2.8.3/3.1/3.3.3 Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner. | 5.3 |
2022-02-24 | CVE-2020-14504 | Rockwellautomation | Improper Authentication vulnerability in Rockwellautomation products The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. | 5.3 |
2022-02-24 | CVE-2021-44532 | Nodejs Oracle Debian | Improper Certificate Validation vulnerability in multiple products Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. | 5.3 |
2022-02-24 | CVE-2021-44533 | Nodejs Oracle Debian | Improper Certificate Validation vulnerability in multiple products Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. | 5.3 |
2022-02-24 | CVE-2022-24633 | Filecloud | Information Exposure vulnerability in Filecloud All versions of FileCloud prior to 21.3 are vulnerable to user enumeration. | 5.3 |
2022-02-24 | CVE-2022-25355 | EC Cube | Improper Control of Dynamically-Managed Code Resources vulnerability in Ec-Cube EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users. | 5.3 |
2022-02-24 | CVE-2022-23655 | Octobercms | Unspecified vulnerability in Octobercms October Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. | 5.3 |
2022-02-21 | CVE-2022-0564 | Qlik | Information Exposure Through Discrepancy vulnerability in Qlik Sense A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts. | 5.3 |
2022-02-27 | CVE-2022-0772 | Librenms | Cross-site Scripting vulnerability in Librenms Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.2.2. | 4.8 |
2022-02-26 | CVE-2022-0763 | Microweber | Cross-site Scripting vulnerability in Microweber Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3. | 4.8 |
2022-02-24 | CVE-2021-43724 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion CMS A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS through 4.2.1 in the Create Page functionality of the admin Account via a SGV file. | 4.8 |
2022-02-24 | CVE-2021-43943 | Atlassian | Cross-site Scripting vulnerability in Atlassian Jira Service Management Affected versions of Atlassian Jira Service Management Server and Data Center allow attackers with administrator privileges to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the "Object Schema" field of /secure/admin/InsightDefaultCustomFieldConfig.jspa. | 4.8 |
2022-02-21 | CVE-2021-25101 | Anti Malware Security AND Brute Force Firewall Project | Unspecified vulnerability in Anti-Malware Security and Brute-Force Firewall Project Anti-Malware Security and Brute-Force Firewall The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. | 4.8 |
2022-02-21 | CVE-2022-0211 | Getshieldsecurity | Unspecified vulnerability in Getshieldsecurity Shield Security The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | 4.8 |
2022-02-23 | CVE-2022-23651 | Backblaze | Unspecified vulnerability in Backblaze B2 Python Software Development KIT b2-sdk-python is a python library to access cloud storage provided by backblaze. | 4.7 |
2022-02-23 | CVE-2022-23653 | Backblaze | Unspecified vulnerability in Backblaze B2 Command Line Tool B2 Command Line Tool is the official command line tool for the backblaze cloud storage service. | 4.7 |
2022-02-26 | CVE-2020-27958 | OSU | Improper Encoding or Escaping of Output vulnerability in OSU Ohio Supercomputer Center Open Ondemand The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template. | 4.3 |
2022-02-26 | CVE-2022-0762 | Microweber | Unspecified vulnerability in Microweber Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3. | 4.3 |
2022-02-25 | CVE-2022-24343 | Jetbrains | Incorrect Default Permissions vulnerability in Jetbrains Youtrack In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions. | 4.3 |
2022-02-25 | CVE-2022-0746 | Dolibarr | Unspecified vulnerability in Dolibarr Erp/Crm Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0. | 4.3 |
2022-02-24 | CVE-2020-10635 | Kuka | Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Kuka SIM PRO 3.1 Simulation models for KUKA.Sim Pro version 3.1 are hosted by a server maintained by KUKA. | 4.3 |
2022-02-24 | CVE-2022-22349 | IBM | Path Traversal vulnerability in IBM Sterling External Authentication Server 3.4.3.2/6.0.2.0/6.0.3.0 IBM Sterling External Authentication Server 3.4.3.2, 6.0.2.0, and 6.0.3.0 is vulnerable to path traversals, due to not properly validating RESTAPI configuration data. | 4.3 |
2022-02-24 | CVE-2022-21179 | EC Cube | Cross-Site Request Forgery (CSRF) vulnerability in Ec-Cube E-Mail Newsletter Management Cross-site request forgery (CSRF) vulnerability in EC-CUBE plugin 'Mail Magazine Management Plugin' ver4.0.0 to 4.1.1 (for EC-CUBE 4 series) and ver1.0.0 to 1.0.4 (for EC-CUBE 3 series) allows a remote unauthenticated attacker to hijack the authentication of an administrator via a specially crafted page, and Mail Magazine Templates and/or transmitted history information may be deleted unintendedly. | 4.3 |
2022-02-23 | CVE-2022-20625 | Cisco | Unspecified vulnerability in Cisco Firepower Extensible Operating System A vulnerability in the Cisco Discovery Protocol service of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause the service to restart, resulting in a denial of service (DoS) condition. | 4.3 |
2022-02-21 | CVE-2021-44141 | Samba Redhat Fedoraproject | Link Following vulnerability in multiple products All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. | 4.3 |
2022-02-21 | CVE-2022-25599 | Spiffyplugins | Cross-Site Request Forgery (CSRF) vulnerability in Spiffyplugins Spiffy Calendar Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0). | 4.3 |
2022-02-21 | CVE-2022-0164 | Wpdevart | Missing Authorization vulnerability in Wpdevart Coming Soon and Maintenance Mode The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users | 4.3 |
2022-02-21 | CVE-2022-0199 | Wpdevart | Unspecified vulnerability in Wpdevart Coming Soon and Maintenance Mode The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack | 4.3 |
2022-02-21 | CVE-2022-0313 | WOW Estore | Unspecified vulnerability in Wow-Estore Float Menu The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack | 4.3 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-02-21 | CVE-2021-25075 | Wpdevart | Unspecified vulnerability in Wpdevart Duplicate Page or Post The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. | 3.5 |
2022-02-21 | CVE-2022-0279 | Bologer | Unspecified vulnerability in Bologer Anycomment The AnyComment WordPress plugin before 0.2.18 is affected by a race condition when liking/disliking a comment/reply, which could allow any authenticated user to quickly raise their rating or lower the rating of other users | 3.1 |