Weekly Vulnerabilities Reports > February 28 to March 6, 2022
Overview
334 new vulnerabilities were reported during this period, including 28 critical vulnerabilities and 66 high severity vulnerabilities. This weekly summary reports vulnerabilities in 510 products from 196 vendors including Fedoraproject, Redhat, Debian, Netapp, and Linux. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Path Traversal", and "Cross-Site Request Forgery (CSRF)".
- 277 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 148 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 219 reported vulnerabilities are exploitable by an anonymous user.
- Fedoraproject has the most reported vulnerabilities, with 21.
- Fedoraproject has the most reported critical vulnerabilities, with 4.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
28 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-04 | CVE-2022-0848 | Part DB Project | OS Command Injection vulnerability in Part-Db Project Part-Db OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11. | 10.0 |
2022-03-03 | CVE-2022-22947 | Vmware Oracle | Expression Language Injection vulnerability in multiple products In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. | 10.0 |
2022-03-03 | CVE-2022-0841 | NPM Lockfile Project | OS Command Injection vulnerability in Npm-Lockfile Project Npm-Lockfile 2.0.3/2.0.4 OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4. | 10.0 |
2022-03-02 | CVE-2022-25394 | Medical Store Management System Project | SQL Injection vulnerability in Medical Store Management System Project Medical Store Management System 1.0 Medical Store Management System v1.0 was discovered to contain a SQL injection vulnerability via the cid parameter under customer-add.php. | 10.0 |
2022-03-01 | CVE-2021-4039 | Zyxel | OS Command Injection vulnerability in Zyxel Nwa1100-Nh Firmware A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device. | 10.0 |
2022-03-01 | CVE-2020-12775 | Moica | OS Command Injection vulnerability in Moica Hicos Hicos citizen certificate client-side component does not filter special characters for command parameters in specific web URLs. | 10.0 |
2022-03-06 | CVE-2021-46703 | Razorengine Project | Unspecified vulnerability in Razorengine Project Razorengine 3.10.0/4.5.1 In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). | 9.8 |
2022-03-06 | CVE-2022-26495 | Network Block Device Project Debian Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. | 9.8 |
2022-03-06 | CVE-2022-26496 | Network Block Device Project Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. | 9.8 |
2022-03-05 | CVE-2022-0845 | Lightningai | Code Injection vulnerability in Lightningai Pytorch Lightning Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. | 9.8 |
2022-03-04 | CVE-2022-26318 | Watchguard | Unspecified vulnerability in Watchguard Fireware On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. | 9.8 |
2022-03-04 | CVE-2022-0839 | Liquibase Oracle | XXE vulnerability in multiple products Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. | 9.8 |
2022-03-03 | CVE-2022-0730 | Cacti Debian Fedoraproject | Improper Authentication vulnerability in multiple products Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. | 9.8 |
2022-03-03 | CVE-2021-38578 | Tianocore Insyde | Out-of-bounds Write vulnerability in multiple products Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize. | 9.8 |
2022-03-03 | CVE-2021-3762 | Redhat | Path Traversal vulnerability in Redhat Clair and Quay A directory traversal vulnerability was found in the ClairCore engine of Clair. | 9.8 |
2022-03-03 | CVE-2022-24724 | Github Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. | 9.8 |
2022-03-02 | CVE-2022-23640 | Excel Streaming Reader Project | XML Entity Expansion vulnerability in Excel Streaming Reader Project Excel Streaming Reader Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. | 9.8 |
2022-03-02 | CVE-2022-24305 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Sharepoint Manager Plus Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation. | 9.8 |
2022-03-01 | CVE-2022-24720 | Image Processing Project Debian | image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. | 9.8 |
2022-02-28 | CVE-2022-24711 | Codeigniter | Improper Input Validation vulnerability in Codeigniter CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. | 9.8 |
2022-03-01 | CVE-2022-25010 | Stepmania | Incorrect Permission Assignment for Critical Resource vulnerability in Stepmania 5.0.12/5.1.0 The component /rootfs in RageFile of Stepmania v5.1b2 and below allows attackers access to the entire file system. | 9.1 |
2022-03-01 | CVE-2021-42767 | Neo4J | Path Traversal vulnerability in Neo4J Awesome Procedures 4.2.0.0/4.3.0.0/4.4.0.0 A directory traversal vulnerability in the apoc plugins in Neo4J Graph database before 4.4.0.1 allows attackers to read local files, and sometimes create local files. | 9.1 |
2022-03-04 | CVE-2021-44827 | TP Link | OS Command Injection vulnerability in Tp-Link Archer C20I Firmware There is remote authenticated OS command injection on TP-Link Archer C20i 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n devices via the X_TP_ExternalIPv6Address HTTP parameter, allowing a remote attacker to run arbitrary commands on the router with root privileges. | 9.0 |
2022-03-02 | CVE-2021-41000 | HPE | Command Injection vulnerability in HPE Arubaos-Cx Multiple authenticated remote code execution vulnerabilities were discovered in the AOS-CX command line interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.06.xxxx: 10.06.0170 and below, AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below. | 9.0 |
2022-03-02 | CVE-2021-41001 | HPE | Command Injection vulnerability in HPE Arubaos-Cx An authenticated remote code execution vulnerability was discovered in the AOS-CX Network Analytics Engine (NAE) in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below, AOS-CX 10.09.xxxx: 10.09.0002 and below. | 9.0 |
2022-03-01 | CVE-2021-41282 | Pfsense | Injection vulnerability in Pfsense 2.5.2 diag_routes.php in pfSense 2.5.2 allows sed data injection. | 9.0 |
2022-03-01 | CVE-2022-24255 | Extensis | Use of Hard-coded Credentials vulnerability in Extensis Portfolio 4.0 Extensis Portfolio v4.0 was discovered to contain hardcoded credentials which allows attackers to gain administrator privileges. | 9.0 |
2022-03-01 | CVE-2021-43075 | Fortinet | OS Command Injection vulnerability in Fortinet Fortiwlm An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests to the alarm dashboard and controller config handlers. | 9.0 |
66 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-04 | CVE-2021-3656 | Linux Fedoraproject Redhat | Missing Authorization vulnerability in multiple products A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. | 8.8 |
2022-03-02 | CVE-2021-3738 | Samba | Use After Free vulnerability in Samba In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. | 8.8 |
2022-03-02 | CVE-2022-0819 | Dolibarr | Unspecified vulnerability in Dolibarr Erp/Crm Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. | 8.8 |
2022-03-02 | CVE-2022-0824 | Webmin | Improper Access Control vulnerability in Webmin Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990. | 8.8 |
2022-03-01 | CVE-2022-22300 | Fortinet | Improper Handling of Exceptional Conditions vulnerability in Fortinet Fortianalyzer and Fortimanager An improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, FortiAnalyzer version 6.0.0 through 6.0.11, FortiAnalyzer version 6.2.0 through 6.2.9, FortiAnalyzer version 6.4.0 through 6.4.7, FortiAnalyzer version 7.0.0 through 7.0.2, FortiManager version 5.6.0 through 5.6.11, FortiManager version 6.0.0 through 6.0.11, FortiManager version 6.2.0 through 6.2.9, FortiManager version 6.4.0 through 6.4.7, FortiManager version 7.0.0 through 7.0.2 allows an attacker to bypass the device policy and force the password-change action for its user. | 8.8 |
2022-03-04 | CVE-2021-32008 | Secomea | Path Traversal vulnerability in Secomea Gatemanager This issue affects: Secomea GateManager Version 9.6.621421014 and all prior versions. | 8.5 |
2022-03-02 | CVE-2021-41002 | HPE | Path Traversal vulnerability in HPE Arubaos-Cx Multiple authenticated remote path traversal vulnerabilities were discovered in the AOS-CX command line interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.06.xxxx: 10.06.0170 and below, AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below, AOS-CX 10.09.xxxx: 10.09.0002 and below. | 8.5 |
2022-03-04 | CVE-2021-23214 | Postgresql Fedoraproject Redhat | SQL Injection vulnerability in multiple products When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. | 8.1 |
2022-03-06 | CVE-2022-26490 | Linux Fedoraproject Netapp Debian | Classic Buffer Overflow vulnerability in multiple products st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows because of untrusted length parameters. | 7.8 |
2022-03-04 | CVE-2021-3575 | Uclouvain Redhat Fedoraproject | Out-of-bounds Write vulnerability in multiple products A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. | 7.8 |
2022-03-04 | CVE-2022-25623 | Symantec | Unspecified vulnerability in Symantec Management Agent 8.5/8.6 The Symantec Management Agent is susceptible to a privilege escalation vulnerability. | 7.8 |
2022-03-03 | CVE-2021-26259 | Htmldoc Project | Out-of-bounds Write vulnerability in Htmldoc Project Htmldoc 1.9.12 A flaw was found in htmldoc in v1.9.12. | 7.8 |
2022-03-03 | CVE-2021-26948 | Htmldoc Project | NULL Pointer Dereference vulnerability in Htmldoc Project Htmldoc 1.9.11 Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file. | 7.8 |
2022-03-03 | CVE-2022-0492 | Linux Debian Redhat Canonical Fedoraproject Netapp | Missing Authorization vulnerability in multiple products A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. | 7.8 |
2022-03-03 | CVE-2022-26125 | Frrouting | Improper Validation of Specified Quantity in Input vulnerability in Frrouting Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c. | 7.8 |
2022-03-03 | CVE-2022-26126 | Frrouting Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c. | 7.8 |
2022-03-03 | CVE-2022-26127 | Frrouting | Improper Validation of Specified Quantity in Input vulnerability in Frrouting A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c. | 7.8 |
2022-03-03 | CVE-2022-26128 | Frrouting | Improper Validation of Specified Quantity in Input vulnerability in Frrouting A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a wrong check on the input packet length in the babel_packet_examin function in babeld/message.c. | 7.8 |
2022-03-03 | CVE-2022-26129 | Frrouting | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Frrouting Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c. | 7.8 |
2022-03-03 | CVE-2022-22706 | ARM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in ARM Bifrost, Midgard and Valhall Arm Mali GPU Kernel Driver allows a non-privileged user to achieve write access to read-only memory pages. | 7.8 |
2022-03-02 | CVE-2021-23180 | Htmldoc Project | NULL Pointer Dereference vulnerability in Htmldoc Project Htmldoc A flaw was found in htmldoc in v1.9.12 and before. | 7.8 |
2022-03-02 | CVE-2021-3715 | Linux | Use After Free vulnerability in Linux Kernel A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. | 7.8 |
2022-02-28 | CVE-2020-22845 | Mikrotik | Classic Buffer Overflow vulnerability in Mikrotik Routeros 6.47 A buffer overflow in Mikrotik RouterOS 6.47 allows unauthenticated attackers to cause a denial of service (DoS) via crafted FTP requests. | 7.8 |
2022-03-04 | CVE-2021-40846 | Tradingpaints | Cleartext Transmission of Sensitive Information vulnerability in Tradingpaints Trading Paints 2.0.36/2.0.37 An issue was discovered in Rhinode Trading Paints through 2.0.36. | 7.6 |
2022-03-06 | CVE-2021-46704 | Genieacs | OS Command Injection vulnerability in Genieacs In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). | 7.5 |
2022-03-05 | CVE-2022-24921 | Golang Netapp Debian | Uncontrolled Recursion vulnerability in multiple products regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. | 7.5 |
2022-03-04 | CVE-2021-46384 | Mingsoft | Missing Authentication for Critical Function vulnerability in Mingsoft Mcms https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: RCE. | 7.5 |
2022-03-04 | CVE-2021-3737 | Python Redhat Fedoraproject Canonical Netapp Oracle | Infinite Loop vulnerability in multiple products A flaw was found in python. | 7.5 |
2022-03-04 | CVE-2021-46394 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10 There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. | 7.5 |
2022-03-04 | CVE-2022-26201 | Victor CMS Project | SQL Injection vulnerability in Victor CMS Project Victor CMS 1.0 Victor CMS v1.0 was discovered to contain a SQL injection vulnerability. | 7.5 |
2022-03-04 | CVE-2021-46393 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10 There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. | 7.5 |
2022-03-03 | CVE-2022-0265 | Hazelcast | XXE vulnerability in Hazelcast 5.1 Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. | 7.5 |
2022-03-03 | CVE-2022-21716 | Twistedmatrix Debian Oracle Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Twisted is an event-based framework for internet applications, supporting Python 3.6+. | 7.5 |
2022-03-03 | CVE-2022-23898 | Mingsoft | SQL Injection vulnerability in Mingsoft Mcms 5.2.5 MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. | 7.5 |
2022-03-03 | CVE-2022-23899 | Mingsoft | SQL Injection vulnerability in Mingsoft Mcms 5.2.5 MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java. | 7.5 |
2022-03-03 | CVE-2022-25125 | Mingsoft | SQL Injection vulnerability in Mingsoft Mcms 5.2.4 MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp. | 7.5 |
2022-03-03 | CVE-2022-23648 | Linuxfoundation Debian Fedoraproject | containerd is a container runtime available as a daemon for Linux and Windows. | 7.5 |
2022-03-03 | CVE-2022-0528 | Transloadit | Server-Side Request Forgery (SSRF) vulnerability in Transloadit Uppy Server-Side Request Forgery (SSRF) in GitHub repository transloadit/uppy prior to 3.3.1. | 7.5 |
2022-03-03 | CVE-2022-25089 | Kofax | Improper Privilege Management vulnerability in Kofax Printix 1.3.1106.0 Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData. | 7.5 |
2022-03-02 | CVE-2021-23192 | Samba | Unspecified vulnerability in Samba A flaw was found in the way samba implemented DCE/RPC. | 7.5 |
2022-03-02 | CVE-2022-25396 | Cosmetics AND Beauty Product Online Store Project | SQL Injection vulnerability in Cosmetics and Beauty Product Online Store Project Cosmetics and Beauty Product Online Store 1.0 Cosmetics and Beauty Product Online Store v1.0 was discovered to contain a SQL injection vulnerability via the search parameter. | 7.5 |
2022-03-02 | CVE-2022-25398 | Auto Spare Parts Management Project | SQL Injection vulnerability in Auto Spare Parts Management Project Auto Spare Parts Management 1.0 Auto Spare Parts Management v1.0 was discovered to contain a SQL injection vulnerability via the user parameter. | 7.5 |
2022-03-02 | CVE-2022-25399 | Simple Real Estate Portal System Project | SQL Injection vulnerability in Simple Real Estate Portal System Project Simple Real Estate Portal System 1.0 Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter. | 7.5 |
2022-03-02 | CVE-2022-26169 | AIR Cargo Management System Project | SQL Injection vulnerability in AIR Cargo Management System Project AIR Cargo Management System 1.0 Air Cargo Management System v1.0 was discovered to contain a SQL injection vulnerability via the ref_code parameter. | 7.5 |
2022-03-02 | CVE-2022-26170 | Simple Mobile Comparison Website Project | SQL Injection vulnerability in Simple Mobile Comparison Website Project Simple Mobile Comparison Website 1.0 Simple Mobile Comparison Website v1.0 was discovered to contain a SQL injection vulnerability via the search parameter. | 7.5 |
2022-03-02 | CVE-2022-26171 | Bank Management System Project | SQL Injection vulnerability in Bank Management System Project Bank Management System 1.0 Bank Management System v1.0 was discovered to contain a SQL injection vulnerability via the email parameter. | 7.5 |
2022-03-02 | CVE-2022-0711 | Haproxy Redhat Debian | Infinite Loop vulnerability in multiple products A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. | 7.5 |
2022-03-02 | CVE-2022-25045 | Home Owners Collection Management System Project | Use of Hard-coded Credentials vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0 Home Owners Collection Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel. | 7.5 |
2022-03-02 | CVE-2022-23878 | Seacms | Unspecified vulnerability in Seacms 11.5 seacms V11.5 is affected by an arbitrary code execution vulnerability in admin_config.php. | 7.5 |
2022-03-02 | CVE-2022-25016 | Home Owners Collection Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0 Home Owners Collection Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /student_attendance/index.php. | 7.5 |
2022-03-02 | CVE-2022-24306 | Zohocorp | Incorrect Authorization vulnerability in Zohocorp Manageengine Sharepoint Manager Plus Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. | 7.5 |
2022-03-01 | CVE-2021-32586 | Fortinet | Improper Input Validation vulnerability in Fortinet Fortimail An improper input validation vulnerability in the web server CGI facilities of FortiMail before 7.0.1 may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests. | 7.5 |
2022-03-01 | CVE-2021-41193 | Wire | Use of Externally-Controlled Format String vulnerability in Wire Wire-Audio Video Signaling wire-avs is the audio visual signaling (AVS) component of Wire, an open-source messenger. | 7.5 |
2022-03-01 | CVE-2021-36166 | Fortinet | Use of Insufficiently Random Values vulnerability in Fortinet Fortimail An improper authentication vulnerability in FortiMail before 7.0.1 may allow a remote attacker to efficiently guess one administrative account's authentication token by means of the observation of certain system's properties. | 7.5 |
2022-02-28 | CVE-2022-25411 | MAX 3000 | Unrestricted Upload of File with Dangerous Type vulnerability in Max-3000 Maxsite CMS 108 A Remote Code Execution (RCE) vulnerability at /admin/options in Maxsite CMS v180 allows attackers to execute arbitrary code via a crafted PHP file. | 7.5 |
2022-02-28 | CVE-2021-45414 | Datarobot | Unspecified vulnerability in Datarobot A Remote Code Execution (RCE) vulnerability exists in DataRobot through 2021-10-28 because it allows submission of a Docker environment or Java driver. | 7.5 |
2022-02-28 | CVE-2021-43086 | ARM | Out-of-bounds Write vulnerability in ARM Adaptive Scalable Texture Compression Encoder 3.2.0 ARM astcenc 3.2.0 is vulnerable to Buffer Overflow. | 7.5 |
2022-02-28 | CVE-2022-24571 | CAR Driving School Management System Project | SQL Injection vulnerability in CAR Driving School Management System Project CAR Driving School Management System 1.0 Car Driving School Management System v1.0 is affected by SQL injection in the login page. | 7.5 |
2022-02-28 | CVE-2022-0412 | Templateinvaders | SQL Injection vulnerability in Templateinvaders TI Woocommerce Wishlist The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks. | 7.5 |
2022-03-06 | CVE-2022-26505 | Readymedia Project Debian | Authentication Bypass by Spoofing vulnerability in multiple products A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. | 7.4 |
2022-03-03 | CVE-2022-22943 | Vmware | Uncontrolled Search Path Element vulnerability in VMWare Tools VMware Tools for Windows (11.x.y and 10.x.y prior to 12.0.0) contains an uncontrolled search path vulnerability. | 7.2 |
2022-03-03 | CVE-2021-45819 | Wordline | Unquoted Search Path or Element vulnerability in Wordline Hidccemonitorsvc Wordline HIDCCEMonitorSVC before v5.2.4.3 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 7.2 |
2022-03-04 | CVE-2022-25106 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-859 A3 Firmware and Dir-859 Firmware D-Link DIR-859 v1.05 was discovered to contain a stack-based buffer overflow via the function genacgi_main. | 7.1 |
2022-03-04 | CVE-2021-3743 | Linux Fedoraproject Netapp Oracle | Out-of-bounds Read vulnerability in multiple products An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. | 7.1 |
2022-03-03 | CVE-2021-3640 | Linux Debian Fedoraproject Canonical Netapp | Race Condition vulnerability in multiple products A use-after-free flaw in the function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way a user calls ioctl UFFDIO_REGISTER, or otherwise triggers a race condition between the call sco_conn_del() and the call sco_sock_sendmsg(), with the expected controllable faulting memory page. | 7.0 |
2022-03-03 | CVE-2021-3609 | Linux Redhat Netapp | Race Condition vulnerability in multiple products A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. | 7.0 |
189 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-04 | CVE-2022-23729 | Google | Improper Authentication vulnerability in Google Android When the device is in factory state, the shell can be accessed without the adb authentication process. | 6.9 |
2022-03-03 | CVE-2022-25031 | Rdpsoft | Unquoted Search Path or Element vulnerability in Rdpsoft Remote Desktop Commander Suite Agent Remote Desktop Commander Suite Agent before v4.8 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 6.9 |
2022-03-05 | CVE-2022-25044 | Espruino | Out-of-bounds Write vulnerability in Espruino 2.11.251 Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString. | 6.8 |
2022-03-05 | CVE-2022-25465 | Espruino | Out-of-bounds Write vulnerability in Espruino 2.11 Espruino 2v11 release was discovered to contain a stack buffer overflow via src/jsvar.c in jsvGetNextSibling. | 6.8 |
2022-03-05 | CVE-2022-25069 | Marktext | Cross-site Scripting vulnerability in Marktext 0.16.3 Mark Text v0.16.3 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability which allows attackers to perform remote code execution (RCE) via injecting a crafted payload into /lib/contentState/pasteCtrl.js. | 6.8 |
2022-03-04 | CVE-2022-26484 | Veritas | Path Traversal vulnerability in Veritas Infoscale Operations Manager An issue was discovered in Veritas InfoScale Operations Manager (VIOM) before 7.4.2 Patch 600 and 8.x before 8.0.0 Patch 100. | 6.8 |
2022-03-04 | CVE-2021-20319 | Redhat | Improper Verification of Cryptographic Signature vulnerability in Redhat Coreos-Installer An improper signature verification vulnerability was found in coreos-installer. | 6.8 |
2022-03-04 | CVE-2020-18326 | Intelliants | Cross-Site Request Forgery (CSRF) vulnerability in Intelliants Subrion CMS 4.2.1 Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victim and successfully create an arbitrary administrator user. | 6.8 |
2022-03-03 | CVE-2021-44335 | OK File Formats Project | Out-of-bounds Write vulnerability in Ok-File-Formats Project Ok-File-Formats 20210605 David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. | 6.8 |
2022-03-03 | CVE-2021-44343 | OK File Formats Project | Classic Buffer Overflow vulnerability in Ok-File-Formats Project Ok-File-Formats 20210605 David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. | 6.8 |
2022-03-02 | CVE-2021-23191 | Htmldoc Project | NULL Pointer Dereference vulnerability in Htmldoc Project Htmldoc A security issue was found in htmldoc v1.9.12 and before. | 6.8 |
2022-03-02 | CVE-2021-23206 | Htmldoc Project | Out-of-bounds Write vulnerability in Htmldoc Project Htmldoc A flaw was found in htmldoc in v1.9.12 and prior. | 6.8 |
2022-03-02 | CVE-2022-25115 | Home Owners Collection Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0 A remote code execution (RCE) vulnerability in the Avatar parameter under /admin/?page=user/manage_user of Home Owners Collection Management System v1.0 allows attackers to execute arbitrary code via a crafted PNG file. | 6.8 |
2022-03-02 | CVE-2022-0675 | Puppet | Improper Input Validation vulnerability in Puppet Firewall In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. | 6.8 |
2022-03-01 | CVE-2021-36171 | Fortinet | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Fortinet Fortiportal The use of a cryptographically weak pseudo-random number generator in the password reset feature of FortiPortal before 6.0.6 may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame. | 6.8 |
2022-02-28 | CVE-2022-25023 | Audio File Project | Out-of-bounds Write vulnerability in Audio File Project Audio File 1.1.0 Audio File commit 004065d was discovered to contain a heap-buffer overflow in the function fouBytesToInt():AudioFile.h. | 6.8 |
2022-02-28 | CVE-2022-26181 | Dropbox | Out-of-bounds Write vulnerability in Dropbox Lepton 1.2.1 Dropbox Lepton v1.2.1-185-g2a08b77 was discovered to contain a heap-buffer-overflow in the function aligned_dealloc():src/lepton/bitops.cc:108. | 6.8 |
2022-02-28 | CVE-2021-44331 | ARM | Out-of-bounds Write vulnerability in ARM Adaptive Scalable Texture Compression Encoder 3.2.0 ARM astcenc 3.2.0 is vulnerable to Buffer Overflow in function encode_ise(). | 6.8 |
2022-02-28 | CVE-2021-44342 | OK File Formats Project | Out-of-bounds Write vulnerability in Ok-File-Formats Project Ok-File-Formats 20210605 David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow via function ok_png_transform_scanline() in "/ok_png.c:494". | 6.8 |
2022-02-28 | CVE-2021-44339 | OK File Formats Project | Out-of-bounds Write vulnerability in Ok-File-Formats Project Ok-File-Formats 20210605 David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. | 6.8 |
2022-02-28 | CVE-2021-44340 | OK File Formats Project | Out-of-bounds Write vulnerability in Ok-File-Formats Project Ok-File-Formats David Brackeen ok-file-formats dev version is vulnerable to Buffer Overflow. | 6.8 |
2022-02-28 | CVE-2022-24712 | Codeigniter | Cross-Site Request Forgery (CSRF) vulnerability in Codeigniter CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. | 6.8 |
2022-02-28 | CVE-2021-44334 | OK File Formats Project | Out-of-bounds Write vulnerability in Ok-File-Formats Project Ok-File-Formats 20210306 David Brackeen ok-file-formats 97f78ca is vulnerable to Buffer Overflow. | 6.8 |
2022-02-28 | CVE-2021-24704 | Orange Form Project | SQL Injection vulnerability in Orange-Form Project Orange-Form In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). | 6.8 |
2022-02-28 | CVE-2021-24803 | Core Tweaks WP Setup Project | Cross-Site Request Forgery (CSRF) vulnerability in Core Tweaks WP Setup Project Core Tweaks WP Setup The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. | 6.8 |
2022-02-28 | CVE-2021-25010 | Postsnippets | Cross-Site Request Forgery (CSRF) vulnerability in Postsnippets Post Snippets The Post Snippets WordPress plugin before 3.1.4 does not have a CSRF check when importing files, allowing an attacker to make a logged-in admin import arbitrary snippets. | 6.8 |
2022-03-03 | CVE-2022-23849 | Devolutions | Unspecified vulnerability in Devolutions Password HUB 2021.3.3 The biometric lock in Devolutions Password Hub for iOS before 2021.3.4 allows attackers to access the application because of authentication bypass. | 6.6 |
2022-03-04 | CVE-2022-23915 | Weblate | Argument Injection or Modification vulnerability in Weblate The package weblate from 0 and before 4.11.1 is vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. | 6.5 |
2022-03-04 | CVE-2022-21828 | Ivanti | Unspecified vulnerability in Ivanti Incapptic Connect A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using an unspecified attack vector in Incapptic Connect version 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and 1.35.3. | 6.5 |
2022-03-03 | CVE-2021-3638 | Qemu Fedoraproject | Out-of-bounds Write vulnerability in multiple products An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. | 6.5 |
2022-03-03 | CVE-2021-42950 | Zepl | Unspecified vulnerability in Zepl Remote Code Execution (RCE) vulnerability exists in Zepl Notebooks all previous versions before October 25 2021. | 6.5 |
2022-03-03 | CVE-2022-22909 | Digitaldruid | Code Injection vulnerability in Digitaldruid Hoteldruid 3.0.3 HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module. | 6.5 |
2022-03-02 | CVE-2021-3667 | Redhat Netapp | Improper Locking vulnerability in multiple products An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. | 6.5 |
2022-03-02 | CVE-2021-3677 | Postgresql Redhat Fedoraproject | Information Exposure vulnerability in multiple products A flaw was found in postgresql. | 6.5 |
2022-03-02 | CVE-2021-3772 | Linux Redhat Debian Oracle Netapp | Improper Validation of Integrity Check Value vulnerability in multiple products A flaw was found in the Linux SCTP stack. | 6.5 |
2022-03-02 | CVE-2021-38268 | Liferay | Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site member role to add and duplicate forms, via the UI or the API. | 6.5 |
2022-03-02 | CVE-2022-24447 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine KEY Manager Plus 5.6/6.0/6.1 An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. | 6.5 |
2022-03-01 | CVE-2022-24251 | Extensis | Unrestricted Upload of File with Dangerous Type vulnerability in Extensis Portfolio 4.0 Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the Catalog Asset Upload function. | 6.5 |
2022-03-01 | CVE-2022-24252 | Extensis | Unrestricted Upload of File with Dangerous Type vulnerability in Extensis Portfolio 4.0 An unrestricted file upload vulnerability in the FileTransferServlet component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted file. | 6.5 |
2022-03-01 | CVE-2022-24253 | Extensis | Unrestricted Upload of File with Dangerous Type vulnerability in Extensis Portfolio 4.0 Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the component AdminFileTransferServlet. | 6.5 |
2022-03-01 | CVE-2022-24254 | Extensis | Unrestricted Upload of File with Dangerous Type vulnerability in Extensis Portfolio 4.0 An unrestricted file upload vulnerability in the Backup/Restore Archive component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted ZIP file. | 6.5 |
2022-03-01 | CVE-2021-43077 | Fortinet | SQL Injection vulnerability in Fortinet Fortiwlm An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests to the AP monitor handlers. | 6.5 |
2022-03-01 | CVE-2021-44238 | Ayacms Project | Code Injection vulnerability in Ayacms Project Ayacms 3.1.2 AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE) via /aya/module/admin/ust_tab_e.inc.php. | 6.5 |
2022-03-01 | CVE-2022-23380 | Taogogo | SQL Injection vulnerability in Taogogo Taocms 3.0.2 There is a SQL injection vulnerability in the background of taocms 3.0.2 in parameter id:action=admin&id=2&ctrl=edit. | 6.5 |
2022-03-01 | CVE-2021-35036 | Zyxel | Cleartext Storage of Sensitive Information vulnerability in Zyxel products A cleartext storage of information vulnerability in the Zyxel VMG3625-T50B firmware version V5.50(ABTL.0)b2k could allow an authenticated attacker to obtain sensitive information from the configuration file. | 6.5 |
2022-03-01 | CVE-2021-42951 | Algorithmia | Unspecified vulnerability in Algorithmia Msol A Remote Code Execution (RCE) vulnerability exists in Algorithmia MSOL all versions before October 10 2021 of SaaS. | 6.5 |
2022-03-01 | CVE-2022-25018 | Pluxml | Code Injection vulnerability in Pluxml 5.8.7 Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages. | 6.5 |
2022-02-28 | CVE-2022-23906 | Cmsmadesimple | Unrestricted Upload of File with Dangerous Type vulnerability in Cmsmadesimple CMS Made Simple 2.2.15 CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. | 6.5 |
2022-02-28 | CVE-2021-24864 | Wpscan | SQL Injection vulnerability in Wpscan WP Cloudy The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue. | 6.5 |
2022-02-28 | CVE-2022-0383 | Ljapps | SQL Injection vulnerability in Ljapps WP Review Slider The WP Review Slider WordPress plugin before 11.0 does not sanitise and escape the pid parameter when copying a Twitter source, which could allow high privilege users to perform SQL Injection attacks. | 6.5 |
2022-02-28 | CVE-2022-0411 | Asgaros | SQL Injection vulnerability in Asgaros Forum The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection. | 6.5 |
2022-02-28 | CVE-2022-23911 | Accesspressthemes | SQL Injection vulnerability in Accesspressthemes AP Custom Testimonial The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection. | 6.5 |
2022-03-05 | CVE-2022-25312 | Apache | XXE vulnerability in Apache Any23 An XML external entity (XXE) injection vulnerability was discovered in the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23 versions < 2.7. | 6.4 |
2022-02-28 | CVE-2022-0768 | Alltubedownload | Server-Side Request Forgery (SSRF) vulnerability in Alltubedownload Alltube Server-Side Request Forgery (SSRF) in GitHub repository rudloff/alltube prior to 3.0.2. | 6.4 |
2022-03-02 | CVE-2021-3631 | Redhat Netapp | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. | 6.3 |
2022-03-04 | CVE-2021-20303 | Openexr Debian | Integer Overflow or Wraparound vulnerability in multiple products A flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp. | 6.1 |
2022-03-04 | CVE-2022-23397 | Cedargate | Cross-site Scripting vulnerability in Cedargate Ez-Net Portal The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. | 6.1 |
2022-03-02 | CVE-2021-3623 | Libtpms Project Redhat Fedoraproject | Out-of-bounds Write vulnerability in multiple products A flaw was found in libtpms. | 6.1 |
2022-03-02 | CVE-2021-3654 | Openstack Redhat | Open Redirect vulnerability in multiple products A vulnerability was found in openstack-nova's console proxy, noVNC. | 6.1 |
2022-03-01 | CVE-2022-24719 | Fluture Node Project | Improper Cross-boundary Removal of Sensitive Data vulnerability in Fluture-Node Project Fluture-Node 4.0.0/4.0.1 Fluture-Node is a set of FP-style HTTP and streaming utils for Node based on Fluture. | 6.1 |
2022-02-28 | CVE-2021-24977 | USE ANY Font Project | Missing Authorization vulnerability in USE ANY Font Project USE ANY Font The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to send arbitrary CSS which will then be processed by the frontend for all users. | 6.1 |
2022-03-02 | CVE-2021-23222 | Postgresql | Insufficiently Protected Credentials vulnerability in Postgresql A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. | 5.9 |
2022-03-06 | CVE-2022-0697 | Archivy Project | Open Redirect vulnerability in Archivy Project Archivy Open Redirect in GitHub repository archivy/archivy prior to 1.7.0. | 5.8 |
2022-03-06 | CVE-2022-0868 | URI JS Project | Open Redirect vulnerability in Uri.Js Project Uri.Js Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10. | 5.8 |
2022-03-06 | CVE-2022-0869 | Spirit Project | Open Redirect vulnerability in Spirit-Project Spirit Multiple Open Redirect in GitHub repository nitely/spirit prior to 0.12.3. | 5.8 |
2022-03-04 | CVE-2022-0855 | Microweber | Use of Incorrectly-Resolved Name or Reference vulnerability in Microweber Whmcs Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4. | 5.8 |
2022-03-04 | CVE-2021-46379 | Dlink | Open Redirect vulnerability in Dlink Dir-850L Firmware 1.08Trb03 DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through URL redirection to untrusted site. | 5.8 |
2022-02-28 | CVE-2022-26156 | Cherwell | Open Redirect vulnerability in Cherwell Service Management 10.2.3 An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. | 5.8 |
2022-02-28 | CVE-2022-26158 | Cherwell | Open Redirect vulnerability in Cherwell Service Management 10.2.3 An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. | 5.8 |
2022-02-28 | CVE-2021-25011 | Wpgooglemap | Cross-Site Request Forgery (CSRF) vulnerability in Wpgooglemap WP Google MAP The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings. | 5.7 |
2022-03-04 | CVE-2021-20300 | Openexr Debian | Integer Overflow or Wraparound vulnerability in multiple products A flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp. | 5.5 |
2022-03-04 | CVE-2021-20302 | Openexr Debian | A flaw was found in OpenEXR's TiledInputFile functionality. | 5.5 |
2022-03-04 | CVE-2021-3744 | Linux Fedoraproject Debian Redhat Oracle | Memory Leak vulnerability in multiple products A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). | 5.5 |
2022-03-04 | CVE-2022-22946 | Vmware Oracle | Improper Certificate Validation vulnerability in multiple products In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. | 5.5 |
2022-03-04 | CVE-2022-26336 | Apache Netapp | Allocation of Resources Without Limits or Throttling vulnerability in multiple products A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. | 5.5 |
2022-03-03 | CVE-2022-24725 | Shescape Project | OS Command Injection vulnerability in Shescape Project Shescape 1.4.0/1.5.0 Shescape is a shell escape package for JavaScript. | 5.5 |
2022-03-03 | CVE-2021-3602 | Buildah Project Redhat | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products An information disclosure flaw was found in Buildah, when building containers using chroot isolation. | 5.5 |
2022-03-03 | CVE-2021-3620 | Redhat | Information Exposure Through an Error Message vulnerability in Redhat products A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. | 5.5 |
2022-03-03 | CVE-2022-25471 | Open EMR | Authorization Bypass Through User-Controlled Key vulnerability in Open-Emr Openemr 6.0.0 An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register. | 5.5 |
2022-03-02 | CVE-2021-45074 | Jfrog | Unspecified vulnerability in Jfrog Artifactory JFrog Artifactory before 7.29.3 and 6.23.38, is vulnerable to Broken Access Control, a low-privileged user is able to delete other known users OAuth token, which will force a reauthentication on an active session or in the next UI session. | 5.5 |
2022-03-02 | CVE-2022-0829 | Webmin | Improper Authorization vulnerability in Webmin Improper Authorization in GitHub repository webmin/webmin prior to 1.990. | 5.5 |
2022-03-01 | CVE-2021-38986 | IBM | Insufficient Session Expiration vulnerability in IBM MQ 9.2.0/9.2.0.0/9.2.1.0 IBM MQ Appliance 9.2 CD and 9.2 LTS does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | 5.5 |
2022-03-01 | CVE-2022-22321 | IBM | Inadequate Encryption Strength vulnerability in IBM MQ 9.2.0/9.2.0.0/9.2.1.0 IBM MQ Appliance 9.2 CD and 9.2 LTS local messaging users stored with a password hash that provides insufficient protection. | 5.5 |
2022-02-28 | CVE-2022-25412 | MAX 3000 | Path Traversal vulnerability in Max-3000 Maxsite CMS 108 Maxsite CMS v180 was discovered to contain multiple arbitrary file deletion vulnerabilities in /admin_page/all-files-update-ajax.php via the dir and deletefile parameters. | 5.5 |
2022-02-28 | CVE-2021-41111 | Pagerduty | Authorization Bypass Through User-Controlled Key vulnerability in Pagerduty Rundeck Rundeck is an open source automation service with a web console, command line tools and a WebAPI. | 5.5 |
2022-02-28 | CVE-2021-41112 | Pagerduty | Missing Authorization vulnerability in Pagerduty Rundeck Rundeck is an open source automation service with a web console, command line tools and a WebAPI. | 5.5 |
2022-03-03 | CVE-2022-24723 | URI JS Project | Unspecified vulnerability in Uri.Js Project Uri.Js URI.js is a Javascript URL mutation library. | 5.3 |
2022-03-03 | CVE-2022-25146 | Liferay | Origin Validation Error vulnerability in Liferay Digital Experience Platform and Liferay Portal The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message. | 5.3 |
2022-02-28 | CVE-2022-26157 | Cherwell | Missing Encryption of Sensitive Data vulnerability in Cherwell Service Management 10.2.3 An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. | 5.3 |
2022-02-28 | CVE-2021-25118 | Yoast | Information Exposure vulnerability in Yoast SEO The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities. | 5.3 |
2022-02-28 | CVE-2022-26159 | Ametys | Forced Browsing vulnerability in Ametys 4.0.3 The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/<domain>/en.xml (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. | 5.3 |
2022-03-04 | CVE-2021-46353 | Dlink | Information Exposure Through an Error Message vulnerability in Dlink Dir-X1860 Firmware An information disclosure in web interface in D-Link DIR-X1860 before 1.03 RevA1 allows a remote unauthenticated attacker to send a specially crafted HTTP request and gain knowledge of different absolute paths that are being used by the web application. | 5.0 |
2022-03-04 | CVE-2021-27757 | Hcltech | Cleartext Storage of Sensitive Information vulnerability in Hcltech Bigfix Insights 10.0 Insecure password storage issue. The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Since the information is stored in cleartext, attackers could potentially read it and gain access to sensitive information. | 5.0 |
2022-03-04 | CVE-2022-23233 | Netapp | Unspecified vulnerability in Netapp Storagegrid StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service. | 5.0 |
2022-03-04 | CVE-2021-46381 | Dlink | Path Traversal vulnerability in Dlink Dap-1620 Firmware Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow]. | 5.0 |
2022-03-04 | CVE-2021-46378 | Dlink | Unspecified vulnerability in Dlink Dir-850L Firmware 1.08Trb03 DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through an unauthenticated remote configuration download. | 5.0 |
2022-03-04 | CVE-2022-23327 | Ethereum | Unspecified vulnerability in Ethereum GO Ethereum A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of the pending transactions in a victim node's memory pool, causing a denial of service (DoS). | 5.0 |
2022-03-04 | CVE-2022-23328 | Ethereum | Resource Exhaustion vulnerability in Ethereum GO Ethereum A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of the pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS). | 5.0 |
2022-03-03 | CVE-2022-22700 | Cyberark | Use of Insufficiently Random Values vulnerability in Cyberark Identity CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. | 5.0 |
2022-03-03 | CVE-2021-40635 | Os4Ed | SQL Injection vulnerability in Os4Ed Opensis 8.0 OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. | 5.0 |
2022-03-03 | CVE-2021-40636 | Os4Ed | SQL Injection vulnerability in Os4Ed Opensis 8.0 OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database. | 5.0 |
2022-03-02 | CVE-2021-38266 | Liferay | Unspecified vulnerability in Liferay Portal The Portal Security module in Liferay Portal 7.2.1 and earlier, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17 and 7.2 before fix pack 5 does not correctly import users from LDAP, which allows remote attackers to prevent a legitimate user from authenticating by attempting to sign in as a user that exists in LDAP. | 5.0 |
2022-03-02 | CVE-2021-4076 | Tang Project | Unspecified vulnerability in Tang Project Tang A flaw exists in tang, a network-based cryptographic binding server, which could result in leak of private keys. | 5.0 |
2022-03-02 | CVE-2022-25393 | Simple Bakery Shop Management Project | SQL Injection vulnerability in Simple Bakery Shop Management Project Simple Bakery Shop Management 1.0 Simple Bakery Shop Management v1.0 was discovered to contain a SQL injection vulnerability via the username parameter. | 5.0 |
2022-03-02 | CVE-2022-23779 | Zohocorp | Information Exposure vulnerability in Zohocorp Manageengine Desktop Central Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. | 5.0 |
2022-03-02 | CVE-2022-25634 | QT | Path Traversal vulnerability in QT Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. | 5.0 |
2022-03-01 | CVE-2021-41652 | Batflat | Incorrect Default Permissions vulnerability in Batflat 1.3.6 Insecure permissions in the file database.sdb of BatFlat CMS v1.3.6 allows attackers to dump the entire database. | 5.0 |
2022-03-01 | CVE-2022-23387 | Taocms | SQL Injection vulnerability in Taocms 3.0.2 An issue was discovered in taocms 3.0.2. | 5.0 |
2022-03-01 | CVE-2022-23377 | Keep | Files or Directories Accessible to External Parties vulnerability in Keep Archeevo Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files. | 5.0 |
2022-03-01 | CVE-2022-0777 | Microweber | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Microweber Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. | 5.0 |
2022-02-28 | CVE-2020-22844 | Mikrotik | Memory Leak vulnerability in Mikrotik Routeros 6.47 A buffer overflow in Mikrotik RouterOS 6.47 allows unauthenticated attackers to cause a denial of service (DOS) via crafted SMB requests. | 5.0 |
2022-02-28 | CVE-2022-26315 | Qrcp Project | Path Traversal vulnerability in Qrcp Project Qrcp qrcp through 0.8.4, in receive mode, allows ../ Directory Traversal via the file name specified by the uploader. | 5.0 |
2022-02-28 | CVE-2022-24685 | Hashicorp | Allocation of Resources Without Limits or Throttling vulnerability in Hashicorp Nomad HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. | 5.0 |
2022-03-04 | CVE-2021-3428 | Linux | Integer Overflow or Wraparound vulnerability in Linux Kernel A flaw was found in the Linux kernel. | 4.9 |
2022-03-04 | CVE-2022-23232 | Netapp | Unspecified vulnerability in Netapp Storagegrid StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. | 4.9 |
2022-03-02 | CVE-2022-23953 | HP | Unspecified vulnerability in HP products Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. | 4.9 |
2022-03-02 | CVE-2022-23956 | HP | Unspecified vulnerability in HP products Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. | 4.9 |
2022-02-28 | CVE-2021-24823 | Schiocco | Cross-Site Request Forgery (CSRF) vulnerability in Schiocco Support Board The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. | 4.9 |
2022-02-28 | CVE-2022-0360 | Smackcoders | Cross-site Scripting vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escape imported comments, which could allow high privilege users to import malicious ones (either intentionally or not) and lead to Stored Cross-Site Scripting issues. | 4.8 |
2022-03-02 | CVE-2022-22301 | Fortinet | OS Command Injection vulnerability in Fortinet Fortiap-C An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiAP-C console 5.4.0 through 5.4.3, 5.2.0 through 5.2.1 may allow an authenticated attacker to execute unauthorized commands by running CLI commands with specifically crafted arguments. | 4.6 |
2022-03-01 | CVE-2021-43619 | ARM | Classic Buffer Overflow vulnerability in ARM Trusted Firmware-M 1.4.0/1.4.1 Trusted Firmware M 1.4.x through 1.4.1 has a buffer overflow issue in the Firmware Update partition. | 4.6 |
2022-03-03 | CVE-2021-4002 | Linux Debian Fedoraproject Oracle | Memory Leak vulnerability in multiple products A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. | 4.4 |
2022-03-06 | CVE-2021-44748 | F Secure | Cross-site Scripting vulnerability in F-Secure Safe 18.5 A vulnerability affecting the F-Secure SAFE browser was discovered whereby the browser loads images automatically; this vulnerability can be exploited remotely by an attacker to execute JavaScript, which can be used to trigger universal cross-site scripting through the browser. | 4.3 |
2022-03-06 | CVE-2021-44749 | F Secure | Cross-site Scripting vulnerability in F-Secure Safe 18.5 A vulnerability affecting F-Secure SAFE browsing protection was discovered whereby improper URL handling can be triggered to cause universal cross-site scripting through browsing protection in a SAFE web browser. | 4.3 |
2022-03-05 | CVE-2022-0849 | Radare | Use After Free vulnerability in Radare Radare2 Use After Free in r_reg_get_name_idx in GitHub repository radareorg/radare2 prior to 5.6.6. | 4.3 |
2022-03-04 | CVE-2021-27756 | Hcltech | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hcltech Bigfix Compliance 2.0/2.0.5 TLS-RSA cipher suites are not disabled in BigFix Compliance up to v2.0.5. | 4.3 |
2022-03-04 | CVE-2021-46382 | Netgear | Cross-site Scripting vulnerability in Netgear Wac120 AC Firmware Unauthenticated cross-site scripting (XSS) in Netgear WAC120 AC Access Point may lead to multiple attacks such as session hijacking and even clipboard hijacking. | 4.3 |
2022-03-04 | CVE-2020-18324 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion CMS 4.2.1 Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.1 via the q parameter in the Kickstart template. | 4.3 |
2022-03-04 | CVE-2020-18325 | Intelliants | Cross-site Scripting vulnerability in Intelliants Subrion CMS 4.2.1 Multiple Cross Site Scripting (XSS) vulnerabilities exist in Intelliants Subrion CMS v4.2.1 in the Configuration panel. | 4.3 |
2022-03-04 | CVE-2020-18327 | Alfresco | Cross-site Scripting vulnerability in Alfresco 5.2 Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. | 4.3 |
2022-03-04 | CVE-2021-44321 | Mini Inventory AND Sales Management System Project | Cross-Site Request Forgery (CSRF) vulnerability in Mini-Inventory-And-Sales-Management-System Project Mini-Inventory-And-Sales-Management-System 1.0 Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. | 4.3 |
2022-03-04 | CVE-2022-0752 | Hestiacp | Cross-site Scripting vulnerability in Hestiacp Control Panel Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9. | 4.3 |
2022-03-04 | CVE-2022-0838 | Hestiacp | Cross-site Scripting vulnerability in Hestiacp Control Panel Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10. | 4.3 |
2022-03-03 | CVE-2022-23052 | Petereport Project | Cross-Site Request Forgery (CSRF) vulnerability in Petereport Project Petereport 0.5 PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application. | 4.3 |
2022-03-03 | CVE-2022-23708 | Elastic | Unspecified vulnerability in Elastic Elasticsearch A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. | 4.3 |
2022-03-03 | CVE-2022-23710 | Elastic | Cross-site Scripting vulnerability in Elastic Kibana 7.15.1/7.15.2/8.0.0 A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser. | 4.3 |
2022-03-03 | CVE-2022-0753 | Hestiacp | Cross-site Scripting vulnerability in Hestiacp Control Panel Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9. | 4.3 |
2022-03-03 | CVE-2021-40637 | Os4Ed | Cross-site Scripting vulnerability in Os4Ed Opensis 8.0 OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. | 4.3 |
2022-03-03 | CVE-2022-24573 | Element IT | Cross-site Scripting vulnerability in Element-It Http Commander A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field. | 4.3 |
2022-03-03 | CVE-2021-38263 | Liferay | Cross-site Scripting vulnerability in Liferay Portal Cross-site scripting (XSS) vulnerability in the Server module's script console in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 20 and 7.2 before fix pack 10 allows remote attackers to inject arbitrary web script or HTML via the output of a script. | 4.3 |
2022-03-03 | CVE-2021-38264 | Liferay | Cross-site Scripting vulnerability in Liferay Portal 7.4.0/7.4.1 Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. | 4.3 |
2022-03-02 | CVE-2022-24722 | Github | Cross-site Scripting vulnerability in Github Viewcomponent ViewComponent is a framework for building view components in Ruby on Rails. | 4.3 |
2022-03-02 | CVE-2022-25114 | Event Management Project | Cross-site Scripting vulnerability in Event Management Project Event Management 1.0 Event Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the full_name parameter under register.php. | 4.3 |
2022-03-02 | CVE-2022-25395 | Cosmetics AND Beauty Product Online Store Project | Cross-site Scripting vulnerability in Cosmetics and Beauty Product Online Store Project Cosmetics and Beauty Product Online Store 1.0 Cosmetics and Beauty Product Online Store v1.0 was discovered to contain multiple reflected cross-site scripting (XSS) attacks via the search parameter under the /cbpos/ app. | 4.3 |
2022-03-02 | CVE-2021-41003 | HPE | Unspecified vulnerability in HPE Arubaos-Cx Multiple unauthenticated command injection vulnerabilities were discovered in the AOS-CX API interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.06.xxxx: 10.06.0170 and below, AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below, AOS-CX 10.09.xxxx: 10.09.0002 and below. | 4.3 |
2022-03-02 | CVE-2022-23395 | Jquery Cookie Project | Unspecified vulnerability in Jquery.Cookie Project Jquery.Cookie 1.4.1 jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS). | 4.3 |
2022-03-02 | CVE-2021-45860 | Tsmuxer Project | Integer Overflow or Wraparound vulnerability in Tsmuxer Project Tsmuxer An integer overflow in DTSStreamReader::findFrame() of tsMuxer git-2678966 allows attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2022-03-02 | CVE-2021-45861 | Tsmuxer Project | Reachable Assertion vulnerability in Tsmuxer Project Tsmuxer There is an Assertion `num <= INT_BIT' failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277. | 4.3 |
2022-03-02 | CVE-2021-45863 | Tsmuxer Project | Out-of-bounds Write vulnerability in Tsmuxer Project Tsmuxer tsMuxer git-2678966 was discovered to contain a heap-based buffer overflow via the function HevcUnit::updateBits in hevc.cpp. | 4.3 |
2022-03-02 | CVE-2021-45864 | Tsmuxer Project | Out-of-bounds Read vulnerability in Tsmuxer Project Tsmuxer tsMuxer git-c6a0277 was discovered to contain a segmentation fault via DTSStreamReader::findFrame in dtsStreamReader.cpp. | 4.3 |
2022-03-02 | CVE-2022-25050 | RTL 433 Project | Out-of-bounds Write vulnerability in RTL 433 Project RTL 433 21.12 rtl_433 21.12 was discovered to contain a stack overflow in the function somfy_iohc_decode(). | 4.3 |
2022-03-02 | CVE-2022-25051 | RTL 433 Project | Off-by-one Error vulnerability in RTL 433 Project RTL 433 21.12 An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when decoding a crafted file. | 4.3 |
2022-03-01 | CVE-2022-24717 | Finastra | Cross-site Scripting vulnerability in Finastra Ssr-Pages ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). | 4.3 |
2022-03-01 | CVE-2021-46387 | Zyxel | Cross-site Scripting vulnerability in Zyxel Zywall 2 Plus Internet Security Appliance Firmware ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). | 4.3 |
2022-03-01 | CVE-2021-44747 | F Secure | Unspecified vulnerability in F-Secure products A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Linux Security whereby the Fmlib component used in certain F-Secure products can crash while scanning fuzzed files. | 4.3 |
2022-03-01 | CVE-2022-0776 | Revealjs | Cross-site Scripting vulnerability in Revealjs Reveal.Js Cross-site Scripting (XSS) - DOM in GitHub repository hakimel/reveal.js prior to 4.3.0. | 4.3 |
2022-03-01 | CVE-2021-44961 | Slic3R | Memory Leak vulnerability in Slic3R Libslic3R 1.3.0 A memory leakage flaw exists in the class PerimeterGenerator of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. | 4.3 |
2022-03-01 | CVE-2021-44962 | Slic3R | Out-of-bounds Read vulnerability in Slic3R Libslic3R 1.3.0 An out-of-bounds read vulnerability exists in the GCode::extrude() functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. | 4.3 |
2022-03-01 | CVE-2022-24446 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine KEY Manager Plus 6.1.6 An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. | 4.3 |
2022-02-28 | CVE-2022-23907 | Cmsmadesimple | Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.15 CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage. | 4.3 |
2022-02-28 | CVE-2022-25028 | Home Owners Collection Management System Project | Cross-site Scripting vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0 Home Owners Collection Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the collected_by parameter under the List of Collections module. | 4.3 |
2022-02-28 | CVE-2022-25013 | Icehrm | Cross-site Scripting vulnerability in Icehrm 30.0.0.Os Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php. | 4.3 |
2022-02-28 | CVE-2022-25014 | Icehrm | Cross-site Scripting vulnerability in Icehrm 30.0.0.Os Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. | 4.3 |
2022-02-28 | CVE-2022-26155 | Cherwell | Cross-site Scripting vulnerability in Cherwell Service Management 10.2.3 An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. | 4.3 |
2022-02-28 | CVE-2022-25642 | Obyte | Cross-site Scripting vulnerability in Obyte Obyte (formerly Byteball) Wallet before 3.4.1 allows XSS. | 4.3 |
2022-02-28 | CVE-2022-24572 | CAR Driving School Management System Project | Cross-site Scripting vulnerability in CAR Driving School Management System Project CAR Driving School Management System 1.0 Car Driving School Management System v1.0 is affected by Cross Site Scripting (XSS) in the User Enrollment Form (Username Field). | 4.3 |
2022-02-28 | CVE-2020-36510 | Codetipi | Cross-site Scripting vulnerability in Codetipi 15Zine The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputting it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting. | 4.3 |
2022-02-28 | CVE-2021-24688 | Orange Form Project | Cross-Site Request Forgery (CSRF) vulnerability in Orange-Form Project Orange-Form The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls; for example, the or_delete_filed one, which is available to both unauthenticated and authenticated users, could allow attackers to delete arbitrary posts. The AJAX calls performing actions on posts also do not ensure that the post belongs to them (or that they are allowed to perform such an action on it). | 4.3 |
2022-02-28 | CVE-2021-24730 | Infornweb | Missing Authorization vulnerability in Infornweb Logo Showcase With Slick Slider The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. | 4.3 |
2022-02-28 | CVE-2021-24913 | Infornweb | Cross-Site Request Forgery (CSRF) vulnerability in Infornweb Logo Showcase With Slick Slider The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media. | 4.3 |
2022-02-28 | CVE-2021-24994 | Wpvivid | Cross-site Scripting vulnerability in Wpvivid Migration, Backup, Staging The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in the admin page, leading to a Stored Cross-Site Scripting issue. | 4.3 |
2022-02-28 | CVE-2021-25034 | WP User Project | Cross-site Scripting vulnerability in WP User Project WP User The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues. | 4.3 |
2022-02-28 | CVE-2021-25081 | Wpgooglemap | Cross-Site Request Forgery (CSRF) vulnerability in Wpgooglemap WP Google MAP The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack. | 4.3 |
2022-02-28 | CVE-2021-25112 | I Plugins | Cross-site Scripting vulnerability in I-Plugins Whmcs Bridge The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting. | 4.3 |
2022-02-28 | CVE-2022-0150 | WP Accessibility Helper Project | Cross-site Scripting vulnerability in WP Accessibility Helper Project WP Accessibility Helper The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the wahi parameter before outputting back its base64 decoded value in the page, leading to a Reflected Cross-Site Scripting issue. | 4.3 |
2022-02-28 | CVE-2022-0189 | Wprssaggregator | Cross-site Scripting vulnerability in Wprssaggregator WP RSS Aggregator The WP RSS Aggregator WordPress plugin before 4.20 does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting. | 4.3 |
2022-02-28 | CVE-2022-0328 | Simple Membership Plugin | Cross-Site Request Forgery (CSRF) vulnerability in Simple-Membership-Plugin Simple Membership The Simple Membership WordPress plugin before 4.0.9 does not have a CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack. | 4.3 |
2022-02-28 | CVE-2022-0345 | Madewithfuel | Missing Authorization vulnerability in Madewithfuel Customize Wordpress Emails and Alerts The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.). | 4.3 |
2022-02-28 | CVE-2022-0377 | Thimpress | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Thimpress Learnpress Users of the LearnPress WordPress plugin before 4.1.5 can upload an image as a profile avatar after the registration. | 4.3 |
2022-02-28 | CVE-2022-0385 | Crazy Bone Project | Cross-site Scripting vulnerability in Crazy Bone Project Crazy Bone The Crazy Bone WordPress plugin through 0.6.0 does not sanitise and escape the username submitted via the login form when displaying it back in the log dashboard, leading to an unauthenticated Stored Cross-Site Scripting. | 4.3 |
2022-02-28 | CVE-2022-23912 | Accesspressthemes | Cross-site Scripting vulnerability in Accesspressthemes AP Custom Testimonial The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not sanitise and escape the id parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting. | 4.3 |
2022-02-28 | CVE-2022-23988 | Westguardsolutions | Cross-site Scripting vulnerability in Westguardsolutions WS Form The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing an unauthenticated attacker to submit XSS payloads which will get executed when a privileged user views the related submission. | 4.3 |
2022-03-03 | CVE-2022-23709 | Elastic | Missing Authorization vulnerability in Elastic Kibana A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. | 4.0 |
2022-03-02 | CVE-2021-43070 | Fortinet | Path Traversal vulnerability in Fortinet Fortiwlm Multiple relative path traversal vulnerabilities [CWE-23] in FortiWLM management interface 8.6.2 and below, 8.5.2 and below, 8.4.2 and below, 8.3.3 and below, 8.2.2 may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. | 4.0 |
2022-03-02 | CVE-2022-0577 | Scrapy Debian | Incorrect Authorization vulnerability in multiple products Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1. | 4.0 |
2022-03-01 | CVE-2020-15936 | Fortinet | Improper Input Validation vulnerability in Fortinet Fortios An improper input validation in Fortinet FortiGate version 6.4.3 and below, version 6.2.5 and below, version 6.0.11 and below, and version 5.6.13 and below allows an attacker to disclose sensitive information via SNI Client Hello TLS packets. | 4.0 |
2022-03-01 | CVE-2022-24718 | Finastra | Path Traversal vulnerability in Finastra Ssr-Pages ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). | 4.0 |
2022-02-28 | CVE-2021-24689 | Wpeverest | Path Traversal vulnerability in Wpeverest Contact Form The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack. | 4.0 |
2022-02-28 | CVE-2021-24820 | Bold Themes | Path Traversal vulnerability in Bold-Themes Cost Calculator The Cost Calculator WordPress plugin through 1.6 allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.6) to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout. | 4.0 |
51 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-04 | CVE-2021-43590 | Dell | Cleartext Storage of Sensitive Information vulnerability in Dell Enterprise Storage Analytics 4.0.1/6.2.1 Dell EMC Enterprise Storage Analytics for vRealize Operations, versions 4.0.1 to 6.2.1, contain a Plain-text password storage vulnerability. | 3.6 |
2022-03-01 | CVE-2022-22262 | Asus | Link Following vulnerability in Asus ROG Live Service ROG Live Service’s function for deleting temp files created by installation has an improper link resolution before file access vulnerability. | 3.6 |
2022-03-04 | CVE-2022-26483 | Veritas | Cross-site Scripting vulnerability in Veritas Infoscale Operations Manager An issue was discovered in Veritas InfoScale Operations Manager (VIOM) before 7.4.2 Patch 600 and 8.x before 8.0.0 Patch 100. | 3.5 |
2022-03-04 | CVE-2022-0831 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. | 3.5 |
2022-03-04 | CVE-2022-0832 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3. | 3.5 |
2022-03-03 | CVE-2022-23051 | Petereport Project | Cross-site Scripting vulnerability in Petereport Project Petereport 0.5 PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the 'svg_file' parameter. | 3.5 |
2022-03-03 | CVE-2022-25220 | Petereport Project | Cross-site Scripting vulnerability in Petereport Project Petereport 0.5 PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the markdown descriptions while creating a product, report or finding. | 3.5 |
2022-03-03 | CVE-2022-25138 | Axelor | Cross-site Scripting vulnerability in Axelor Open Suite Axelor Open Suite v5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Name parameter. | 3.5 |
2022-03-03 | CVE-2021-43774 | Fujifilm | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Fujifilm products A risky-algorithm issue was discovered on Fujifilm DocuCentre-VI C4471 1.8 devices. | 3.5 |
2022-03-03 | CVE-2022-24563 | Metalgenix | Cross-site Scripting vulnerability in Metalgenix Genixcms 1.1.11 In Genixcms v1.1.11, a stored Cross-Site Scripting (XSS) vulnerability exists in /gxadmin/index.php?page=themes&view=options via the intro_title and intro_image parameters. | 3.5 |
2022-03-03 | CVE-2021-38265 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform 7.0 Cross-site scripting (XSS) vulnerability in the Asset module in Liferay Portal 7.3.4 through 7.3.6 allows remote attackers to inject arbitrary web script or HTML when creating a collection page via the _com_liferay_asset_list_web_portlet_AssetListPortlet_title parameter. | 3.5 |
2022-03-03 | CVE-2021-38267 | Liferay | Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameters. | 3.5 |
2022-03-03 | CVE-2021-38269 | Liferay | Cross-site Scripting vulnerability in Liferay Portal Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command. | 3.5 |
2022-03-02 | CVE-2022-22944 | Vmware | Cross-site Scripting vulnerability in VMWare Workspace ONE Boxer VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS) vulnerability. | 3.5 |
2022-03-02 | CVE-2022-23656 | Zulip | Cross-site Scripting vulnerability in Zulip Server Zulip is an open source team chat app. | 3.5 |
2022-03-02 | CVE-2021-44166 | Fortinet | Unspecified vulnerability in Fortinet Fortitoken Mobile An improper access control vulnerability [CWE-284] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user. | 3.5 |
2022-03-01 | CVE-2022-25020 | Pluxml | Cross-site Scripting vulnerability in Pluxml 5.8.7 A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the thumbnail path of a blog post. | 3.5 |
2022-03-01 | CVE-2022-25022 | Htmly | Cross-site Scripting vulnerability in Htmly 2.8.1 A cross-site scripting (XSS) vulnerability in Htmly v2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content field of a blog post. | 3.5 |
2022-03-01 | CVE-2022-26332 | Cipi | Cross-site Scripting vulnerability in Cipi 3.1.15 Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field. | 3.5 |
2022-02-28 | CVE-2022-0743 | Getgrav | Cross-site Scripting vulnerability in Getgrav Grav Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. | 3.5 |
2022-02-28 | CVE-2022-25407 | Hospital Management System Project | Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Doctor parameter at /admin-panel1.php. | 3.5 |
2022-02-28 | CVE-2022-25408 | Hospital Management System Project | Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the dpassword parameter at /admin-panel1.php. | 3.5 |
2022-02-28 | CVE-2022-25409 | Hospital Management System Project | Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the demail parameter at /admin-panel1.php. | 3.5 |
2022-02-28 | CVE-2022-25410 | MAX 3000 | Cross-site Scripting vulnerability in Max-3000 Maxsite CMS 108 Maxsite CMS v180 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the parameter f_file_description at /admin/files. | 3.5 |
2022-02-28 | CVE-2022-25413 | MAX 3000 | Cross-site Scripting vulnerability in Max-3000 Maxsite CMS 108 Maxsite CMS v108 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the parameter f_tags at /admin/page_edit/3. | 3.5 |
2022-02-28 | CVE-2022-25015 | Icehrm | Cross-site Scripting vulnerability in Icehrm 30.0.0.Os A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field. | 3.5 |
2022-02-28 | CVE-2021-24898 | Editable Table Project | Cross-site Scripting vulnerability in Editable-Table Project Editable Table The EditableTable WordPress plugin through 0.1.4 does not sanitise and escape any of the Table and Column fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-02-28 | CVE-2021-24901 | Securemoz | Cross-site Scripting vulnerability in Securemoz Security Audit The Security Audit WordPress plugin through 1.0.0 does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-02-28 | CVE-2021-24903 | Codeasily | Cross-site Scripting vulnerability in Codeasily Grand Flagallery The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-02-28 | CVE-2021-24920 | Statcounter | Cross-site Scripting vulnerability in Statcounter The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-02-28 | CVE-2021-24933 | Bootstrapped | Cross-site Scripting vulnerability in Bootstrapped Dynamic Widgets The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting issue. | 3.5 |
2022-02-28 | CVE-2021-24971 | Magnigenie | Cross-site Scripting vulnerability in Magnigenie WP Responsive Menu The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wpr_live_update AJAX action, and does not sanitise and escape some of the data submitted. | 3.5 |
2022-02-28 | CVE-2021-25042 | Plugins Market | Missing Authorization vulnerability in Plugins-Market WP Visitor Statistics (Real Time Traffic) The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. | 3.5 |
2022-02-28 | CVE-2021-4222 | Maxfoundry | Cross-site Scripting vulnerability in Maxfoundry Wp-Paginate The WP-Paginate WordPress plugin before 2.1.4 does not sanitise and escape its preset settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-02-28 | CVE-2022-23987 | Westguardsolutions | Cross-site Scripting vulnerability in Westguardsolutions WS Form The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-02-28 | CVE-2021-43945 | Atlassian | Cross-site Scripting vulnerability in Atlassian Data Center and Jira Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. | 3.5 |
2022-03-02 | CVE-2021-3658 | Bluez Fedoraproject | Incorrect Authorization vulnerability in multiple products bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. | 3.3 |
2022-03-02 | CVE-2021-3716 | Nbdkit Project Redhat | A flaw was found in nbdkit due to improperly caching plaintext state across the STARTTLS encryption boundary. | 3.1 |
2022-03-02 | CVE-2021-46270 | Jfrog | Unspecified vulnerability in Jfrog Artifactory JFrog Artifactory before 7.31.10 is vulnerable to Broken Access Control where a project admin user is able to list all available repository names due to insufficient permission validation. | 2.7 |
2022-03-02 | CVE-2022-23954 | HP | Unspecified vulnerability in HP products Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. | 2.1 |
2022-03-02 | CVE-2022-23955 | HP | Unspecified vulnerability in HP products Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. | 2.1 |
2022-03-02 | CVE-2022-23957 | HP | Unspecified vulnerability in HP products Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. | 2.1 |
2022-03-02 | CVE-2022-23958 | HP | Unspecified vulnerability in HP products Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. | 2.1 |
2022-03-02 | CVE-2021-38996 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. | 2.1 |
2022-03-02 | CVE-2022-22350 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in CAA to cause a denial of service. | 2.1 |
2022-03-02 | CVE-2022-22303 | Fortinet | Information Exposure vulnerability in Fortinet Fortimanager An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file. | 2.1 |
2022-03-01 | CVE-2022-25012 | Argussurveillance | Inadequate Encryption Strength vulnerability in Argussurveillance DVR 4.0.0.0 Argus Surveillance DVR v4.0 employs weak password encryption. | 2.1 |
2022-03-01 | CVE-2020-4925 | IBM | Unspecified vulnerability in IBM Spectrum Scale 5.0.0/5.1.0 A security vulnerability in Spectrum Scale 5.0 and 5.1 allows a non-root user to overflow the mmfsd daemon with requests, preventing the daemon from servicing other requests. | 2.1 |
2022-03-01 | CVE-2021-38955 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a local user with elevated privileges to cause a denial of service due to a file creation vulnerability in the audit commands. | 2.1 |
2022-03-04 | CVE-2021-43392 | ST | Improper Verification of Cryptographic Signature vulnerability in ST J-Safe3 Firmware and Stsafe-J Firmware STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to obtain information on cryptographic secrets. | 1.9 |
2022-03-04 | CVE-2021-43393 | ST | Improper Verification of Cryptographic Signature vulnerability in ST J-Safe3 Firmware and Stsafe-J Firmware STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to abuse signature verification. | 1.9 |