Weekly Vulnerabilities Reports > March 7 to 13, 2022

Overview

449 new vulnerabilities reported during this period, including 64 critical vulnerabilities and 180 high severity vulnerabilities. This weekly summary report vulnerabilities in 1366 products from 198 vendors including Fedoraproject, Debian, Google, Huawei, and Tenda. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Classic Buffer Overflow", and "Out-of-bounds Read".

  • 307 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 116 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 250 reported vulnerabilities are exploitable by an anonymous user.
  • Fedoraproject has the most reported vulnerabilities, with 36 reported vulnerabilities.
  • TP Link has the most reported critical vulnerabilities, with 11 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

64 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-12 CVE-2022-24760 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source http web server backend.

10.0
2022-03-07 CVE-2022-0767 Janeczku Server-Side Request Forgery (SSRF) vulnerability in Janeczku Calibre-Web

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.

9.9
2022-03-13 CVE-2021-45887 Ponton Path Traversal vulnerability in Ponton X/P Messenger 3.10.0/3.8.0

An issue was discovered in PONTON X/P Messenger before 3.11.2.

9.8
2022-03-11 CVE-2022-24754 Teluu
Debian
PJSIP is a free and open source multimedia communication library written in C language.
9.8
2022-03-11 CVE-2022-23730 LG Unspecified vulnerability in LG Webos

The public API error causes for the attacker to be able to bypass API access control.

9.8
2022-03-11 CVE-2022-25621 NEC OS Command Injection vulnerability in NEC products

UUNIVERGE WA 1020 Ver8.2.11 and prior, UNIVERGE WA 1510 Ver8.2.11 and prior, UNIVERGE WA 1511 Ver8.2.11 and prior, UNIVERGE WA 1512 Ver8.2.11 and prior, UNIVERGE WA 2020 Ver8.2.11 and prior, UNIVERGE WA 2021 Ver8.2.11 and prior, UNIVERGE WA 2610-AP Ver8.2.11 and prior, UNIVERGE WA 2611-AP Ver8.2.11 and prior, UNIVERGE WA 2611E-AP Ver8.2.11 and prior, UNIVERGE WA WA2612-AP Ver8.2.11 and prior allows a remote attacker to execute arbitrary OS commands.

9.8
2022-03-11 CVE-2022-24433 Simple GIT Project Argument Injection or Modification vulnerability in Simple-Git Project Simple-Git

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection.

9.8
2022-03-11 CVE-2021-44618 Nystudio107 Code Injection vulnerability in Nystudio107 Seomatic 3.4.12

A Server-side Template Injection (SSTI) vulnerability exists in Nystudio107 Seomatic 3.4.12 in src/helpers/UrlHelper.php via the host header.

9.8
2022-03-11 CVE-2021-44620 Totolink Command Injection vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504

A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters.

9.8
2022-03-11 CVE-2022-21194 Yokogawa Use of Hard-coded Credentials vulnerability in Yokogawa products

The following Yokogawa Electric products do not change the passwords of the internal Windows accounts from the initial configuration: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.0, Exaopc versions from R3.72.00 to R3.79.00.

9.8
2022-03-11 CVE-2022-23402 Yokogawa Use of Hard-coded Credentials vulnerability in Yokogawa products

The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00

9.8
2022-03-10 CVE-2022-25818 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0

Improper boundary check in UWB stack prior to SMR Mar-2022 Release 1 allows arbitrary code execution.

9.8
2022-03-10 CVE-2022-26100 SAP Improper Input Validation vulnerability in SAP Sapcar 7.22

SAPCAR - version 7.22, does not contain sufficient input validation on the SAPCAR archive.

9.8
2022-03-10 CVE-2022-26131 Hegemonelectronics Unspecified vulnerability in Hegemonelectronics Plc4Trucks Firmware J2497

Power Line Communications PLC4TRUCKS J2497 trailer receivers are susceptible to remote RF induced signals.

9.8
2022-03-10 CVE-2022-26143 Mitel Missing Authentication for Critical Function vulnerability in Mitel Micollab and Mivoice Business Express

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic).

9.8
2022-03-10 CVE-2022-26520 Postgresql
Debian
In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties.
9.8
2022-03-10 CVE-2022-24600 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection through /admin/login.php.

9.8
2022-03-10 CVE-2022-24602 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection in /admin/news/news_mod.php.

9.8
2022-03-10 CVE-2022-24603 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection in /admin/news/sort_mod.php.

9.8
2022-03-10 CVE-2022-24604 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection in /admin/link/link_mod.php.

9.8
2022-03-10 CVE-2022-24605 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection in /admin/link/link_ok.php.

9.8
2022-03-10 CVE-2022-24606 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection in /admin/news/sort_ok.php.

9.8
2022-03-10 CVE-2022-24607 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection in /admin/news/news_ok.php.

9.8
2022-03-10 CVE-2022-24609 Luocms Project Incorrect Authorization vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by an incorrect access control vulnerability.

9.8
2022-03-10 CVE-2022-24651 Sentcms Unrestricted Upload of File with Dangerous Type vulnerability in Sentcms 4.0.0

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload.

9.8
2022-03-10 CVE-2022-24652 Sentcms Unrestricted Upload of File with Dangerous Type vulnerability in Sentcms 4.0.0

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload.

9.8
2022-03-10 CVE-2022-24995 Tenda Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetSysTime.

9.8
2022-03-10 CVE-2022-22814 Asus Unspecified vulnerability in Asus Myasus 3.1.1.0

The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation.

9.8
2022-03-10 CVE-2022-24193 Icewhale OS Command Injection vulnerability in Icewhale Casaos

CasaOS before v0.2.7 was discovered to contain a command injection vulnerability.

9.8
2022-03-10 CVE-2021-42786 Riverbed Improper Input Validation vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0

It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) has Remote Code Execution vulnerabilities in multiple instances of the API requests.

9.8
2022-03-10 CVE-2021-42787 Riverbed Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0

It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/configuration" API.

9.8
2022-03-10 CVE-2021-42853 Riverbed Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0

It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDiagnosticServlet has directory traversal vulnerability at the "/api/appInternals/1.0/agent/diagnostic/logs" API.

9.8
2022-03-10 CVE-2021-42854 Riverbed Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0

It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) PluginServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/plugin/pmx" API.

9.8
2022-03-10 CVE-2021-44622 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/check_reg_verify_code function which could let a remove malicious user execute arbitrary code via a crafted post request.

9.8
2022-03-10 CVE-2021-44623 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 via the /cloud_config/router_post/check_reset_pwd_verify_code interface.

9.8
2022-03-10 CVE-2021-44625 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in /cloud_config/cloud_device/info interface, which allows a malicious user to executee arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-44626 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reg_verify_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-44627 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-44628 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerabiltiy exists in TP-LINK WR-886N 20190826 2.3.8 in thee /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-44629 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerabilitiy exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-44630 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-44631 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicous users to execute arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-44632 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

9.8
2022-03-10 CVE-2021-4045 TP Link Command Injection vulnerability in Tp-Link Tapo C200 Firmware

TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root.

9.8
2022-03-10 CVE-2021-40050 Huawei Out-of-bounds Read vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an out-of-bounds read vulnerability in the IFAA module.

9.8
2022-03-10 CVE-2020-14115 MI Insufficient Verification of Data Authenticity vulnerability in MI Ax3600 Firmware 1.0.50

A command injection vulnerability exists in the Xiaomi Router AX3600.

9.8
2022-03-10 CVE-2022-0895 Microweber Unspecified vulnerability in Microweber

Static Code Injection in GitHub repository microweber/microweber prior to 1.3.

9.8
2022-03-09 CVE-2022-22805 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled.

9.8
2022-03-09 CVE-2022-22806 Schneider Electric Unspecified vulnerability in Schneider-Electric products

A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.

9.8
2022-03-08 CVE-2022-26313 Mendix Unspecified vulnerability in Mendix Forgot Password 3.3.0/3.3.2/3.4.0

A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1).

9.8
2022-03-08 CVE-2022-26314 Mendix Improper Restriction of Excessive Authentication Attempts vulnerability in Mendix Forgot Password

A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2).

9.8
2022-03-07 CVE-2022-0349 Wpdeveloper SQL Injection vulnerability in Wpdeveloper Notificationx

The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection

9.8
2022-03-07 CVE-2022-0434 A3Rev SQL Injection vulnerability in A3Rev Page View Count

The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users.

9.8
2022-03-07 CVE-2022-0441 Stylemixthemes Unspecified vulnerability in Stylemixthemes Masterstudy LMS

The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin

9.8
2022-03-07 CVE-2022-0766 Janeczku Server-Side Request Forgery (SSRF) vulnerability in Janeczku Calibre-Web

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.

9.8
2022-03-11 CVE-2022-0860 Cobbler Project
Fedoraproject
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
9.1
2022-03-11 CVE-2022-0871 Gogs Unspecified vulnerability in Gogs

Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.

9.1
2022-03-10 CVE-2022-25922 Hegemonelectronics Missing Authentication for Critical Function vulnerability in Hegemonelectronics Plc4Trucks Firmware J2497

Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages.

9.1
2022-03-10 CVE-2022-22795 Signiant XXE vulnerability in Signiant Manager+Agents

Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on.

9.1
2022-03-10 CVE-2022-23383 Yzmcms Improper Authentication vulnerability in Yzmcms 6.3

YzmCMS v6.3 is affected by broken access control.

9.1
2022-03-10 CVE-2021-40053 Huawei Incorrect Default Permissions vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a permission control vulnerability in the Nearby module.Successful exploitation of this vulnerability will affect availability and integrity.

9.1
2022-03-10 CVE-2021-33293 Libpano13 Project
Debian
Out-of-bounds Read vulnerability in multiple products

Panorama Tools libpano13 v2.9.20 was discovered to contain an out-of-bounds read in the function panoParserFindOLine() in parser.c.

9.1
2022-03-09 CVE-2022-0715 Schneider Electric Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric products

A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a key is leaked and used to upload malicious firmware.

9.1
2022-03-09 CVE-2022-0482 Easyappointments Unspecified vulnerability in Easyappointments

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.

9.1

180 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-13 CVE-2021-45886 Ponton Cross-Site Request Forgery (CSRF) vulnerability in Ponton X/P Messenger 3.10.0/3.8.0

An issue was discovered in PONTON X/P Messenger before 3.11.2.

8.8
2022-03-11 CVE-2022-25600 Flippercode
Fedoraproject
Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Cross-Site Request Forgery (CSRF) vulnerability affecting Delete Marker Category, Delete Map, and Copy Map functions in WP Google Map plugin (versions <= 4.2.3).

8.8
2022-03-11 CVE-2022-21808 Yokogawa Path Traversal vulnerability in Yokogawa products

Path traversal vulnerability exists in CAMS for HIS Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

8.8
2022-03-11 CVE-2022-22729 Yokogawa Improper Authentication vulnerability in Yokogawa products

CAMS for HIS Server contained in the following Yokogawa Electric products improperly authenticate the receiving packets.

8.8
2022-03-11 CVE-2022-25510 Freetakserver UI Project Use of Hard-coded Credentials vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8

FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges.

8.8
2022-03-10 CVE-2021-39022 IBM Improper Neutralization of Formula Elements in a CSV File vulnerability in IBM Guardium Data Encryption 4.0.0.0/5.0.0.0

IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

8.8
2022-03-10 CVE-2021-44673 Croogo Unrestricted Upload of File with Dangerous Type vulnerability in Croogo 3.0.2

A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via admin/file-manager/attachments, which lets a malicoius user upload a web shell script.

8.8
2022-03-10 CVE-2022-26846 Spip
Debian
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
8.8
2022-03-10 CVE-2022-24644 Zzinc Download of Code Without Integrity Check vulnerability in Zzinc Keymouse Firmware 2.02/3.05/3.08

ZZ Inc.

8.8
2022-03-10 CVE-2022-24915 Ipcomm Unspecified vulnerability in Ipcomm Ipdio Firmware 3.9

The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed.

8.8
2022-03-10 CVE-2022-22834 Overit XML Injection (aka Blind XPath Injection) vulnerability in Overit Geocall 6.3

An issue was discovered in OverIT Geocall before 8.0.

8.8
2022-03-10 CVE-2022-22985 Ipcomm Unspecified vulnerability in Ipcomm Ipdio Firmware 3.9

The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed.

8.8
2022-03-10 CVE-2022-23940 Salesagility Deserialization of Untrusted Data vulnerability in Salesagility Suitecrm

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution.

8.8
2022-03-10 CVE-2021-43970 Quicklert Unrestricted Upload of File with Dangerous Type vulnerability in Quicklert 10.0.0

An arbitrary file upload vulnerability exists in albumimages.jsp in Quicklert for Digium 10.0.0 (1043) via a .mp3;.jsp filename for a file that begins with audio data bytes.

8.8
2022-03-10 CVE-2022-0204 Bluez
Fedoraproject
Debian
Integer Overflow or Wraparound vulnerability in multiple products

A heap overflow vulnerability was found in bluez in versions prior to 5.63.

8.8
2022-03-10 CVE-2022-0507 Pandorafms SQL Injection vulnerability in Pandorafms Pandora FMS

Found a potential security vulnerability inside the Pandora API.

8.8
2022-03-09 CVE-2022-24732 Maddy Project Unspecified vulnerability in Maddy Project Maddy

Maddy Mail Server is an open source SMTP compatible email server.

8.8
2022-03-09 CVE-2021-36777 Opensuse Unspecified vulnerability in Opensuse Open Build Service

A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with a expected login form that then sends the clear text credentials to an attacker specified server.

8.8
2022-03-09 CVE-2022-0896 Microweber Code Injection vulnerability in Microweber

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.

8.8
2022-03-08 CVE-2022-24715 Icinga Unspecified vulnerability in Icinga web 2

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface.

8.8
2022-03-07 CVE-2021-24952 Tatvic SQL Injection vulnerability in Tatvic Conversios.Io

The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.

8.8
2022-03-07 CVE-2022-0410 WP Visitor Statistics Project SQL Injection vulnerability in WP Visitor Statistics Project WP Visitor Statistics

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.6 does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to a SQL injection

8.8
2022-03-07 CVE-2022-0439 Icegram SQL Injection vulnerability in Icegram Email Subscribers & Newsletters

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber.

8.8
2022-03-07 CVE-2022-22351 IBM Unspecified vulnerability in IBM AIX and Vios

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged trusted host user to exploit a vulnerability in the nimsh daemon to cause a denial of service in the nimsh daemon on another trusted host.

8.6
2022-03-10 CVE-2022-25219 Phicomm Unspecified vulnerability in Phicomm products

A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot.

8.4
2022-03-11 CVE-2022-23924 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23925 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23926 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23927 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23928 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23929 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23930 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23931 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23932 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23933 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-23934 HP Unspecified vulnerability in HP PC Bios

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

8.2
2022-03-11 CVE-2022-21177 Yokogawa Path Traversal vulnerability in Yokogawa products

There is a path traversal vulnerability in CAMS for HIS Log Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, andfrom R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.

8.1
2022-03-11 CVE-2022-22145 Yokogawa Resource Exhaustion vulnerability in Yokogawa products

CAMS for HIS Log Server contained in the following Yokogawa Electric products is vulnerable to uncontrolled resource consumption.

8.1
2022-03-11 CVE-2022-22151 Yokogawa Improper Encoding or Escaping of Output vulnerability in Yokogawa products

CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.

8.1
2022-03-10 CVE-2022-25090 Kofax Race Condition vulnerability in Kofax Printix 1.3.1106.0

Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition.

8.1
2022-03-10 CVE-2022-25218 Phicomm Use of a Broken or Risky Cryptographic Algorithm vulnerability in Phicomm products

The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function.

8.1
2022-03-08 CVE-2022-24309 Mendix Unspecified vulnerability in Mendix

A vulnerability has been identified in Mendix Runtime V7 (All versions < V7.23.29), Mendix Runtime V8 (All versions < V8.18.16), Mendix Runtime V9 (All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False).

8.1
2022-03-13 CVE-2022-24128 Timescale Incorrect Authorization vulnerability in Timescale Timescaledb

Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation.

8.0
2022-03-13 CVE-2022-24696 Mirametrix Unspecified vulnerability in Mirametrix Glance

Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a local attacker to elevate privileges.

7.8
2022-03-13 CVE-2022-26981 Liblouis
Fedoraproject
Apple
Classic Buffer Overflow vulnerability in multiple products

Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).

7.8
2022-03-12 CVE-2022-26967 Gpac Out-of-bounds Write vulnerability in Gpac 2.0

GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode.

7.8
2022-03-11 CVE-2021-41848 Bluproducts
Wikomobile
Luna
Use of Hard-coded Credentials vulnerability in multiple products

An issue was discovered in Luna Simo PPR1.180610.011/202001031830.

7.8
2022-03-11 CVE-2021-41850 Bluproducts
Wikomobile
Luna
Information Exposure vulnerability in multiple products

An issue was discovered in Luna Simo PPR1.180610.011/202001031830.

7.8
2022-03-11 CVE-2022-24415 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.8
2022-03-11 CVE-2022-24416 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.8
2022-03-11 CVE-2022-24419 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.8
2022-03-11 CVE-2022-24420 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.8
2022-03-11 CVE-2022-24421 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

7.8
2022-03-11 CVE-2021-33658 Huawei Missing Authentication for Critical Function vulnerability in Huawei Atune 0.3/0.8

atune before 0.3-0.8 log in as a local user and run the curl command to access the local atune url interface to escalate the local privilege or modify any file.

7.8
2022-03-11 CVE-2022-23187 Adobe Classic Buffer Overflow vulnerability in Adobe Illustrator

Adobe Illustrator version 26.0.3 (and earlier) is affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user.

7.8
2022-03-11 CVE-2022-23731 LG Unspecified vulnerability in LG Webos

V8 javascript engine (heap vulnerability) can cause privilege escalation ,which can impact on some webOS TV models.

7.8
2022-03-11 CVE-2022-24094 Adobe Out-of-bounds Write vulnerability in Adobe After Effects

Adobe After Effects versions 22.2 (and earlier) and 18.4.4 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2022-03-11 CVE-2022-22141 Yokogawa Improper Privilege Management vulnerability in Yokogawa products

'Long-term Data Archive Package' service implemented in the following Yokogawa Electric products creates some named pipe with imporper ACL configuration.

7.8
2022-03-11 CVE-2022-22148 Yokogawa Incorrect Permission Assignment for Critical Resource vulnerability in Yokogawa products

'Root Service' service implemented in the following Yokogawa Electric products creates some named pipe with improper ACL configuration.

7.8
2022-03-11 CVE-2022-23401 Yokogawa Uncontrolled Search Path Element vulnerability in Yokogawa products

The following Yokogawa Electric products contain insecure DLL loading issues.

7.8
2022-03-10 CVE-2022-24750 Uvnc Unspecified vulnerability in Uvnc Ultravnc

UltraVNC is a free and open source remote pc access software.

7.8
2022-03-10 CVE-2022-25217 Phicomm Use of Hard-coded Credentials vulnerability in Phicomm K2 Firmware and K3C Firmware

Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet.

7.8
2022-03-10 CVE-2022-25230 Omron Use After Free vulnerability in Omron Cx-Programmer

Use after free vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-03-10 CVE-2022-25234 Omron Out-of-bounds Write vulnerability in Omron Cx-Programmer

Out-of-bounds write vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-03-10 CVE-2022-25294 Proofpoint Unspecified vulnerability in Proofpoint Insider Threat Management

Proofpoint Insider Threat Management Agent for Windows relies on an inherently dangerous function that could enable an unprivileged local Windows user to run arbitrary code with SYSTEM privileges.

7.8
2022-03-10 CVE-2022-25325 Omron Use After Free vulnerability in Omron Cx-Programmer

Use after free vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-03-10 CVE-2022-25814 Google Unspecified vulnerability in Google Android 11.0/12.0

PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.

7.8
2022-03-10 CVE-2022-25815 Google Unspecified vulnerability in Google Android 10.0/11.0

PendingIntent hijacking vulnerability in Weather application prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.

7.8
2022-03-10 CVE-2022-24285 Acer Improper Authentication vulnerability in Acer Care Center 4.00.3000/4.00.3038

Acer Care Center 4.00.30xx before 4.00.3042 contains a local privilege escalation vulnerability.

7.8
2022-03-10 CVE-2022-24286 Acer Improper Authentication vulnerability in Acer Quickaccess

Acer QuickAccess 2.01.300x before 2.01.3030 and 3.00.30xx before 3.00.3038 contains a local privilege escalation vulnerability.

7.8
2022-03-10 CVE-2022-24396 SAP Unspecified vulnerability in SAP Simple Diagnostics Agent

The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005.

7.8
2022-03-10 CVE-2022-24618 Heimdalsecurity Improper Preservation of Permissions vulnerability in Heimdalsecurity Heimdal Premium Security 2.5.383/2.5.385/2.5.395

Heimdal.Wizard.exe installer in Heimdal Premium Security 2.5.395 and earlier has insecure permissions, which allows unprivileged local users to elevate privileges to SYSTEM via the "Browse For Folder" window accessible by triggering a "Repair" on the MSI package located in C:\Windows\Installer.

7.8
2022-03-10 CVE-2022-24928 Google Unspecified vulnerability in Google Android 11.0

Security misconfiguration of RKP in kernel prior to SMR Mar-2022 Release 1 allows a system not to be protected by RKP.

7.8
2022-03-10 CVE-2022-24931 Google Unspecified vulnerability in Google Android 10.0/11.0

Improper access control vulnerability in dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission

7.8
2022-03-10 CVE-2022-24960 Pdftron Use After Free vulnerability in Pdftron 9.2.0

A use after free vulnerability was discovered in PDFTron SDK version 9.2.0.

7.8
2022-03-10 CVE-2022-20047 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In video decoder, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-03-10 CVE-2022-20048 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In video decoder, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-03-10 CVE-2022-20053 Google Missing Authorization vulnerability in Google Android

In ims service, there is a possible escalation of privilege due to a missing permission check.

7.8
2022-03-10 CVE-2022-20054 Google Missing Authorization vulnerability in Google Android

In ims service, there is a possible AT command injection due to a missing permission check.

7.8
2022-03-10 CVE-2022-21124 Omron Out-of-bounds Write vulnerability in Omron Cx-Programmer

Out-of-bounds write vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-03-10 CVE-2022-21219 Omron Out-of-bounds Read vulnerability in Omron Cx-Programmer

Out-of-bounds read vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-03-10 CVE-2021-42855 Riverbed Incorrect Permission Assignment for Critical Resource vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0

It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a json string that contains a list of IDs and pre-configured commands.

7.8
2022-03-10 CVE-2022-0516 Linux
Fedoraproject
Debian
Redhat
Netapp
A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel.
7.8
2022-03-10 CVE-2022-0847 Linux
Fedoraproject
Redhat
Ovirt
Netapp
Siemens
Sonicwall
Improper Initialization vulnerability in multiple products

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values.

7.8
2022-03-10 CVE-2021-40376 Otris Improper Authentication vulnerability in Otris Update Manager 1.2.1.0

otris Update Manager 1.2.1.0 allows local users to achieve SYSTEM access via unauthenticated calls to exposed interfaces over a .NET named pipe.

7.8
2022-03-10 CVE-2021-32025 Blackberry Unspecified vulnerability in Blackberry products

An elevation of privilege vulnerability in the QNX Neutrino Kernel of affected versions of QNX Software Development Platform version(s) 6.4.0 to 7.0, QNX Momentics all 6.3.x versions, QNX OS for Safety versions 1.0.0 to 1.0.2, QNX OS for Safety versions 2.0.0 to 2.0.1, QNX for Medical versions 1.0.0 to 1.1.1, and QNX OS for Medical version 2.0.0 could allow an attacker to potentially access data, modify behavior, or permanently crash the system.

7.8
2022-03-10 CVE-2020-14111 MI Insufficient Verification of Data Authenticity vulnerability in MI Ax3600 Firmware 1.0.50/1.0.67/1.1.12

A command injection vulnerability exists in the Xiaomi Router AX3600.

7.8
2022-03-09 CVE-2022-25943 Kingsoft Incorrect Default Permissions vulnerability in Kingsoft WPS Office

The installer of WPS Office for Windows versions prior to v11.2.0.10258 fails to configure properly the ACL for the directory where the service program is installed.

7.8
2022-03-08 CVE-2022-26337 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro Password Manager

Trend Micro Password Manager (Consumer) installer version 5.0.0.1262 and below is vulnerable to an Uncontrolled Search Path Element vulnerability that could allow an attacker to use a specially crafted file to exploit the vulnerability and escalate local privileges on the affected machine.

7.8
2022-03-08 CVE-2022-24408 Siemens Improper Privilege Management vulnerability in Siemens Sinumerik MC Firmware and Sinumerik ONE Firmware

A vulnerability has been identified in SINUMERIK MC (All versions < V1.15 SP1), SINUMERIK ONE (All versions < V6.15 SP1).

7.8
2022-03-08 CVE-2022-24661 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Star-Ccm+ Viewer 2021.2.1/2021.3.1

A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All versions < V2022.1).

7.8
2022-03-07 CVE-2021-4199 Bitdefender Incorrect Permission Assignment for Critical Resource vulnerability in Bitdefender products

Incorrect Permission Assignment for Critical Resource vulnerability in the crash handling component BDReinit.exe as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools for Windows allows a remote attacker to escalate local privileges to SYSTEM.

7.8
2022-03-11 CVE-2022-21819 Nvidia Incorrect Permission Assignment for Critical Resource vulnerability in Nvidia Jetson Linux

NVIDIA distributions of Jetson Linux contain a vulnerability where an error in the IOMMU configuration may allow an unprivileged attacker with physical access to the board direct read/write access to the entire system address space through the PCI bus.

7.6
2022-03-09 CVE-2021-22783 Schneider Electric Unspecified vulnerability in Schneider-Electric Ritto Wiser Door

A CWE-200: Information Exposure vulnerability exists which could allow a session hijack when the door panel is communicating with the door.

7.6
2022-03-11 CVE-2021-42577 Softing NULL Pointer Dereference vulnerability in Softing products

An issue was discovered in Softing OPC UA C++ SDK before 5.70.

7.5
2022-03-11 CVE-2021-23246 Oppo Unspecified vulnerability in Oppo Coloros 11

In ACE2 ColorOS11, the attacker can obtain the foreground package name through permission promotion, resulting in user information disclosure.

7.5
2022-03-11 CVE-2021-32476 Moodle Allocation of Resources Without Limits or Throttling vulnerability in Moodle

A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits.

7.5
2022-03-11 CVE-2022-0853 Redhat Memory Leak vulnerability in Redhat products

A flaw was found in JBoss-client.

7.5
2022-03-11 CVE-2022-25216 Dvdfab Path Traversal vulnerability in Dvdfab 12 Player and Playerfab

An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>.

7.5
2022-03-11 CVE-2022-0913 Microweber Integer Overflow or Wraparound vulnerability in Microweber

Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3.

7.5
2022-03-11 CVE-2020-36518 Fasterxml
Oracle
Debian
Netapp
Out-of-bounds Write vulnerability in multiple products

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

7.5
2022-03-11 CVE-2022-25508 Freetakserver UI Project Missing Authentication for Critical Function vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8

An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes for legitimate users.

7.5
2022-03-11 CVE-2022-25512 Freetakserver UI Project Information Exposure vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8

FreeTAKServer-UI v1.9.8 was discovered to leak sensitive API and Websocket keys.

7.5
2022-03-10 CVE-2022-24726 Istio Resource Exhaustion vulnerability in Istio

Istio is an open platform to connect, manage, and secure microservices.

7.5
2022-03-10 CVE-2022-25546 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS.

7.5
2022-03-10 CVE-2022-25547 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime.

7.5
2022-03-10 CVE-2022-25548 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime.

7.5
2022-03-10 CVE-2022-25549 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS.

7.5
2022-03-10 CVE-2022-25550 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function saveParentControlInfo.

7.5
2022-03-10 CVE-2022-25551 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS.

7.5
2022-03-10 CVE-2022-25552 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function form_fast_setting_wifi_set.

7.5
2022-03-10 CVE-2022-25553 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS.

7.5
2022-03-10 CVE-2022-25554 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function saveParentControlInfo.

7.5
2022-03-10 CVE-2022-25555 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime.

7.5
2022-03-10 CVE-2022-25556 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21

Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_42E328.

7.5
2022-03-10 CVE-2022-25557 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow in the function saveParentControlInfo.

7.5
2022-03-10 CVE-2022-25558 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetProvince.

7.5
2022-03-10 CVE-2022-25560 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21

Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_4327CC.

7.5
2022-03-10 CVE-2022-25561 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21

Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_42DE00.

7.5
2022-03-10 CVE-2022-25566 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function saveParentControlInfo.

7.5
2022-03-10 CVE-2022-26311 Couchbase Unspecified vulnerability in Couchbase Cloud Native Operator 2.2.0/2.2.1/2.2.2

Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to an Unauthorized Actor.

7.5
2022-03-10 CVE-2022-26662 Tryton
Debian
XML Entity Expansion vulnerability in multiple products

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1.

7.5
2022-03-10 CVE-2022-24601 Luocms Project SQL Injection vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by SQL Injection in /admin/manager/admin_mod.php.

7.5
2022-03-10 CVE-2022-0903 Mattermost Out-of-bounds Write vulnerability in Mattermost Server

A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body.

7.5
2022-03-10 CVE-2022-22547 SAP Unspecified vulnerability in SAP Simple Diagnostics Agent

Simple Diagnostics Agent - versions 1.0 (up to version 1.57.), allows an attacker to access information which would otherwise be restricted via a random port 9000-65535.

7.5
2022-03-10 CVE-2021-44032 TP Link Unspecified vulnerability in Tp-Link Omada Software Controller

TP-Link Omada SDN Software Controller before 5.0.15 does not check if the authentication method specified in a connection request is allowed.

7.5
2022-03-10 CVE-2021-46408 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21

Tenda AX12 v22.03.01.21 was discovered to contain a stack buffer overflow in the function sub_422CE4.

7.5
2022-03-10 CVE-2022-0618 Apple Unspecified vulnerability in Apple Swiftnio Http/2

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame.

7.5
2022-03-10 CVE-2022-0725 Keepass
Fedoraproject
Information Exposure Through Log Files vulnerability in multiple products

A flaw was found in keepass.

7.5
2022-03-10 CVE-2022-0813 Phpmyadmin Information Exposure vulnerability in PHPmyadmin

PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests.

7.5
2022-03-10 CVE-2021-40047 Huawei Memory Leak vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a vulnerability of memory not being released after effective lifetime in the Bastet module.

7.5
2022-03-10 CVE-2021-40048 Huawei Incorrect Calculation of Buffer Size vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an incorrect buffer size calculation vulnerability in the video framework.

7.5
2022-03-10 CVE-2021-40049 Huawei Incorrect Default Permissions vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a permission control vulnerability in the PMS module.

7.5
2022-03-10 CVE-2021-40051 Huawei Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an unauthorized access vulnerability in system components.

7.5
2022-03-10 CVE-2021-40052 Huawei Incorrect Calculation of Buffer Size vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an incorrect buffer size calculation vulnerability in the video framework.Successful exploitation of this vulnerability may affect availability.

7.5
2022-03-10 CVE-2021-40054 Huawei Integer Underflow (Wrap or Wraparound) vulnerability in Huawei Emui and Magic UI

There is an integer underflow vulnerability in the atcmdserver module.

7.5
2022-03-10 CVE-2021-40056 Huawei Classic Buffer Overflow vulnerability in Huawei Emui and Magic UI

There is a vulnerability of copying input buffer without checking its size in the video framework.

7.5
2022-03-10 CVE-2021-40057 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Magic UI

There is a heap-based and stack-based buffer overflow vulnerability in the video framework.

7.5
2022-03-10 CVE-2021-40058 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Magic UI

There is a heap-based buffer overflow vulnerability in the video framework.

7.5
2022-03-10 CVE-2021-40060 Huawei Out-of-bounds Write vulnerability in Huawei Emui and Magic UI

There is a heap-based buffer overflow vulnerability in the video framework.

7.5
2022-03-10 CVE-2021-40061 Huawei Type Confusion vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a vulnerability of accessing resources using an incompatible type (type confusion) in the Bastet module.

7.5
2022-03-10 CVE-2021-40062 Huawei Classic Buffer Overflow vulnerability in Huawei Emui and Magic UI

There is a vulnerability of copying input buffer without checking its size in the video framework.

7.5
2022-03-10 CVE-2021-40063 Huawei Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI

There is an improper access control vulnerability in the video module.

7.5
2022-03-10 CVE-2021-40064 Huawei Out-of-bounds Write vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a heap-based buffer overflow vulnerability in system components.

7.5
2022-03-10 CVE-2021-3698 Cockpit Project
Redhat
Improper Certificate Validation vulnerability in multiple products

A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD).

7.5
2022-03-10 CVE-2020-36517 Home Assistant Information Exposure Through Discrepancy vulnerability in Home-Assistant 2022.03

An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration.

7.5
2022-03-10 CVE-2021-38296 Apache
Oracle
Authentication Bypass by Capture-replay vulnerability in multiple products

Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled".

7.5
2022-03-09 CVE-2022-24748 Shopware Incorrect Authorization vulnerability in Shopware

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework.

7.5
2022-03-08 CVE-2022-24716 Icinga Unspecified vulnerability in Icinga web 2

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface.

7.5
2022-03-08 CVE-2022-24713 Rust Lang
Fedoraproject
Debian
regex is an implementation of regular expressions for the Rust language.
7.5
2022-03-07 CVE-2021-25087 Wpdownloadmanager Unspecified vulnerability in Wpdownloadmanager Wordpress Download Manager

The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).

7.5
2022-03-10 CVE-2022-25214 Phicomm Unspecified vulnerability in Phicomm products

Improper access control on the LocalClientList.asp interface allows an unauthenticated remote attacker to obtain sensitive information concerning devices on the local area network, including IP and MAC addresses.

7.4
2022-03-07 CVE-2022-24738 Evmos Improper Authentication vulnerability in Evmos

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network.

7.4
2022-03-10 CVE-2022-0815 Mcafee Exposure of Resource to Wrong Sphere vulnerability in Mcafee Webadvisor 4.1.1.48

Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user’s system.

7.3
2022-03-10 CVE-2021-44750 F Secure Unspecified vulnerability in F-Secure products

An arbitrary code execution vulnerability was found in the F-Secure Support Tool.

7.3
2022-03-11 CVE-2021-32474 Moodle SQL Injection vulnerability in Moodle

An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host.

7.2
2022-03-10 CVE-2022-25225 Softinventive SQL Injection vulnerability in Softinventive Network Olympus 1.8.0

Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter.

7.2
2022-03-10 CVE-2022-26521 Abantecart Unrestricted Upload of File with Dangerous Type vulnerability in Abantecart

Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type).

7.2
2022-03-09 CVE-2022-24734 Mybb Unspecified vulnerability in Mybb

MyBB is a free and open source forum software.

7.2
2022-03-08 CVE-2021-43944 Atlassian Code Injection vulnerability in Atlassian Jira Server

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented.

7.2
2022-03-07 CVE-2021-24216 Servmask Unrestricted Upload of File with Dangerous Type vulnerability in Servmask One-Stop WP Migration 7.39/7.40

The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.

7.2
2022-03-07 CVE-2021-24777 Hotscot SQL Injection vulnerability in Hotscot Contact Form 1.0/1.1/1.2

The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection.

7.2
2022-03-07 CVE-2021-24778 Wpaffiliatefeed SQL Injection vulnerability in Wpaffiliatefeed Tradetracker-Store

The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.

7.2
2022-03-07 CVE-2022-0267 Adrotate Project SQL Injection vulnerability in Adrotate Project Adrotate

The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection

7.2
2022-03-07 CVE-2022-0420 Metagauss SQL Injection vulnerability in Metagauss Registrationmagic

The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks

7.2
2022-03-07 CVE-2022-0440 Catchplugins Unspecified vulnerability in Catchplugins Catch Themes Demo Import

The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the file to be imported, which could allow high privivilege admin to upload an arbitrary PHP file and gain RCE even in the case of an hardened blog (ie DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true)

7.2
2022-03-10 CVE-2022-25821 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

Improper use of SMS buffer pointer in Shannon baseband prior to SMR Mar-2022 Release 1 allows OOB read.

7.1
2022-03-10 CVE-2022-0891 Libtiff
Debian
Fedoraproject
Netapp
Out-of-bounds Write vulnerability in multiple products

A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

7.1
2022-03-10 CVE-2021-3739 Linux
Fedoraproject
Netapp
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires ‘CAP_SYS_ADMIN’.

7.1
2022-03-10 CVE-2022-0905 Gitea Unspecified vulnerability in Gitea

Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.

7.1
2022-03-10 CVE-2022-0280 Microsoft Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Microsoft Windows

A race condition vulnerability exists in the QuickClean feature of McAfee Total Protection for Windows prior to 16.0.43 that allows a local user to gain privilege elevation and perform an arbitrary file delete.

7.0
2022-03-10 CVE-2022-23036 XEN
Debian
Race Condition vulnerability in multiple products

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use.

7.0
2022-03-10 CVE-2022-23037 XEN
Debian
Race Condition vulnerability in multiple products

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use.

7.0
2022-03-10 CVE-2022-23038 XEN
Debian
Race Condition vulnerability in multiple products

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use.

7.0
2022-03-10 CVE-2022-23039 XEN
Debian
Race Condition vulnerability in multiple products

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use.

7.0
2022-03-10 CVE-2022-23040 XEN
Debian
Race Condition vulnerability in multiple products

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use.

7.0
2022-03-10 CVE-2022-23041 XEN
Debian
Race Condition vulnerability in multiple products

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use.

7.0
2022-03-10 CVE-2022-23042 XEN
Debian
Race Condition vulnerability in multiple products

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use.

7.0
2022-03-10 CVE-2022-26488 Python
Netapp
Untrusted Search Path vulnerability in multiple products

In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured.

7.0
2022-03-09 CVE-2022-24753 Stripe Unspecified vulnerability in Stripe CLI

Stripe CLI is a command-line tool for the Stripe eCommerce platform.

7.0

190 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-11 CVE-2021-33150 Intel Unspecified vulnerability in Intel products

Hardware allows activation of test or debug logic at runtime for some Intel(R) Trace Hub instances which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

6.8
2022-03-10 CVE-2022-25213 Phicomm Use of Hard-coded Credentials vulnerability in Phicomm products

Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device.

6.8
2022-03-10 CVE-2022-20055 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In preloader (usb), there is a possible out of bounds write due to a missing bounds check.

6.8
2022-03-11 CVE-2022-0921 Microweber Unrestricted Upload of File with Dangerous Type vulnerability in Microweber

Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.

6.7
2022-03-10 CVE-2022-20049 Google Missing Authorization vulnerability in Google Android 10.0/11.0

In vpu, there is a possible escalation of privilege due to a missing permission check.

6.7
2022-03-10 CVE-2022-20050 Google Link Following vulnerability in Google Android 11.0/12.0

In connsyslogger, there is a possible symbolic link following due to improper link resolution.

6.7
2022-03-10 CVE-2022-20056 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In preloader (usb), there is a possible out of bounds write due to a missing bounds check.

6.6
2022-03-10 CVE-2022-20058 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In preloader (usb), there is a possible out of bounds write due to a missing bounds check.

6.6
2022-03-10 CVE-2022-20059 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In preloader (usb), there is a possible out of bounds write due to a missing bounds check.

6.6
2022-03-10 CVE-2022-20060 Google Missing Authentication for Critical Function vulnerability in Google Android 10.0/11.0/12.0

In preloader (usb), there is a possible permission bypass due to a missing proper image authentication.

6.6
2022-03-11 CVE-2021-42262 Softing Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Softing products

An issue was discovered in Softing OPC UA C++ SDK before 5.70.

6.5
2022-03-11 CVE-2021-26341 AMD Improper Cross-boundary Removal of Sensitive Data vulnerability in AMD products

Some AMD CPUs may transiently execute beyond unconditional direct branches, which may potentially result in data leakage.

6.5
2022-03-11 CVE-2022-0001 Intel
Oracle
Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
6.5
2022-03-11 CVE-2022-0002 Intel
Oracle
Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
6.5
2022-03-11 CVE-2022-23625 Wire Improper Handling of Exceptional Conditions vulnerability in Wire and Wire-Ios-Transport

Wire-ios is a messaging application using the wire protocol on apple's ios platform.

6.5
2022-03-11 CVE-2022-0932 Saleor Unspecified vulnerability in Saleor

Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2.

6.5
2022-03-11 CVE-2022-0821 Orchardcore Unspecified vulnerability in Orchardcore

Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0.

6.5
2022-03-11 CVE-2022-25506 Freetakserver UI Project SQL Injection vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8

FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.

6.5
2022-03-11 CVE-2022-25511 Freetakserver UI Project Unspecified vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8

An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system.

6.5
2022-03-10 CVE-2022-25243 Hashicorp Improper Certificate Validation vulnerability in Hashicorp Vault

"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false.

6.5
2022-03-10 CVE-2022-25244 Hashicorp Unspecified vulnerability in Hashicorp Vault

Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint.

6.5
2022-03-10 CVE-2022-26652 Nats Path Traversal vulnerability in Nats Server and Nats Streaming Server

NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams.

6.5
2022-03-10 CVE-2022-26661 Tryton
Debian
XXE vulnerability in multiple products

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1.

6.5
2022-03-10 CVE-2022-26778 Veritas Cleartext Storage of Sensitive Information vulnerability in Veritas System Recovery 18.0/21

Veritas System Recovery (VSR) 18 and 21 stores a network destination password in the Windows registry during configuration of the backup configuration.

6.5
2022-03-10 CVE-2022-24398 SAP Unspecified vulnerability in SAP Business Objects Business Intelligence Platform 420/430

Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access information which would otherwise be restricted.

6.5
2022-03-10 CVE-2022-0904 Mattermost Out-of-bounds Write vulnerability in Mattermost Server

A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document.

6.5
2022-03-10 CVE-2022-20057 Google Improper Handling of Exceptional Conditions vulnerability in Google Android 11.0/12.0

In btif, there is a possible memory corruption due to incorrect error handling.

6.5
2022-03-10 CVE-2022-21132 Pfsense Path Traversal vulnerability in Pfsense Pfsense-Pkg-Wireguard 0.1.5/0.1.6

Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder.

6.5
2022-03-10 CVE-2022-22835 Overit XXE vulnerability in Overit Geocall 6.3

An issue was discovered in OverIT Geocall before version 8.0.

6.5
2022-03-10 CVE-2021-43969 Quicklert SQL Injection vulnerability in Quicklert 10.0.0

The login.jsp page of Quicklert for Digium 10.0.0 (1043) is affected by both Blind SQL Injection with Out-of-Band Interaction (DNS) and Blind Time-Based SQL Injections.

6.5
2022-03-10 CVE-2022-0856 Libcaca Project
Fedoraproject
Divide By Zero vulnerability in multiple products

libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service

6.5
2022-03-10 CVE-2022-0865 Libtiff
Debian
Fedoraproject
Netapp
Reachable Assertion vulnerability in multiple products

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file.

6.5
2022-03-10 CVE-2021-40059 Huawei Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI

There is a permission control vulnerability in the Wi-Fi module.

6.5
2022-03-10 CVE-2021-28488 Ericsson Exposure of Resource to Wrong Sphere vulnerability in Ericsson Network Manager

Ericsson Network Manager (ENM) before 21.2 has incorrect access-control behavior (that only affects the level of access available to persons who were already granted a highly privileged role).

6.5
2022-03-10 CVE-2021-32436 Abcm2Ps Project
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read in the function write_title() in subs.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.

6.5
2022-03-10 CVE-2021-34338 Libming
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Ming 0.4.8 has an out-of-bounds buffer overwrite issue in the function getName() in decompiler.c file that causes a direct segmentation fault and leads to denial of service.

6.5
2022-03-10 CVE-2021-34339 Libming
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Ming 0.4.8 has an out-of-bounds buffer access issue in the function getString() in decompiler.c file that causes a direct segmentation fault and leads to denial of service.

6.5
2022-03-10 CVE-2021-34340 Libming
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Ming 0.4.8 has an out-of-bounds buffer access issue in the function decompileINCR_DECR() in decompiler.c file that causes a direct segmentation fault and leads to denial of service.

6.5
2022-03-10 CVE-2021-34341 Libming
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Ming 0.4.8 has an out-of-bounds read vulnerability in the function decompileIF() in the decompile.c file that causes a direct segmentation fault and leads to denial of service.

6.5
2022-03-10 CVE-2021-34342 Libming
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Ming 0.4.8 has an out-of-bounds read vulnerability in the function newVar_N() in decompile.c which causes a huge information leak.

6.5
2022-03-10 CVE-2021-3733 Python
Redhat
Fedoraproject
Netapp
Resource Exhaustion vulnerability in multiple products

There's a flaw in urllib's AbstractBasicAuthHandler class.

6.5
2022-03-09 CVE-2022-24745 Shopware Unspecified vulnerability in Shopware

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework.

6.5
2022-03-09 CVE-2022-24741 Nextcloud Allocation of Resources Without Limits or Throttling vulnerability in Nextcloud Server

Nextcloud server is an open source, self hosted cloud style services platform.

6.5
2022-03-09 CVE-2022-0881 Framasoft Insecure Storage of Sensitive Information vulnerability in Framasoft Peertube

Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1.

6.5
2022-03-08 CVE-2022-26319 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro Portable Security 2.0/3.0

An installer search patch element vulnerability in Trend Micro Portable Security 3.0 Pro, 3.0 and 2.0 could allow a local attacker to place an arbitrarily generated DLL file in an installer folder to elevate local privileges.

6.5
2022-03-08 CVE-2021-41543 Siemens Information Exposure Through Log Files vulnerability in Siemens Climatix Pol909 Firmware 11.34/11.42

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36).

6.5
2022-03-08 CVE-2022-26317 Mendix Use of Insufficiently Random Values vulnerability in Mendix

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29).

6.5
2022-03-07 CVE-2022-24737 Httpie
Fedoraproject
HTTPie is a command-line HTTP client.
6.5
2022-03-07 CVE-2022-0754 Salesagility SQL Injection vulnerability in Salesagility Suitecrm

SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5.

6.5
2022-03-07 CVE-2022-0756 Salesagility Unspecified vulnerability in Salesagility Suitecrm

Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.

6.5
2022-03-07 CVE-2021-25098 Fatcatapps Cross-Site Request Forgery (CSRF) vulnerability in Fatcatapps Easy Pricing Tables

The Pricing Tables WordPress Plugin WordPress plugin before 3.1.3 does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash

6.5
2022-03-07 CVE-2022-0163 Rednao Missing Authorization vulnerability in Rednao Smart Forms

The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form.

6.5
2022-03-07 CVE-2022-0445 Devowl Cross-Site Request Forgery (CSRF) vulnerability in Devowl Wordpress Real Cookie Banner

The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack

6.5
2022-03-10 CVE-2022-25822 Google Use After Free vulnerability in Google Android 10.0/11.0/12.0

An use after free vulnerability in sdp driver prior to SMR Mar-2022 Release 1 allows kernel crash.

6.2
2022-03-13 CVE-2021-46709 Phpliteadmin Cross-site Scripting vulnerability in PHPliteadmin

phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows parameter (aka num or number).

6.1
2022-03-12 CVE-2022-0929 Microweber Cross-site Scripting vulnerability in Microweber

XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.

6.1
2022-03-12 CVE-2022-26533 Alist Project Cross-site Scripting vulnerability in Alist Project Alist

Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.

6.1
2022-03-11 CVE-2021-44667 Alibaba Cross-site Scripting vulnerability in Alibaba Nacos 2.0.3

A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users via the (1) pageSize and (2) pageNo parameters.

6.1
2022-03-11 CVE-2021-27414 Hitachienergy Improper Restriction of Rendered UI Layers or Frames vulnerability in Hitachienergy Ellipse Enterprise Asset Management 9.0.22

An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials.

6.1
2022-03-11 CVE-2021-32009 Secomea Cross-site Scripting vulnerability in Secomea Gatemanager 9.6.621421014

Cross-site Scripting (XSS) vulnerability in firmware section of Secomea GateManager allows logged in user to inject javascript in browser session.

6.1
2022-03-11 CVE-2021-32478 Moodle Unspecified vulnerability in Moodle

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks.

6.1
2022-03-11 CVE-2022-25601 Plugin Planet
Fedoraproject
Cross-site Scripting vulnerability in multiple products

Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).

6.1
2022-03-11 CVE-2021-46708 Smartbear Improper Restriction of Rendered UI Layers or Frames vulnerability in Smartbear Swagger-Ui-Dist

The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim.

6.1
2022-03-11 CVE-2022-0820 Orchardcore Cross-site Scripting vulnerability in Orchardcore

Cross-site Scripting (XSS) - Stored in GitHub repository orchardcms/orchardcore prior to 1.3.0.

6.1
2022-03-10 CVE-2021-44585 Jeecg Cross-site Scripting vulnerability in Jeecg Boot 3.0

A Cross Site Scripting (XSS) vulnerabilitiy exits in jeecg-boot 3.0 in /jeecg-boot/jmreport/view with a mouseover event.

6.1
2022-03-10 CVE-2022-26101 SAP Unspecified vulnerability in SAP Fiori Launchpad 754/755/756

Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

6.1
2022-03-10 CVE-2022-24395 SAP Unspecified vulnerability in SAP Netweaver Enterprise Portal

SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.

6.1
2022-03-10 CVE-2022-24397 SAP Unspecified vulnerability in SAP Netweaver Enterprise Portal

SAP NetWeaver Enterprise Portal - versions 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability.This reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content of portal Website.

6.1
2022-03-10 CVE-2022-24399 SAP Unspecified vulnerability in SAP Focused RUN 200/300

The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability.

6.1
2022-03-10 CVE-2022-24608 Luocms Project Cross-site Scripting vulnerability in Luocms Project Luocms 2.0

Luocms v2.0 is affected by Cross Site Scripting (XSS) in /admin/news/sort_add.php and /inc/function.php.

6.1
2022-03-10 CVE-2022-21146 Ipcomm Cross-site Scripting vulnerability in Ipcomm Ipdio Firmware 3.9

Persistent cross-site scripting in the web interface of ipDIO allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into a specific parameter.

6.1
2022-03-10 CVE-2022-24177 Exlibrisgroup Cross-site Scripting vulnerability in Exlibrisgroup Aleph 500 18.1/20.0

A cross-site scripting (XSS) vulnerability in the component cgi-bin/ej.cgi of Ex libris ALEPH 500 v18.1 and v20 allows attackers to execute arbitrary web scripts or HTML.

6.1
2022-03-10 CVE-2021-41657 Smartbear Improper Restriction of Rendered UI Layers or Frames vulnerability in Smartbear Collaborator 6.1.6102

SmartBear CodeCollaborator v6.1.6102 was discovered to contain a vulnerability in the web UI which would allow an attacker to conduct a clickjacking attack.

6.1
2022-03-10 CVE-2021-42856 Riverbed Cross-site Scripting vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0

It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack.

6.1
2022-03-09 CVE-2022-24746 Shopware Unspecified vulnerability in Shopware

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework.

6.1
2022-03-08 CVE-2022-24739 Alltube Project Unspecified vulnerability in Alltube Project Alltube

alltube is an html front end for youtube-dl.

6.1
2022-03-08 CVE-2021-41180 Nextcloud Unspecified vulnerability in Nextcloud Talk

Nextcloud talk is a self hosting messaging service.

6.1
2022-03-08 CVE-2021-41541 Siemens Cross-site Scripting vulnerability in Siemens Climatix Pol909 Firmware 11.34/11.42

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36).

6.1
2022-03-08 CVE-2021-41542 Siemens Cross-site Scripting vulnerability in Siemens Climatix Pol909 Firmware 11.34/11.42

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36).

6.1
2022-03-08 CVE-2021-44478 Siemens Cross-site Scripting vulnerability in Siemens Polarion ALM and Polarion Subversion Webclient

A vulnerability has been identified in Polarion ALM (All versions < V21 R2 P2), Polarion WebClient for SVN (All versions).

6.1
2022-03-07 CVE-2021-4198 Bitdefender NULL Pointer Dereference vulnerability in Bitdefender products

A NULL Pointer Dereference vulnerability in the messaging_ipc.dll component as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools, VPN Standalone allows an attacker to arbitrarily crash product processes and generate crashdump files.

6.1
2022-03-07 CVE-2021-24953 Tinywebgallery Cross-site Scripting vulnerability in Tinywebgallery Advanced Iframe

The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue

6.1
2022-03-07 CVE-2021-25038 Obtaininfotech Cross-site Scripting vulnerability in Obtaininfotech Multisite User Sync/Unsync

The WordPress Multisite User Sync/Unsync WordPress plugin before 2.1.2 does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

6.1
2022-03-07 CVE-2021-25039 Obtaininfotech Cross-site Scripting vulnerability in Obtaininfotech Multisite Content Copier/Updater

The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.0 does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

6.1
2022-03-07 CVE-2022-0347 Wpbrigade Cross-site Scripting vulnerability in Wpbrigade Loginpress

The LoginPress | Custom Login Page Customizer WordPress plugin before 1.5.12 does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

6.1
2022-03-07 CVE-2022-0422 Videousermanuals Cross-site Scripting vulnerability in Videousermanuals White Label CMS

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue

6.1
2022-03-07 CVE-2022-0429 Cerber Cross-site Scripting vulnerability in Cerber WP Cerber Security, Anti-Spam & Malware Scan

The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability.

6.1
2022-03-07 CVE-2022-0533 Metaphorcreations Cross-site Scripting vulnerability in Metaphorcreations Ditty

The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.

6.1
2022-03-08 CVE-2021-36809 Sophos Unspecified vulnerability in Sophos SSL VPN Client

A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges, potentially resulting in a denial of service and data loss, in all versions of Sophos SSL VPN client.

6.0
2022-03-10 CVE-2021-40055 Huawei Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI

There is a man-in-the-middle attack vulnerability during system update download in recovery mode.

5.9
2022-03-09 CVE-2022-24322 Schneider Electric Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Ecostruxure Control Expert 14.0/14.1/15.0

A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software when an attacker is able to intercept and manipulate specific Modbus response data.

5.9
2022-03-09 CVE-2022-24323 Schneider Electric Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software, when an attacker is able to intercept and manipulate specific Modbus response data.

5.9
2022-03-13 CVE-2022-23960 XEN
ARM
Debian
Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB.
5.6
2022-03-11 CVE-2021-26401 AMD Unspecified vulnerability in AMD products

LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on some AMD CPUs.

5.6
2022-03-12 CVE-2022-26966 Linux
Netapp
Debian
An issue was discovered in the Linux kernel before 5.16.12.
5.5
2022-03-11 CVE-2021-41849 Bluproducts
Wikomobile
Luna
Cleartext Transmission of Sensitive Information vulnerability in multiple products

An issue was discovered in Luna Simo PPR1.180610.011/202001031830.

5.5
2022-03-11 CVE-2022-0907 Libtiff
Debian
Fedoraproject
Netapp
Unchecked Return Value vulnerability in multiple products

Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file.

5.5
2022-03-11 CVE-2022-0908 Libtiff
Debian
Fedoraproject
Netapp
NULL Pointer Dereference vulnerability in multiple products

Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file.

5.5
2022-03-11 CVE-2022-0909 Libtiff
Debian
Fedoraproject
Netapp
Divide By Zero vulnerability in multiple products

Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file.

5.5
2022-03-11 CVE-2022-0924 Libtiff
Debian
Fedoraproject
Netapp
Out-of-bounds Read vulnerability in multiple products

Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file.

5.5
2022-03-11 CVE-2022-26878 Linux Memory Leak vulnerability in Linux Kernel

drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).

5.5
2022-03-10 CVE-2022-25108 Foxit NULL Pointer Dereference vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader and Editor before 11.2.1 and PhantomPDF before 10.1.7 allow a NULL pointer dereference during PDF parsing because the pointer is used without proper validation.

5.5
2022-03-10 CVE-2022-25819 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

OOB read vulnerability in hdcp2 device node prior to SMR Mar-2022 Release 1 allow an attacker to view Kernel stack memory.

5.5
2022-03-10 CVE-2022-25825 Samasung Improper Authentication vulnerability in Samasung Account

Improper access control vulnerability in Samsung Account prior to version 13.1.0.1 allows attackers to access to the authcode for sign-in.

5.5
2022-03-10 CVE-2022-20051 Google Improper Privilege Management vulnerability in Google Android 11.0/12.0

In ims service, there is a possible unexpected application behavior due to incorrect privilege assignment.

5.5
2022-03-10 CVE-2021-44215 Northern Tech Incorrect Default Permissions vulnerability in Northern.Tech Cfengine

Northern.tech CFEngine Enterprise 3.15.4 before 3.15.5 has Insecure Permissions that may allow unauthorized local users to have an unspecified impact.

5.5
2022-03-10 CVE-2021-44216 Northern Tech Incorrect Default Permissions vulnerability in Northern.Tech Cfengine

Northern.tech CFEngine Enterprise before 3.15.5 and 3.18.x before 3.18.1 has Insecure Permissions that may allow unauthorized local users to access the Apache and Mission Portal log files.

5.5
2022-03-10 CVE-2021-44269 Wavpack
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files.

5.5
2022-03-10 CVE-2021-44421 Occlum Project Information Exposure Through Discrepancy vulnerability in Occlum Project Occlum

The pointer-validation logic in util/mem_util.rs in Occlum before 0.26.0 for Intel SGX acts as a confused deputy that allows a local attacker to access unauthorized information via side-channel analysis.

5.5
2022-03-10 CVE-2021-4023 Linux
Fedoraproject
A flaw was found in the io-workqueue implementation in the Linux kernel versions prior to 5.15-rc1.
5.5
2022-03-10 CVE-2021-4095 Linux
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context.

5.5
2022-03-10 CVE-2022-0433 Linux
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the Linux kernel's BPF subsystem in the way a user triggers the map_get_next_key function of the BPF bloom filter.

5.5
2022-03-10 CVE-2021-32434 Abcm2Ps Project
Fedoraproject
Debian
Out-of-bounds Read vulnerability in multiple products

abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.

5.5
2022-03-10 CVE-2021-32435 Abcm2Ps Project
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Stack-based buffer overflow in the function get_key in parse.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.

5.5
2022-03-10 CVE-2021-34122 Rockcarry NULL Pointer Dereference vulnerability in Rockcarry Ffjpeg

The function bitstr_tell at bitstr.c in ffjpeg commit 4ab404e has a NULL pointer dereference.

5.5
2022-03-10 CVE-2021-3732 Linux Unspecified vulnerability in Linux Kernel

A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS.

5.5
2022-03-10 CVE-2021-20269 Kexec Tools Project Unspecified vulnerability in Kexec-Tools Project Kexec-Tools

A flaw was found in the permissions of a log file created by kexec-tools.

5.5
2022-03-10 CVE-2022-0890 Mruby NULL Pointer Dereference vulnerability in Mruby

NULL Pointer Dereference in GitHub repository mruby/mruby prior to 3.2.

5.5
2022-03-07 CVE-2021-38988 IBM Unspecified vulnerability in IBM AIX and Vios

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service.

5.5
2022-03-07 CVE-2021-38989 IBM Unspecified vulnerability in IBM AIX and Vios

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service.

5.5
2022-03-13 CVE-2021-45889 Ponton Cross-site Scripting vulnerability in Ponton X/P Messenger 3.10.0/3.8.0

An issue was discovered in PONTON X/P Messenger before 3.11.2.

5.4
2022-03-12 CVE-2022-0880 Showdoc Cross-site Scripting vulnerability in Showdoc

Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2.

5.4
2022-03-11 CVE-2021-27416 Hitachienergy Cross-site Scripting vulnerability in Hitachienergy Ellipse Enterprise Asset Management 9.0.22/9.0.23/9.0.25

An attacker could exploit this vulnerability in Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 by tricking a user to click on a link containing malicious code that would then be run by the web browser.

5.4
2022-03-11 CVE-2021-32475 Moodle Cross-site Scripting vulnerability in Moodle

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

5.4
2022-03-11 CVE-2022-0928 Microweber Cross-site Scripting vulnerability in Microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.

5.4
2022-03-11 CVE-2022-26874 Horde
Debian
Cross-site Scripting vulnerability in multiple products

lib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via an OpenOffice document, leading to account takeover in Horde Groupware Webmail Edition.

5.4
2022-03-11 CVE-2022-0822 Orchardcore Cross-site Scripting vulnerability in Orchardcore

Cross-site Scripting (XSS) - Reflected in GitHub repository orchardcms/orchardcore prior to 1.3.0.

5.4
2022-03-11 CVE-2022-25507 Freetakserver UI Project Cross-site Scripting vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8

FreeTAKServer-UI v1.9.8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Callsign parameter.

5.4
2022-03-10 CVE-2022-26102 SAP Missing Authorization vulnerability in SAP Netweaver Application Server Abap

Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker, to access content on the start screen of any transaction that is available with in the same SAP system even if he/she isn't authorized for that transaction.

5.4
2022-03-10 CVE-2022-24432 Ipcomm Cross-site Scripting vulnerability in Ipcomm Ipdio Firmware 3.9

Persistent cross-site scripting (XSS) in the web interface of ipDIO allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into specific fields.

5.4
2022-03-10 CVE-2022-21158 Marktext Cross-site Scripting vulnerability in Marktext

A stored cross-site scripting vulnerability in marktext versions prior to v0.17.0 due to improper handling of the link (with javascript: scheme) inside the document may allow an attacker to execute an arbitrary script on the PC of the user using marktext.

5.4
2022-03-10 CVE-2021-32005 Secomea Cross-site Scripting vulnerability in Secomea products

Cross-site Scripting (XSS) vulnerability in log view of Secomea SiteManager allows a logged in user to store javascript for later execution.

5.4
2022-03-10 CVE-2021-33851 Apasionados Cross-site Scripting vulnerability in Apasionados Customize Login Image 3.4

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack.

5.4
2022-03-10 CVE-2021-33852 Metaphorcreations Cross-site Scripting vulnerability in Metaphorcreations Post Duplicator 2.23

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack.

5.4
2022-03-09 CVE-2022-22511 Wago Unspecified vulnerability in Wago products

Various configuration pages of the device are vulnerable to reflected XSS (Cross-Site Scripting) attacks.

5.4
2022-03-08 CVE-2022-0877 Bookstackapp Cross-site Scripting vulnerability in Bookstackapp Bookstack

Cross-site Scripting (XSS) - Stored in GitHub repository bookstackapp/bookstack prior to v22.02.3.

5.4
2022-03-07 CVE-2021-24821 Nicdark Cross-site Scripting vulnerability in Nicdark Cost Calculator

The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings (which gets injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as the Text Preview field of a Project (injected on the edit project page)

5.4
2022-03-07 CVE-2021-24826 Custom Content Shortcode Project Cross-site Scripting vulnerability in Custom Content Shortcode Project Custom Content Shortcode

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

5.4
2022-03-07 CVE-2021-24960 Iptanus Unrestricted Upload of File with Dangerous Type vulnerability in Iptanus Wordpress File Upload and Wordpress File Upload PRO

The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks

5.4
2022-03-07 CVE-2021-24961 Iptanus Cross-site Scripting vulnerability in Iptanus Wordpress File Upload and Wordpress File Upload PRO

The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

5.4
2022-03-07 CVE-2022-0205 YOP Poll Cross-site Scripting vulnerability in Yop-Poll

The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue

5.4
2022-03-07 CVE-2022-0426 Adtribes Cross-site Scripting vulnerability in Adtribes Product Feed PRO for Woocommerce

The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting

5.4
2022-03-12 CVE-2022-26276 Onenav Path Traversal vulnerability in Onenav 0.9.14

An issue in index.php of OneNav v0.9.14 allows attackers to perform directory traversal.

5.3
2022-03-11 CVE-2022-25839 URL JS Project Improper Input Validation vulnerability in Url-Js Project Url-Js

The package url-js before 2.1.0 are vulnerable to Improper Input Validation due to improper parsing, which makes it is possible for the hostname to be spoofed.

5.3
2022-03-11 CVE-2021-32473 Moodle Unspecified vulnerability in Moodle

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.

5.3
2022-03-11 CVE-2022-0870 Gogs Server-Side Request Forgery (SSRF) vulnerability in Gogs

Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.

5.3
2022-03-10 CVE-2021-41233 Nextcloud Incorrect Authorization vulnerability in Nextcloud Server

Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server.

5.3
2022-03-10 CVE-2021-38910 IBM Improper Input Validation vulnerability in IBM Datapower Gateway

IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input.

5.3
2022-03-10 CVE-2021-39025 IBM Unspecified vulnerability in IBM Guardium Data Encryption 4.0.0.0/5.0.0.0

IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 could disclose internal IP address information when the web backend is down.

5.3
2022-03-10 CVE-2022-26847 Spip
Debian
Information Exposure vulnerability in multiple products

SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.

5.3
2022-03-10 CVE-2022-25215 Phicomm Unspecified vulnerability in Phicomm products

Improper access control on the LocalMACConfig.asp interface allows an unauthenticated remote attacker to add (or remove) client MAC addresses to (or from) a list of banned hosts.

5.3
2022-03-10 CVE-2022-26103 SAP Unspecified vulnerability in SAP Netweaver Application Server Java 7.50

Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks.

5.3
2022-03-10 CVE-2022-26104 SAP Missing Authorization vulnerability in SAP Financial Consolidation 10.1

SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message.

5.3
2022-03-10 CVE-2021-42857 Riverbed Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0

It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/da/pcf" API.

5.3
2022-03-10 CVE-2021-35251 Solarwinds Information Exposure Through an Error Message vulnerability in Solarwinds web Help Desk

Sensitive information could be displayed when a detailed technical error message is posted.

5.3
2022-03-10 CVE-2020-14112 MI Information Exposure vulnerability in MI Ax6000 Firmware

Information Leak Vulnerability exists in the Xiaomi Router AX6000.

5.3
2022-03-09 CVE-2022-24747 Shopware Exposure of Resource to Wrong Sphere vulnerability in Shopware

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework.

5.3
2022-03-08 CVE-2022-24714 Icinga Unspecified vulnerability in Icinga web 2

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface.

5.3
2022-03-08 CVE-2021-41239 Nextcloud Unspecified vulnerability in Nextcloud Server

Nextcloud server is a self hosted system designed to provide cloud style services.

5.3
2022-03-07 CVE-2021-25009 Correosexpress Project Unspecified vulnerability in Correosexpress Project Correosexpress

The CorreosExpress WordPress plugin through 2.6.0 generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses

5.3
2022-03-13 CVE-2021-45888 Ponton Cross-site Scripting vulnerability in Ponton X/P Messenger 3.10.0/3.8.0

An issue was discovered in PONTON X/P Messenger before 3.11.2.

4.8
2022-03-12 CVE-2022-0930 Microweber Cross-site Scripting vulnerability in Microweber

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

4.8
2022-03-12 CVE-2022-0926 Microweber Cross-site Scripting vulnerability in Microweber

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

4.8
2022-03-11 CVE-2022-0912 Microweber Unrestricted Upload of File with Dangerous Type vulnerability in Microweber

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11.

4.8
2022-03-10 CVE-2022-0906 Microweber Cross-site Scripting vulnerability in Microweber

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.

4.8
2022-03-07 CVE-2021-24810 WP Eventmanager Cross-site Scripting vulnerability in Wp-Eventmanager WP Event Manager

The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-03-07 CVE-2022-0389 Codepeople Cross-site Scripting vulnerability in Codepeople WP Time Slots Booking Form

The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-03-07 CVE-2022-0448 Dwbooster Cross-site Scripting vulnerability in Dwbooster CP Blocks

The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

4.8
2022-03-07 CVE-2022-0535 E2Pdf Cross-site Scripting vulnerability in E2Pdf

The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-03-10 CVE-2022-25368 Amperecomputing
ARM
Spectre BHB is a variant of Spectre-v2 in which malicious code uses the shared branch history (stored in the CPU BHB) to influence mispredicted branches in the victim's hardware context.
4.7
2022-03-10 CVE-2022-25816 Google Improper Authentication vulnerability in Google Android 10.0/11.0/12.0

Improper authentication in Samsung Lock and mask apps setting prior to SMR Mar-2022 Release 1 allows attacker to change enable/disable without authentication

4.6
2022-03-10 CVE-2022-25820 Google Improper Restriction of Excessive Authentication Attempts vulnerability in Google Android 11.0/12.0

A vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform brute force attack on screen lock password.

4.6
2022-03-10 CVE-2022-24932 Google
Samsung
Improper Protection of Alternate Path vulnerability in Setup wizard process prior to SMR Mar-2022 Release 1 allows physical attacker package installation before finishing Setup wizard.
4.6
2022-03-10 CVE-2022-26355 Citrix Exposure of Resource to Wrong Sphere vulnerability in Citrix Federated Authentication Service 10.6/7.17

Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP).

4.4
2022-03-09 CVE-2022-24349 Zabbix
Debian
Fedoraproject
Cross-site Scripting vulnerability in multiple products

An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users.

4.4
2022-03-09 CVE-2022-24917 Zabbix
Debian
Fedoraproject
Cross-site Scripting vulnerability in multiple products

An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users.

4.4
2022-03-09 CVE-2022-24918 Zabbix
Fedoraproject
Cross-site Scripting vulnerability in multiple products

An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users.

4.4
2022-03-09 CVE-2022-24919 Zabbix
Debian
Fedoraproject
Cross-site Scripting vulnerability in multiple products

An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users.

4.4
2022-03-09 CVE-2022-0022 Paloaltonetworks Use of Password Hash With Insufficient Computational Effort vulnerability in Paloaltonetworks Pan-Os

Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode.

4.4
2022-03-11 CVE-2021-32472 Moodle Missing Authorization vulnerability in Moodle

Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances.

4.3
2022-03-11 CVE-2021-32477 Moodle Missing Authorization vulnerability in Moodle

The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default).

4.3
2022-03-11 CVE-2018-25031 Smartbear Improper Input Validation vulnerability in Smartbear Swagger UI

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks.

4.3
2022-03-10 CVE-2021-32006 Secomea Incorrect Default Permissions vulnerability in Secomea Gatemanager 9.6.621421014

This issue affects: Secomea GateManager Version 9.6.621421014 and all prior versions.

4.3
2022-03-10 CVE-2021-3660 Cockpit Project
Redhat
Cockpit (and its plugins) do not seem to protect itself against clickjacking.
4.3
2022-03-08 CVE-2021-41241 Nextcloud Unspecified vulnerability in Nextcloud Server

Nextcloud server is a self hosted system designed to provide cloud style services.

4.3
2022-03-07 CVE-2022-0755 Salesagility Unspecified vulnerability in Salesagility Suitecrm

Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.

4.3
2022-03-07 CVE-2021-24824 Custom Content Shortcode Project Incorrect Authorization vulnerability in Custom Content Shortcode Project Custom Content Shortcode

The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata.

4.3
2022-03-07 CVE-2021-24825 Custom Content Shortcode Project Unspecified vulnerability in Custom Content Shortcode Project Custom Content Shortcode

The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc), as well as perform Local File Inclusion attacks as PHP files will be executed.

4.3
2022-03-07 CVE-2022-0384 Imdpen Unspecified vulnerability in Imdpen Video Conferencing With Zoom

The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog

4.3
2022-03-07 CVE-2022-0442 Ayecode Authorization Bypass Through User-Controlled Key vulnerability in Ayecode Userswp

The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.

4.3

15 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-13 CVE-2021-36368 Openbsd
Debian
Improper Authentication vulnerability in multiple products

An issue was discovered in OpenSSH before 8.9.

3.7
2022-03-10 CVE-2022-21170 DAJ Improper Certificate Validation vulnerability in DAJ I-Filter and I-Filter Browser & Cloud Multiagent

Improper check for certificate revocation in i-FILTER Ver.10.45R01 and earlier, i-FILTER Ver.9.50R10 and earlier, i-FILTER Browser & Cloud MultiAgent for Windows Ver.4.93R04 and earlier, and D-SPA (Ver.3 / Ver.4) using i-FILTER allows a remote unauthenticated attacker to conduct a man-in-the-middle attack and eavesdrop on an encrypted communication.

3.7
2022-03-09 CVE-2022-24744 Shopware Unspecified vulnerability in Shopware

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework.

3.5
2022-03-10 CVE-2022-25817 Google Unspecified vulnerability in Google Android 10.0/11.0

Improper authentication in One UI Home prior to SMR Mar-2022 Release 1 allows attacker to generate pinned-shortcut without user consent.

3.3
2022-03-10 CVE-2022-25823 Samsung Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch Plugin 2.2.05.21033151/2.2.05.22012751

Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.220126741 allows attackers to access user information in log.

3.3
2022-03-10 CVE-2022-25824 Samsung Unspecified vulnerability in Samsung Bixby Touch

Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.

3.3
2022-03-10 CVE-2022-25826 Samsung Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch 3 Plugin

Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log

3.3
2022-03-10 CVE-2022-25827 Samsung Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch Plugin 2.2.05.21033151

Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.22012751 allows attacker to access password information of connected WiFiAp in the log

3.3
2022-03-10 CVE-2022-25828 Samsung Information Exposure Through Log Files vulnerability in Samsung Watch Active Plugin 2.2.07.21033151

Information Exposure vulnerability in Watch Active Plugin prior to version 2.2.07.22012751 allows attacker to access password information of connected WiFiAp in the log

3.3
2022-03-10 CVE-2022-25829 Samsung Information Exposure Through Log Files vulnerability in Samsung Watch Active2 Plugin 2.2.08.21033151

Information Exposure vulnerability in Watch Active2 Plugin prior to version 2.2.08.22012751 allows attacker to access password information of connected WiFiAp in the log

3.3
2022-03-10 CVE-2022-25830 Samsung Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch 3 Plugin

Information Exposure vulnerability in Galaxy Watch3 Plugin prior to version 2.2.09.22012751 allows attacker to access password information of connected WiFiAp in the log

3.3
2022-03-10 CVE-2022-24929 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Unprotected Activity in AppLock prior to SMR Mar-2022 Release 1 allows attacker to change the list of locked app without authentication.

3.3
2022-03-10 CVE-2022-24930 Samsung Unspecified vulnerability in Samsung Wear OS 3.0

An Improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission

3.3
2022-03-10 CVE-2021-3981 GNU
Fedoraproject
A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content.
3.3
2022-03-08 CVE-2021-41181 Nextcloud Improper Authentication vulnerability in Nextcloud Talk

Nextcloud talk is a self hosting messaging service.

2.4