Weekly Vulnerabilities Reports > March 7 to 13, 2022
Overview
449 new vulnerabilities were reported during this period, including 64 critical vulnerabilities and 180 high severity vulnerabilities. This weekly summary reports vulnerabilities in 1366 products from 198 vendors including Fedoraproject, Debian, Google, Huawei, and Tenda. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Classic Buffer Overflow", and "Out-of-bounds Read".
- 307 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 116 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 250 reported vulnerabilities are exploitable by an anonymous user.
- Fedoraproject has the most reported vulnerabilities, with 36 reported vulnerabilities.
- TP Link has the most reported critical vulnerabilities, with 11 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
64 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-12 | CVE-2022-24760 | Parseplatform | Unspecified vulnerability in Parseplatform Parse-Server Parse Server is an open source http web server backend. | 10.0 |
2022-03-07 | CVE-2022-0767 | Janeczku | Server-Side Request Forgery (SSRF) vulnerability in Janeczku Calibre-Web Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. | 9.9 |
2022-03-13 | CVE-2021-45887 | Ponton | Path Traversal vulnerability in Ponton X/P Messenger 3.10.0/3.8.0 An issue was discovered in PONTON X/P Messenger before 3.11.2. | 9.8 |
2022-03-11 | CVE-2022-24754 | Teluu Debian | PJSIP is a free and open source multimedia communication library written in C language. | 9.8 |
2022-03-11 | CVE-2022-23730 | LG | Unspecified vulnerability in LG Webos The public API error causes for the attacker to be able to bypass API access control. | 9.8 |
2022-03-11 | CVE-2022-25621 | NEC | OS Command Injection vulnerability in NEC products UNIVERGE WA 1020 Ver8.2.11 and prior, UNIVERGE WA 1510 Ver8.2.11 and prior, UNIVERGE WA 1511 Ver8.2.11 and prior, UNIVERGE WA 1512 Ver8.2.11 and prior, UNIVERGE WA 2020 Ver8.2.11 and prior, UNIVERGE WA 2021 Ver8.2.11 and prior, UNIVERGE WA 2610-AP Ver8.2.11 and prior, UNIVERGE WA 2611-AP Ver8.2.11 and prior, UNIVERGE WA 2611E-AP Ver8.2.11 and prior, UNIVERGE WA WA2612-AP Ver8.2.11 and prior allows a remote attacker to execute arbitrary OS commands. | 9.8 |
2022-03-11 | CVE-2022-24433 | Simple GIT Project | Argument Injection or Modification vulnerability in Simple-Git Project Simple-Git The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. | 9.8 |
2022-03-11 | CVE-2021-44618 | Nystudio107 | Code Injection vulnerability in Nystudio107 Seomatic 3.4.12 A Server-side Template Injection (SSTI) vulnerability exists in Nystudio107 Seomatic 3.4.12 in src/helpers/UrlHelper.php via the host header. | 9.8 |
2022-03-11 | CVE-2021-44620 | Totolink | Command Injection vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504 A Command Injection vulnerability exists in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters. | 9.8 |
2022-03-11 | CVE-2022-21194 | Yokogawa | Use of Hard-coded Credentials vulnerability in Yokogawa products The following Yokogawa Electric products do not change the passwords of the internal Windows accounts from the initial configuration: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.0, Exaopc versions from R3.72.00 to R3.79.00. | 9.8 |
2022-03-11 | CVE-2022-23402 | Yokogawa | Use of Hard-coded Credentials vulnerability in Yokogawa products The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00 | 9.8 |
2022-03-10 | CVE-2022-25818 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0 Improper boundary check in UWB stack prior to SMR Mar-2022 Release 1 allows arbitrary code execution. | 9.8 |
2022-03-10 | CVE-2022-26100 | SAP | Improper Input Validation vulnerability in SAP Sapcar 7.22 SAPCAR - version 7.22, does not contain sufficient input validation on the SAPCAR archive. | 9.8 |
2022-03-10 | CVE-2022-26131 | Hegemonelectronics | Unspecified vulnerability in Hegemonelectronics Plc4Trucks Firmware J2497 Power Line Communications PLC4TRUCKS J2497 trailer receivers are susceptible to remote RF induced signals. | 9.8 |
2022-03-10 | CVE-2022-26143 | Mitel | Missing Authentication for Critical Function vulnerability in Mitel Micollab and Mivoice Business Express The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). | 9.8 |
2022-03-10 | CVE-2022-26520 | Postgresql Debian | In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. | 9.8 |
2022-03-10 | CVE-2022-24600 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection through /admin/login.php. | 9.8 |
2022-03-10 | CVE-2022-24602 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection in /admin/news/news_mod.php. | 9.8 |
2022-03-10 | CVE-2022-24603 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection in /admin/news/sort_mod.php. | 9.8 |
2022-03-10 | CVE-2022-24604 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection in /admin/link/link_mod.php. | 9.8 |
2022-03-10 | CVE-2022-24605 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection in /admin/link/link_ok.php. | 9.8 |
2022-03-10 | CVE-2022-24606 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection in /admin/news/sort_ok.php. | 9.8 |
2022-03-10 | CVE-2022-24607 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection in /admin/news/news_ok.php. | 9.8 |
2022-03-10 | CVE-2022-24609 | Luocms Project | Incorrect Authorization vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by an incorrect access control vulnerability. | 9.8 |
2022-03-10 | CVE-2022-24651 | Sentcms | Unrestricted Upload of File with Dangerous Type vulnerability in Sentcms 4.0.0 sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload. | 9.8 |
2022-03-10 | CVE-2022-24652 | Sentcms | Unrestricted Upload of File with Dangerous Type vulnerability in Sentcms 4.0.0 sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload. | 9.8 |
2022-03-10 | CVE-2022-24995 | Tenda | Out-of-bounds Write vulnerability in Tenda AX3 Firmware 16.03.12.10Cn Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetSysTime. | 9.8 |
2022-03-10 | CVE-2022-22814 | Asus | Unspecified vulnerability in Asus Myasus 3.1.1.0 The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation. | 9.8 |
2022-03-10 | CVE-2022-24193 | Icewhale | OS Command Injection vulnerability in Icewhale Casaos CasaOS before v0.2.7 was discovered to contain a command injection vulnerability. | 9.8 |
2022-03-10 | CVE-2021-42786 | Riverbed | Improper Input Validation vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) has Remote Code Execution vulnerabilities in multiple instances of the API requests. | 9.8 |
2022-03-10 | CVE-2021-42787 | Riverbed | Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/configuration" API. | 9.8 |
2022-03-10 | CVE-2021-42853 | Riverbed | Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDiagnosticServlet has directory traversal vulnerability at the "/api/appInternals/1.0/agent/diagnostic/logs" API. | 9.8 |
2022-03-10 | CVE-2021-42854 | Riverbed | Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) PluginServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/plugin/pmx" API. | 9.8 |
2022-03-10 | CVE-2021-44622 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/check_reg_verify_code function which could let a remote malicious user execute arbitrary code via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44623 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 via the /cloud_config/router_post/check_reset_pwd_verify_code interface. | 9.8 |
2022-03-10 | CVE-2021-44625 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in /cloud_config/cloud_device/info interface, which allows a malicious user to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44626 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reg_verify_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44627 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44628 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44629 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44630 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44631 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-44632 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr886N Firmware 201908262.3.8 A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via a crafted post request. | 9.8 |
2022-03-10 | CVE-2021-4045 | TP Link | Command Injection vulnerability in Tp-Link Tapo C200 Firmware TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. | 9.8 |
2022-03-10 | CVE-2021-40050 | Huawei | Out-of-bounds Read vulnerability in Huawei Emui, Harmonyos and Magic UI There is an out-of-bounds read vulnerability in the IFAA module. | 9.8 |
2022-03-10 | CVE-2020-14115 | MI | Insufficient Verification of Data Authenticity vulnerability in MI Ax3600 Firmware 1.0.50 A command injection vulnerability exists in the Xiaomi Router AX3600. | 9.8 |
2022-03-10 | CVE-2022-0895 | Microweber | Unspecified vulnerability in Microweber Static Code Injection in GitHub repository microweber/microweber prior to 1.3. | 9.8 |
2022-03-09 | CVE-2022-22805 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled. | 9.8 |
2022-03-09 | CVE-2022-22806 | Schneider Electric | Unspecified vulnerability in Schneider-Electric products A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. | 9.8 |
2022-03-08 | CVE-2022-26313 | Mendix | Unspecified vulnerability in Mendix Forgot Password 3.3.0/3.3.2/3.4.0 A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1). | 9.8 |
2022-03-08 | CVE-2022-26314 | Mendix | Improper Restriction of Excessive Authentication Attempts vulnerability in Mendix Forgot Password A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). | 9.8 |
2022-03-07 | CVE-2022-0349 | Wpdeveloper | SQL Injection vulnerability in Wpdeveloper Notificationx The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection | 9.8 |
2022-03-07 | CVE-2022-0434 | A3Rev | SQL Injection vulnerability in A3Rev Page View Count The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. | 9.8 |
2022-03-07 | CVE-2022-0441 | Stylemixthemes | Unspecified vulnerability in Stylemixthemes Masterstudy LMS The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin | 9.8 |
2022-03-07 | CVE-2022-0766 | Janeczku | Server-Side Request Forgery (SSRF) vulnerability in Janeczku Calibre-Web Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. | 9.8 |
2022-03-11 | CVE-2022-0860 | Cobbler Project Fedoraproject | Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | 9.1 |
2022-03-11 | CVE-2022-0871 | Gogs | Unspecified vulnerability in Gogs Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5. | 9.1 |
2022-03-10 | CVE-2022-25922 | Hegemonelectronics | Missing Authentication for Critical Function vulnerability in Hegemonelectronics Plc4Trucks Firmware J2497 Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. | 9.1 |
2022-03-10 | CVE-2022-22795 | Signiant | XXE vulnerability in Signiant Manager+Agents Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine An attacker can read all the system files, the product is running with root on Linux systems and nt/authority on windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. | 9.1 |
2022-03-10 | CVE-2022-23383 | Yzmcms | Improper Authentication vulnerability in Yzmcms 6.3 YzmCMS v6.3 is affected by broken access control. | 9.1 |
2022-03-10 | CVE-2021-40053 | Huawei | Incorrect Default Permissions vulnerability in Huawei Emui, Harmonyos and Magic UI There is a permission control vulnerability in the Nearby module. Successful exploitation of this vulnerability will affect availability and integrity. | 9.1 |
2022-03-10 | CVE-2021-33293 | Libpano13 Project Debian | Out-of-bounds Read vulnerability in multiple products Panorama Tools libpano13 v2.9.20 was discovered to contain an out-of-bounds read in the function panoParserFindOLine() in parser.c. | 9.1 |
2022-03-09 | CVE-2022-0715 | Schneider Electric | Insufficient Verification of Data Authenticity vulnerability in Schneider-Electric products A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a key is leaked and used to upload malicious firmware. | 9.1 |
2022-03-09 | CVE-2022-0482 | Easyappointments | Unspecified vulnerability in Easyappointments Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3. | 9.1 |
180 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-13 | CVE-2021-45886 | Ponton | Cross-Site Request Forgery (CSRF) vulnerability in Ponton X/P Messenger 3.10.0/3.8.0 An issue was discovered in PONTON X/P Messenger before 3.11.2. | 8.8 |
2022-03-11 | CVE-2022-25600 | Flippercode Fedoraproject | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cross-Site Request Forgery (CSRF) vulnerability affecting Delete Marker Category, Delete Map, and Copy Map functions in WP Google Map plugin (versions <= 4.2.3). | 8.8 |
2022-03-11 | CVE-2022-21808 | Yokogawa | Path Traversal vulnerability in Yokogawa products Path traversal vulnerability exists in CAMS for HIS Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00. | 8.8 |
2022-03-11 | CVE-2022-22729 | Yokogawa | Improper Authentication vulnerability in Yokogawa products CAMS for HIS Server contained in the following Yokogawa Electric products improperly authenticate the receiving packets. | 8.8 |
2022-03-11 | CVE-2022-25510 | Freetakserver UI Project | Use of Hard-coded Credentials vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8 FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges. | 8.8 |
2022-03-10 | CVE-2021-39022 | IBM | Improper Neutralization of Formula Elements in a CSV File vulnerability in IBM Guardium Data Encryption 4.0.0.0/5.0.0.0 IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. | 8.8 |
2022-03-10 | CVE-2021-44673 | Croogo | Unrestricted Upload of File with Dangerous Type vulnerability in Croogo 3.0.2 A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2 via admin/file-manager/attachments, which lets a malicious user upload a web shell script. | 8.8 |
2022-03-10 | CVE-2022-26846 | Spip Debian | SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code. | 8.8 |
2022-03-10 | CVE-2022-24644 | Zzinc | Download of Code Without Integrity Check vulnerability in Zzinc Keymouse Firmware 2.02/3.05/3.08 ZZ Inc. | 8.8 |
2022-03-10 | CVE-2022-24915 | Ipcomm | Unspecified vulnerability in Ipcomm Ipdio Firmware 3.9 The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. | 8.8 |
2022-03-10 | CVE-2022-22834 | Overit | XML Injection (aka Blind XPath Injection) vulnerability in Overit Geocall 6.3 An issue was discovered in OverIT Geocall before 8.0. | 8.8 |
2022-03-10 | CVE-2022-22985 | Ipcomm | Unspecified vulnerability in Ipcomm Ipdio Firmware 3.9 The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. | 8.8 |
2022-03-10 | CVE-2022-23940 | Salesagility | Deserialization of Untrusted Data vulnerability in Salesagility Suitecrm SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. | 8.8 |
2022-03-10 | CVE-2021-43970 | Quicklert | Unrestricted Upload of File with Dangerous Type vulnerability in Quicklert 10.0.0 An arbitrary file upload vulnerability exists in albumimages.jsp in Quicklert for Digium 10.0.0 (1043) via a .mp3;.jsp filename for a file that begins with audio data bytes. | 8.8 |
2022-03-10 | CVE-2022-0204 | Bluez Fedoraproject Debian | Integer Overflow or Wraparound vulnerability in multiple products A heap overflow vulnerability was found in bluez in versions prior to 5.63. | 8.8 |
2022-03-10 | CVE-2022-0507 | Pandorafms | SQL Injection vulnerability in Pandorafms Pandora FMS Found a potential security vulnerability inside the Pandora API. | 8.8 |
2022-03-09 | CVE-2022-24732 | Maddy Project | Unspecified vulnerability in Maddy Project Maddy Maddy Mail Server is an open source SMTP compatible email server. | 8.8 |
2022-03-09 | CVE-2021-36777 | Opensuse | Unspecified vulnerability in Opensuse Open Build Service A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with an expected login form that then sends the clear text credentials to an attacker specified server. | 8.8 |
2022-03-09 | CVE-2022-0896 | Microweber | Code Injection vulnerability in Microweber Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3. | 8.8 |
2022-03-08 | CVE-2022-24715 | Icinga | Unspecified vulnerability in Icinga web 2 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. | 8.8 |
2022-03-07 | CVE-2021-24952 | Tatvic | SQL Injection vulnerability in Tatvic Conversios.Io The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks. | 8.8 |
2022-03-07 | CVE-2022-0410 | WP Visitor Statistics Project | SQL Injection vulnerability in WP Visitor Statistics Project WP Visitor Statistics The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.6 does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to a SQL injection | 8.8 |
2022-03-07 | CVE-2022-0439 | Icegram | SQL Injection vulnerability in Icegram Email Subscribers & Newsletters The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. | 8.8 |
2022-03-07 | CVE-2022-22351 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged trusted host user to exploit a vulnerability in the nimsh daemon to cause a denial of service in the nimsh daemon on another trusted host. | 8.6 |
2022-03-10 | CVE-2022-25219 | Phicomm | Unspecified vulnerability in Phicomm products A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. | 8.4 |
2022-03-11 | CVE-2022-23924 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23925 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23926 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23927 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23928 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23929 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23930 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23931 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23932 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23933 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-23934 | HP | Unspecified vulnerability in HP PC Bios Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure. | 8.2 |
2022-03-11 | CVE-2022-21177 | Yokogawa | Path Traversal vulnerability in Yokogawa products There is a path traversal vulnerability in CAMS for HIS Log Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00. | 8.1 |
2022-03-11 | CVE-2022-22145 | Yokogawa | Resource Exhaustion vulnerability in Yokogawa products CAMS for HIS Log Server contained in the following Yokogawa Electric products is vulnerable to uncontrolled resource consumption. | 8.1 |
2022-03-11 | CVE-2022-22151 | Yokogawa | Improper Encoding or Escaping of Output vulnerability in Yokogawa products CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00. | 8.1 |
2022-03-10 | CVE-2022-25090 | Kofax | Race Condition vulnerability in Kofax Printix 1.3.1106.0 Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition. | 8.1 |
2022-03-10 | CVE-2022-25218 | Phicomm | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Phicomm products The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. | 8.1 |
2022-03-08 | CVE-2022-24309 | Mendix | Unspecified vulnerability in Mendix A vulnerability has been identified in Mendix Runtime V7 (All versions < V7.23.29), Mendix Runtime V8 (All versions < V8.18.16), Mendix Runtime V9 (All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). | 8.1 |
2022-03-13 | CVE-2022-24128 | Timescale | Incorrect Authorization vulnerability in Timescale Timescaledb Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. | 8.0 |
2022-03-13 | CVE-2022-24696 | Mirametrix | Unspecified vulnerability in Mirametrix Glance Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a local attacker to elevate privileges. | 7.8 |
2022-03-13 | CVE-2022-26981 | Liblouis Fedoraproject Apple | Classic Buffer Overflow vulnerability in multiple products Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c). | 7.8 |
2022-03-12 | CVE-2022-26967 | Gpac | Out-of-bounds Write vulnerability in Gpac 2.0 GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. | 7.8 |
2022-03-11 | CVE-2021-41848 | Bluproducts Wikomobile Luna | Use of Hard-coded Credentials vulnerability in multiple products An issue was discovered in Luna Simo PPR1.180610.011/202001031830. | 7.8 |
2022-03-11 | CVE-2021-41850 | Bluproducts Wikomobile Luna | Information Exposure vulnerability in multiple products An issue was discovered in Luna Simo PPR1.180610.011/202001031830. | 7.8 |
2022-03-11 | CVE-2022-24415 | Dell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products Dell BIOS contains an improper input validation vulnerability. | 7.8 |
2022-03-11 | CVE-2022-24416 | Dell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products Dell BIOS contains an improper input validation vulnerability. | 7.8 |
2022-03-11 | CVE-2022-24419 | Dell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products Dell BIOS contains an improper input validation vulnerability. | 7.8 |
2022-03-11 | CVE-2022-24420 | Dell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products Dell BIOS contains an improper input validation vulnerability. | 7.8 |
2022-03-11 | CVE-2022-24421 | Dell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products Dell BIOS contains an improper input validation vulnerability. | 7.8 |
2022-03-11 | CVE-2021-33658 | Huawei | Missing Authentication for Critical Function vulnerability in Huawei Atune 0.3/0.8 In atune before 0.3-0.8, a user logged in as a local user can run the curl command to access the local atune URL interface and escalate local privileges or modify any file. | 7.8 |
2022-03-11 | CVE-2022-23187 | Adobe | Classic Buffer Overflow vulnerability in Adobe Illustrator Adobe Illustrator version 26.0.3 (and earlier) is affected by a buffer overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-11 | CVE-2022-23731 | LG | Unspecified vulnerability in LG Webos V8 javascript engine (heap vulnerability) can cause privilege escalation, which can impact some webOS TV models. | 7.8 |
2022-03-11 | CVE-2022-24094 | Adobe | Out-of-bounds Write vulnerability in Adobe After Effects Adobe After Effects versions 22.2 (and earlier) and 18.4.4 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-11 | CVE-2022-22141 | Yokogawa | Improper Privilege Management vulnerability in Yokogawa products 'Long-term Data Archive Package' service implemented in the following Yokogawa Electric products creates some named pipe with improper ACL configuration. | 7.8 |
2022-03-11 | CVE-2022-22148 | Yokogawa | Incorrect Permission Assignment for Critical Resource vulnerability in Yokogawa products 'Root Service' service implemented in the following Yokogawa Electric products creates some named pipe with improper ACL configuration. | 7.8 |
2022-03-11 | CVE-2022-23401 | Yokogawa | Uncontrolled Search Path Element vulnerability in Yokogawa products The following Yokogawa Electric products contain insecure DLL loading issues. | 7.8 |
2022-03-10 | CVE-2022-24750 | Uvnc | Unspecified vulnerability in Uvnc Ultravnc UltraVNC is a free and open source remote pc access software. | 7.8 |
2022-03-10 | CVE-2022-25217 | Phicomm | Use of Hard-coded Credentials vulnerability in Phicomm K2 Firmware and K3C Firmware Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. | 7.8 |
2022-03-10 | CVE-2022-25230 | Omron | Use After Free vulnerability in Omron Cx-Programmer Use after free vulnerability in CX-Programmer v9.76.1 and earlier, which is part of the CX-One (v4.60) suite, allows an attacker to cause information disclosure and/or arbitrary code execution by having a user open a specially crafted CXP file. | 7.8 |
2022-03-10 | CVE-2022-25234 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Programmer Out-of-bounds write vulnerability in CX-Programmer v9.76.1 and earlier, which is part of the CX-One (v4.60) suite, allows an attacker to cause information disclosure and/or arbitrary code execution by having a user open a specially crafted CXP file. | 7.8 |
2022-03-10 | CVE-2022-25294 | Proofpoint | Unspecified vulnerability in Proofpoint Insider Threat Management Proofpoint Insider Threat Management Agent for Windows relies on an inherently dangerous function that could enable an unprivileged local Windows user to run arbitrary code with SYSTEM privileges. | 7.8 |
2022-03-10 | CVE-2022-25325 | Omron | Use After Free vulnerability in Omron Cx-Programmer Use after free vulnerability in CX-Programmer v9.76.1 and earlier, which is part of the CX-One (v4.60) suite, allows an attacker to cause information disclosure and/or arbitrary code execution by having a user open a specially crafted CXP file. | 7.8 |
2022-03-10 | CVE-2022-25814 | Google | Unspecified vulnerability in Google Android 11.0/12.0 PendingIntent hijacking vulnerability in Wearable Manager Installer prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | 7.8 |
2022-03-10 | CVE-2022-25815 | Google | Unspecified vulnerability in Google Android 10.0/11.0 PendingIntent hijacking vulnerability in Weather application prior to SMR Mar-2022 Release 1 allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent. | 7.8 |
2022-03-10 | CVE-2022-24285 | Acer | Improper Authentication vulnerability in Acer Care Center 4.00.3000/4.00.3038 Acer Care Center 4.00.30xx before 4.00.3042 contains a local privilege escalation vulnerability. | 7.8 |
2022-03-10 | CVE-2022-24286 | Acer | Improper Authentication vulnerability in Acer Quickaccess Acer QuickAccess 2.01.300x before 2.01.3030 and 3.00.30xx before 3.00.3038 contains a local privilege escalation vulnerability. | 7.8 |
2022-03-10 | CVE-2022-24396 | SAP | Unspecified vulnerability in SAP Simple Diagnostics Agent The Simple Diagnostics Agent - versions 1.0 up to version 1.57, does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. | 7.8 |
2022-03-10 | CVE-2022-24618 | Heimdalsecurity | Improper Preservation of Permissions vulnerability in Heimdalsecurity Heimdal Premium Security 2.5.383/2.5.385/2.5.395 Heimdal.Wizard.exe installer in Heimdal Premium Security 2.5.395 and earlier has insecure permissions, which allows unprivileged local users to elevate privileges to SYSTEM via the "Browse For Folder" window accessible by triggering a "Repair" on the MSI package located in C:\Windows\Installer. | 7.8 |
2022-03-10 | CVE-2022-24928 | Google | Unspecified vulnerability in Google Android 11.0 Security misconfiguration of RKP in kernel prior to SMR Mar-2022 Release 1 allows a system not to be protected by RKP. | 7.8 |
2022-03-10 | CVE-2022-24931 | Google | Unspecified vulnerability in Google Android 10.0/11.0 Improper access control vulnerability in dynamic receiver in ApkInstaller prior to SMR MAR-2022 Release allows unauthorized attackers to execute arbitrary activity without a proper permission. | 7.8 |
2022-03-10 | CVE-2022-24960 | Pdftron | Use After Free vulnerability in Pdftron 9.2.0 A use after free vulnerability was discovered in PDFTron SDK version 9.2.0. | 7.8 |
2022-03-10 | CVE-2022-20047 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In video decoder, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2022-03-10 | CVE-2022-20048 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In video decoder, there is a possible out of bounds write due to a missing bounds check. | 7.8 |
2022-03-10 | CVE-2022-20053 | Google | Missing Authorization vulnerability in Google Android In ims service, there is a possible escalation of privilege due to a missing permission check. | 7.8 |
2022-03-10 | CVE-2022-20054 | Google | Missing Authorization vulnerability in Google Android In ims service, there is a possible AT command injection due to a missing permission check. | 7.8 |
2022-03-10 | CVE-2022-21124 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Programmer Out-of-bounds write vulnerability in CX-Programmer v9.76.1 and earlier, which is part of the CX-One (v4.60) suite, allows an attacker to cause information disclosure and/or arbitrary code execution by having a user open a specially crafted CXP file. | 7.8 |
2022-03-10 | CVE-2022-21219 | Omron | Out-of-bounds Read vulnerability in Omron Cx-Programmer Out-of-bounds read vulnerability in CX-Programmer v9.76.1 and earlier, which is part of the CX-One (v4.60) suite, allows an attacker to cause information disclosure and/or arbitrary code execution by having a user open a specially crafted CXP file. | 7.8 |
2022-03-10 | CVE-2021-42855 | Riverbed | Incorrect Permission Assignment for Critical Resource vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a json string that contains a list of IDs and pre-configured commands. | 7.8 |
2022-03-10 | CVE-2022-0516 | Linux Fedoraproject Debian Redhat Netapp | A vulnerability was found in kvm_s390_guest_sida_op in the arch/s390/kvm/kvm-s390.c function in KVM for s390 in the Linux kernel. | 7.8 |
2022-03-10 | CVE-2022-0847 | Linux Fedoraproject Redhat Ovirt Netapp Siemens Sonicwall | Improper Initialization vulnerability in multiple products A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. | 7.8 |
2022-03-10 | CVE-2021-40376 | Otris | Improper Authentication vulnerability in Otris Update Manager 1.2.1.0 otris Update Manager 1.2.1.0 allows local users to achieve SYSTEM access via unauthenticated calls to exposed interfaces over a .NET named pipe. | 7.8 |
2022-03-10 | CVE-2021-32025 | Blackberry | Unspecified vulnerability in Blackberry products An elevation of privilege vulnerability in the QNX Neutrino Kernel of affected versions of QNX Software Development Platform version(s) 6.4.0 to 7.0, QNX Momentics all 6.3.x versions, QNX OS for Safety versions 1.0.0 to 1.0.2, QNX OS for Safety versions 2.0.0 to 2.0.1, QNX for Medical versions 1.0.0 to 1.1.1, and QNX OS for Medical version 2.0.0 could allow an attacker to potentially access data, modify behavior, or permanently crash the system. | 7.8 |
2022-03-10 | CVE-2020-14111 | MI | Insufficient Verification of Data Authenticity vulnerability in MI Ax3600 Firmware 1.0.50/1.0.67/1.1.12 A command injection vulnerability exists in the Xiaomi Router AX3600. | 7.8 |
2022-03-09 | CVE-2022-25943 | Kingsoft | Incorrect Default Permissions vulnerability in Kingsoft WPS Office The installer of WPS Office for Windows versions prior to v11.2.0.10258 fails to configure properly the ACL for the directory where the service program is installed. | 7.8 |
2022-03-08 | CVE-2022-26337 | Trendmicro | Uncontrolled Search Path Element vulnerability in Trendmicro Password Manager Trend Micro Password Manager (Consumer) installer version 5.0.0.1262 and below is vulnerable to an Uncontrolled Search Path Element vulnerability that could allow an attacker to use a specially crafted file to exploit the vulnerability and escalate local privileges on the affected machine. | 7.8 |
2022-03-08 | CVE-2022-24408 | Siemens | Improper Privilege Management vulnerability in Siemens Sinumerik MC Firmware and Sinumerik ONE Firmware A vulnerability has been identified in SINUMERIK MC (All versions < V1.15 SP1), SINUMERIK ONE (All versions < V6.15 SP1). | 7.8 |
2022-03-08 | CVE-2022-24661 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Star-Ccm+ Viewer 2021.2.1/2021.3.1 A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All versions < V2022.1). | 7.8 |
2022-03-07 | CVE-2021-4199 | Bitdefender | Incorrect Permission Assignment for Critical Resource vulnerability in Bitdefender products Incorrect Permission Assignment for Critical Resource vulnerability in the crash handling component BDReinit.exe as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools for Windows allows a remote attacker to escalate local privileges to SYSTEM. | 7.8 |
2022-03-11 | CVE-2022-21819 | Nvidia | Incorrect Permission Assignment for Critical Resource vulnerability in Nvidia Jetson Linux NVIDIA distributions of Jetson Linux contain a vulnerability where an error in the IOMMU configuration may allow an unprivileged attacker with physical access to the board direct read/write access to the entire system address space through the PCI bus. | 7.6 |
2022-03-09 | CVE-2021-22783 | Schneider Electric | Unspecified vulnerability in Schneider-Electric Ritto Wiser Door A CWE-200: Information Exposure vulnerability exists which could allow a session hijack when the door panel is communicating with the door. | 7.6 |
2022-03-11 | CVE-2021-42577 | Softing | NULL Pointer Dereference vulnerability in Softing products An issue was discovered in Softing OPC UA C++ SDK before 5.70. | 7.5 |
2022-03-11 | CVE-2021-23246 | Oppo | Unspecified vulnerability in Oppo Coloros 11 In ACE2 ColorOS11, the attacker can obtain the foreground package name through permission promotion, resulting in user information disclosure. | 7.5 |
2022-03-11 | CVE-2021-32476 | Moodle | Allocation of Resources Without Limits or Throttling vulnerability in Moodle A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. | 7.5 |
2022-03-11 | CVE-2022-0853 | Redhat | Memory Leak vulnerability in Redhat products A flaw was found in JBoss-client. | 7.5 |
2022-03-11 | CVE-2022-25216 | Dvdfab | Path Traversal vulnerability in Dvdfab 12 Player and Playerfab An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>. | 7.5 |
2022-03-11 | CVE-2022-0913 | Microweber | Integer Overflow or Wraparound vulnerability in Microweber Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3. | 7.5 |
2022-03-11 | CVE-2020-36518 | Fasterxml Oracle Debian Netapp | Out-of-bounds Write vulnerability in multiple products jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | 7.5 |
2022-03-11 | CVE-2022-25508 | Freetakserver UI Project | Missing Authentication for Critical Function vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8 An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes for legitimate users. | 7.5 |
2022-03-11 | CVE-2022-25512 | Freetakserver UI Project | Information Exposure vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8 FreeTAKServer-UI v1.9.8 was discovered to leak sensitive API and Websocket keys. | 7.5 |
2022-03-10 | CVE-2022-24726 | Istio | Resource Exhaustion vulnerability in Istio Istio is an open platform to connect, manage, and secure microservices. | 7.5 |
2022-03-10 | CVE-2022-25546 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS. | 7.5 |
2022-03-10 | CVE-2022-25547 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime. | 7.5 |
2022-03-10 | CVE-2022-25548 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime. | 7.5 |
2022-03-10 | CVE-2022-25549 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS. | 7.5 |
2022-03-10 | CVE-2022-25550 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function saveParentControlInfo. | 7.5 |
2022-03-10 | CVE-2022-25551 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS. | 7.5 |
2022-03-10 | CVE-2022-25552 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function form_fast_setting_wifi_set. | 7.5 |
2022-03-10 | CVE-2022-25553 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetSysToolDDNS. | 7.5 |
2022-03-10 | CVE-2022-25554 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function saveParentControlInfo. | 7.5 |
2022-03-10 | CVE-2022-25555 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime. | 7.5 |
2022-03-10 | CVE-2022-25556 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21 Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_42E328. | 7.5 |
2022-03-10 | CVE-2022-25557 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow in the function saveParentControlInfo. | 7.5 |
2022-03-10 | CVE-2022-25558 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function formSetProvince. | 7.5 |
2022-03-10 | CVE-2022-25560 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21 Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_4327CC. | 7.5 |
2022-03-10 | CVE-2022-25561 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21 Tenda AX12 v22.03.01.21 was discovered to contain a stack overflow in the function sub_42DE00. | 7.5 |
2022-03-10 | CVE-2022-25566 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function saveParentControlInfo. | 7.5 |
2022-03-10 | CVE-2022-26311 | Couchbase | Unspecified vulnerability in Couchbase Cloud Native Operator 2.2.0/2.2.1/2.2.2 Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to an Unauthorized Actor. | 7.5 |
2022-03-10 | CVE-2022-26662 | Tryton Debian | XML Entity Expansion vulnerability in multiple products An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. | 7.5 |
2022-03-10 | CVE-2022-24601 | Luocms Project | SQL Injection vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by SQL Injection in /admin/manager/admin_mod.php. | 7.5 |
2022-03-10 | CVE-2022-0903 | Mattermost | Out-of-bounds Write vulnerability in Mattermost Server A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted POST body. | 7.5 |
2022-03-10 | CVE-2022-22547 | SAP | Unspecified vulnerability in SAP Simple Diagnostics Agent Simple Diagnostics Agent - versions 1.0 (up to version 1.57) allows an attacker to access information which would otherwise be restricted via a random port 9000-65535. | 7.5 |
2022-03-10 | CVE-2021-44032 | TP Link | Unspecified vulnerability in Tp-Link Omada Software Controller TP-Link Omada SDN Software Controller before 5.0.15 does not check if the authentication method specified in a connection request is allowed. | 7.5 |
2022-03-10 | CVE-2021-46408 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21 Tenda AX12 v22.03.01.21 was discovered to contain a stack buffer overflow in the function sub_422CE4. | 7.5 |
2022-03-10 | CVE-2022-0618 | Apple | Unspecified vulnerability in Apple Swiftnio Http/2 A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. | 7.5 |
2022-03-10 | CVE-2022-0725 | Keepass Fedoraproject | Information Exposure Through Log Files vulnerability in multiple products A flaw was found in keepass. | 7.5 |
2022-03-10 | CVE-2022-0813 | Phpmyadmin | Information Exposure vulnerability in PHPmyadmin PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. | 7.5 |
2022-03-10 | CVE-2021-40047 | Huawei | Memory Leak vulnerability in Huawei Emui, Harmonyos and Magic UI There is a vulnerability of memory not being released after effective lifetime in the Bastet module. | 7.5 |
2022-03-10 | CVE-2021-40048 | Huawei | Incorrect Calculation of Buffer Size vulnerability in Huawei Emui, Harmonyos and Magic UI There is an incorrect buffer size calculation vulnerability in the video framework. | 7.5 |
2022-03-10 | CVE-2021-40049 | Huawei | Incorrect Default Permissions vulnerability in Huawei Emui, Harmonyos and Magic UI There is a permission control vulnerability in the PMS module. | 7.5 |
2022-03-10 | CVE-2021-40051 | Huawei | Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI There is an unauthorized access vulnerability in system components. | 7.5 |
2022-03-10 | CVE-2021-40052 | Huawei | Incorrect Calculation of Buffer Size vulnerability in Huawei Emui, Harmonyos and Magic UI There is an incorrect buffer size calculation vulnerability in the video framework. Successful exploitation of this vulnerability may affect availability. | 7.5 |
2022-03-10 | CVE-2021-40054 | Huawei | Integer Underflow (Wrap or Wraparound) vulnerability in Huawei Emui and Magic UI There is an integer underflow vulnerability in the atcmdserver module. | 7.5 |
2022-03-10 | CVE-2021-40056 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui and Magic UI There is a vulnerability of copying input buffer without checking its size in the video framework. | 7.5 |
2022-03-10 | CVE-2021-40057 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Magic UI There is a heap-based and stack-based buffer overflow vulnerability in the video framework. | 7.5 |
2022-03-10 | CVE-2021-40058 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Magic UI There is a heap-based buffer overflow vulnerability in the video framework. | 7.5 |
2022-03-10 | CVE-2021-40060 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Magic UI There is a heap-based buffer overflow vulnerability in the video framework. | 7.5 |
2022-03-10 | CVE-2021-40061 | Huawei | Type Confusion vulnerability in Huawei Emui, Harmonyos and Magic UI There is a vulnerability of accessing resources using an incompatible type (type confusion) in the Bastet module. | 7.5 |
2022-03-10 | CVE-2021-40062 | Huawei | Classic Buffer Overflow vulnerability in Huawei Emui and Magic UI There is a vulnerability of copying input buffer without checking its size in the video framework. | 7.5 |
2022-03-10 | CVE-2021-40063 | Huawei | Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI There is an improper access control vulnerability in the video module. | 7.5 |
2022-03-10 | CVE-2021-40064 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui, Harmonyos and Magic UI There is a heap-based buffer overflow vulnerability in system components. | 7.5 |
2022-03-10 | CVE-2021-3698 | Cockpit Project Redhat | Improper Certificate Validation vulnerability in multiple products A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). | 7.5 |
2022-03-10 | CVE-2020-36517 | Home Assistant | Information Exposure Through Discrepancy vulnerability in Home-Assistant 2022.03 An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS operator to gain knowledge about internal network resources via the hardcoded DNS resolver configuration. | 7.5 |
2022-03-10 | CVE-2021-38296 | Apache Oracle | Authentication Bypass by Capture-replay vulnerability in multiple products Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". | 7.5 |
2022-03-09 | CVE-2022-24748 | Shopware | Incorrect Authorization vulnerability in Shopware Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. | 7.5 |
2022-03-08 | CVE-2022-24716 | Icinga | Unspecified vulnerability in Icinga web 2 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. | 7.5 |
2022-03-08 | CVE-2022-24713 | Rust Lang Fedoraproject Debian | regex is an implementation of regular expressions for the Rust language. | 7.5 |
2022-03-07 | CVE-2021-25087 | Wpdownloadmanager | Unspecified vulnerability in Wpdownloadmanager Wordpress Download Manager The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25). | 7.5 |
2022-03-10 | CVE-2022-25214 | Phicomm | Unspecified vulnerability in Phicomm products Improper access control on the LocalClientList.asp interface allows an unauthenticated remote attacker to obtain sensitive information concerning devices on the local area network, including IP and MAC addresses. | 7.4 |
2022-03-07 | CVE-2022-24738 | Evmos | Improper Authentication vulnerability in Evmos Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. | 7.4 |
2022-03-10 | CVE-2022-0815 | Mcafee | Exposure of Resource to Wrong Sphere vulnerability in Mcafee Webadvisor 4.1.1.48 Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user’s system. | 7.3 |
2022-03-10 | CVE-2021-44750 | F Secure | Unspecified vulnerability in F-Secure products An arbitrary code execution vulnerability was found in the F-Secure Support Tool. | 7.3 |
2022-03-11 | CVE-2021-32474 | Moodle | SQL Injection vulnerability in Moodle An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. | 7.2 |
2022-03-10 | CVE-2022-25225 | Softinventive | SQL Injection vulnerability in Softinventive Network Olympus 1.8.0 Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. | 7.2 |
2022-03-10 | CVE-2022-26521 | Abantecart | Unrestricted Upload of File with Dangerous Type vulnerability in Abantecart Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type). | 7.2 |
2022-03-09 | CVE-2022-24734 | Mybb | Unspecified vulnerability in Mybb MyBB is a free and open source forum software. | 7.2 |
2022-03-08 | CVE-2021-43944 | Atlassian | Code Injection vulnerability in Atlassian Jira Server This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. | 7.2 |
2022-03-07 | CVE-2021-24216 | Servmask | Unrestricted Upload of File with Dangerous Type vulnerability in Servmask One-Stop WP Migration 7.39/7.40 The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations. | 7.2 |
2022-03-07 | CVE-2021-24777 | Hotscot | SQL Injection vulnerability in Hotscot Contact Form 1.0/1.1/1.2 The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a GET request with the sub_id parameter, which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to an SQL injection. | 7.2 |
2022-03-07 | CVE-2021-24778 | Wpaffiliatefeed | SQL Injection vulnerability in Wpaffiliatefeed Tradetracker-Store The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | 7.2 |
2022-03-07 | CVE-2022-0267 | Adrotate Project | SQL Injection vulnerability in Adrotate Project Adrotate The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection. | 7.2 |
2022-03-07 | CVE-2022-0420 | Metagauss | SQL Injection vulnerability in Metagauss Registrationmagic The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks. | 7.2 |
2022-03-07 | CVE-2022-0440 | Catchplugins | Unspecified vulnerability in Catchplugins Catch Themes Demo Import The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the files to be imported, which could allow a high-privilege admin to upload an arbitrary PHP file and gain RCE even in the case of a hardened blog (i.e. DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true). | 7.2 |
2022-03-10 | CVE-2022-25821 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 Improper use of SMS buffer pointer in Shannon baseband prior to SMR Mar-2022 Release 1 allows OOB read. | 7.1 |
2022-03-10 | CVE-2022-0891 | Libtiff Debian Fedoraproject Netapp | Out-of-bounds Write vulnerability in multiple products A heap buffer overflow in the ExtractImageSection function in tiffcrop.c in libtiff library version 4.3.0 allows an attacker to trigger unsafe or out-of-bounds memory access via a crafted TIFF image file, which could result in an application crash, potential information disclosure or any other context-dependent impact. | 7.1 |
2022-03-10 | CVE-2021-3739 | Linux Fedoraproject Netapp | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel, where triggering the bug requires ‘CAP_SYS_ADMIN’. | 7.1 |
2022-03-10 | CVE-2022-0905 | Gitea | Unspecified vulnerability in Gitea Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4. | 7.1 |
2022-03-10 | CVE-2022-0280 | Microsoft | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Microsoft Windows A race condition vulnerability exists in the QuickClean feature of McAfee Total Protection for Windows prior to 16.0.43 that allows a local user to gain privilege elevation and perform an arbitrary file delete. | 7.0 |
2022-03-10 | CVE-2022-23036 | XEN Debian | Race Condition vulnerability in multiple products Linux PV device frontends vulnerable to attacks by backends [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. | 7.0 |
2022-03-10 | CVE-2022-23037 | XEN Debian | Race Condition vulnerability in multiple products Linux PV device frontends vulnerable to attacks by backends [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. | 7.0 |
2022-03-10 | CVE-2022-23038 | XEN Debian | Race Condition vulnerability in multiple products Linux PV device frontends vulnerable to attacks by backends [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. | 7.0 |
2022-03-10 | CVE-2022-23039 | XEN Debian | Race Condition vulnerability in multiple products Linux PV device frontends vulnerable to attacks by backends [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. | 7.0 |
2022-03-10 | CVE-2022-23040 | XEN Debian | Race Condition vulnerability in multiple products Linux PV device frontends vulnerable to attacks by backends [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. | 7.0 |
2022-03-10 | CVE-2022-23041 | XEN Debian | Race Condition vulnerability in multiple products Linux PV device frontends vulnerable to attacks by backends [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. | 7.0 |
2022-03-10 | CVE-2022-23042 | XEN Debian | Race Condition vulnerability in multiple products Linux PV device frontends vulnerable to attacks by backends [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. | 7.0 |
2022-03-10 | CVE-2022-26488 | Python Netapp | Untrusted Search Path vulnerability in multiple products In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. | 7.0 |
2022-03-09 | CVE-2022-24753 | Stripe | Unspecified vulnerability in Stripe CLI Stripe CLI is a command-line tool for the Stripe eCommerce platform. | 7.0 |
190 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-11 | CVE-2021-33150 | Intel | Unspecified vulnerability in Intel products Hardware allows activation of test or debug logic at runtime for some Intel(R) Trace Hub instances which may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 6.8 |
2022-03-10 | CVE-2022-25213 | Phicomm | Use of Hard-coded Credentials vulnerability in Phicomm products Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. | 6.8 |
2022-03-10 | CVE-2022-20055 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In preloader (usb), there is a possible out of bounds write due to a missing bounds check. | 6.8 |
2022-03-11 | CVE-2022-0921 | Microweber | Unrestricted Upload of File with Dangerous Type vulnerability in Microweber Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12. | 6.7 |
2022-03-10 | CVE-2022-20049 | Google | Missing Authorization vulnerability in Google Android 10.0/11.0 In vpu, there is a possible escalation of privilege due to a missing permission check. | 6.7 |
2022-03-10 | CVE-2022-20050 | Google | Link Following vulnerability in Google Android 11.0/12.0 In connsyslogger, there is a possible symbolic link following due to improper link resolution. | 6.7 |
2022-03-10 | CVE-2022-20056 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In preloader (usb), there is a possible out of bounds write due to a missing bounds check. | 6.6 |
2022-03-10 | CVE-2022-20058 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In preloader (usb), there is a possible out of bounds write due to a missing bounds check. | 6.6 |
2022-03-10 | CVE-2022-20059 | Google | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In preloader (usb), there is a possible out of bounds write due to a missing bounds check. | 6.6 |
2022-03-10 | CVE-2022-20060 | Google | Missing Authentication for Critical Function vulnerability in Google Android 10.0/11.0/12.0 In preloader (usb), there is a possible permission bypass due to a missing proper image authentication. | 6.6 |
2022-03-11 | CVE-2021-42262 | Softing | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Softing products An issue was discovered in Softing OPC UA C++ SDK before 5.70. | 6.5 |
2022-03-11 | CVE-2021-26341 | AMD | Improper Cross-boundary Removal of Sensitive Data vulnerability in AMD products Some AMD CPUs may transiently execute beyond unconditional direct branches, which may potentially result in data leakage. | 6.5 |
2022-03-11 | CVE-2022-0001 | Intel Oracle | Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. | 6.5 |
2022-03-11 | CVE-2022-0002 | Intel Oracle | Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. | 6.5 |
2022-03-11 | CVE-2022-23625 | Wire | Improper Handling of Exceptional Conditions vulnerability in Wire and Wire-Ios-Transport Wire-ios is a messaging application using the wire protocol on apple's ios platform. | 6.5 |
2022-03-11 | CVE-2022-0932 | Saleor | Unspecified vulnerability in Saleor Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. | 6.5 |
2022-03-11 | CVE-2022-0821 | Orchardcore | Unspecified vulnerability in Orchardcore Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0. | 6.5 |
2022-03-11 | CVE-2022-25506 | Freetakserver UI Project | SQL Injection vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8 FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser. | 6.5 |
2022-03-11 | CVE-2022-25511 | Freetakserver UI Project | Unspecified vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8 An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system. | 6.5 |
2022-03-10 | CVE-2022-25243 | Hashicorp | Improper Certificate Validation vulnerability in Hashicorp Vault Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. | 6.5 |
2022-03-10 | CVE-2022-25244 | Hashicorp | Unspecified vulnerability in Hashicorp Vault Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. | 6.5 |
2022-03-10 | CVE-2022-26652 | Nats | Path Traversal vulnerability in Nats Server and Nats Streaming Server NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. | 6.5 |
2022-03-10 | CVE-2022-26661 | Tryton Debian | XXE vulnerability in multiple products An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. | 6.5 |
2022-03-10 | CVE-2022-26778 | Veritas | Cleartext Storage of Sensitive Information vulnerability in Veritas System Recovery 18.0/21 Veritas System Recovery (VSR) 18 and 21 stores a network destination password in the Windows registry during configuration of the backup configuration. | 6.5 |
2022-03-10 | CVE-2022-24398 | SAP | Unspecified vulnerability in SAP Business Objects Business Intelligence Platform 420/430 Under certain conditions SAP Business Objects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker to access information which would otherwise be restricted. | 6.5 |
2022-03-10 | CVE-2022-0904 | Mattermost | Out-of-bounds Write vulnerability in Mattermost Server A stack overflow bug in the document extractor in Mattermost Server in versions up to and including 6.3.2 allows an attacker to crash the server via submitting a maliciously crafted Apple Pages document. | 6.5 |
2022-03-10 | CVE-2022-20057 | Google | Improper Handling of Exceptional Conditions vulnerability in Google Android 11.0/12.0 In btif, there is a possible memory corruption due to incorrect error handling. | 6.5 |
2022-03-10 | CVE-2022-21132 | Pfsense | Path Traversal vulnerability in Pfsense Pfsense-Pkg-Wireguard 0.1.5/0.1.6 Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder. | 6.5 |
2022-03-10 | CVE-2022-22835 | Overit | XXE vulnerability in Overit Geocall 6.3 An issue was discovered in OverIT Geocall before version 8.0. | 6.5 |
2022-03-10 | CVE-2021-43969 | Quicklert | SQL Injection vulnerability in Quicklert 10.0.0 The login.jsp page of Quicklert for Digium 10.0.0 (1043) is affected by both Blind SQL Injection with Out-of-Band Interaction (DNS) and Blind Time-Based SQL Injections. | 6.5 |
2022-03-10 | CVE-2022-0856 | Libcaca Project Fedoraproject | Divide By Zero vulnerability in multiple products libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service | 6.5 |
2022-03-10 | CVE-2022-0865 | Libtiff Debian Fedoraproject Netapp | Reachable Assertion vulnerability in multiple products Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-03-10 | CVE-2021-40059 | Huawei | Incorrect Default Permissions vulnerability in Huawei Emui and Magic UI There is a permission control vulnerability in the Wi-Fi module. | 6.5 |
2022-03-10 | CVE-2021-28488 | Ericsson | Exposure of Resource to Wrong Sphere vulnerability in Ericsson Network Manager Ericsson Network Manager (ENM) before 21.2 has incorrect access-control behavior (that only affects the level of access available to persons who were already granted a highly privileged role). | 6.5 |
2022-03-10 | CVE-2021-32436 | Abcm2Ps Project Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read in the function write_title() in subs.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors. | 6.5 |
2022-03-10 | CVE-2021-34338 | Libming Fedoraproject | Out-of-bounds Write vulnerability in multiple products Ming 0.4.8 has an out-of-bounds buffer overwrite issue in the function getName() in decompiler.c file that causes a direct segmentation fault and leads to denial of service. | 6.5 |
2022-03-10 | CVE-2021-34339 | Libming Fedoraproject | Out-of-bounds Write vulnerability in multiple products Ming 0.4.8 has an out-of-bounds buffer access issue in the function getString() in decompiler.c file that causes a direct segmentation fault and leads to denial of service. | 6.5 |
2022-03-10 | CVE-2021-34340 | Libming Fedoraproject | Out-of-bounds Write vulnerability in multiple products Ming 0.4.8 has an out-of-bounds buffer access issue in the function decompileINCR_DECR() in decompiler.c file that causes a direct segmentation fault and leads to denial of service. | 6.5 |
2022-03-10 | CVE-2021-34341 | Libming Fedoraproject | Out-of-bounds Read vulnerability in multiple products Ming 0.4.8 has an out-of-bounds read vulnerability in the function decompileIF() in the decompile.c file that causes a direct segmentation fault and leads to denial of service. | 6.5 |
2022-03-10 | CVE-2021-34342 | Libming Fedoraproject | Out-of-bounds Read vulnerability in multiple products Ming 0.4.8 has an out-of-bounds read vulnerability in the function newVar_N() in decompile.c which causes a huge information leak. | 6.5 |
2022-03-10 | CVE-2021-3733 | Python Redhat Fedoraproject Netapp | Resource Exhaustion vulnerability in multiple products There's a flaw in urllib's AbstractBasicAuthHandler class. | 6.5 |
2022-03-09 | CVE-2022-24745 | Shopware | Unspecified vulnerability in Shopware Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. | 6.5 |
2022-03-09 | CVE-2022-24741 | Nextcloud | Allocation of Resources Without Limits or Throttling vulnerability in Nextcloud Server Nextcloud server is an open source, self hosted cloud style services platform. | 6.5 |
2022-03-09 | CVE-2022-0881 | Framasoft | Insecure Storage of Sensitive Information vulnerability in Framasoft Peertube Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1. | 6.5 |
2022-03-08 | CVE-2022-26319 | Trendmicro | Uncontrolled Search Path Element vulnerability in Trendmicro Portable Security 2.0/3.0 An installer search path element vulnerability in Trend Micro Portable Security 3.0 Pro, 3.0 and 2.0 could allow a local attacker to place an arbitrarily generated DLL file in an installer folder to elevate local privileges. | 6.5 |
2022-03-08 | CVE-2021-41543 | Siemens | Information Exposure Through Log Files vulnerability in Siemens Climatix Pol909 Firmware 11.34/11.42 A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). | 6.5 |
2022-03-08 | CVE-2022-26317 | Mendix | Use of Insufficiently Random Values vulnerability in Mendix A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29). | 6.5 |
2022-03-07 | CVE-2022-24737 | Httpie Fedoraproject | HTTPie is a command-line HTTP client. | 6.5 |
2022-03-07 | CVE-2022-0754 | Salesagility | SQL Injection vulnerability in Salesagility Suitecrm SQL Injection in GitHub repository salesagility/suitecrm prior to 7.12.5. | 6.5 |
2022-03-07 | CVE-2022-0756 | Salesagility | Unspecified vulnerability in Salesagility Suitecrm Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. | 6.5 |
2022-03-07 | CVE-2021-25098 | Fatcatapps | Cross-Site Request Forgery (CSRF) vulnerability in Fatcatapps Easy Pricing Tables The Pricing Tables WordPress Plugin WordPress plugin before 3.1.3 does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash | 6.5 |
2022-03-07 | CVE-2022-0163 | Rednao | Missing Authorization vulnerability in Rednao Smart Forms The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated user, such as a subscriber, to download arbitrary form data, which could include sensitive information such as PII depending on the form. | 6.5 |
2022-03-07 | CVE-2022-0445 | Devowl | Cross-Site Request Forgery (CSRF) vulnerability in Devowl Wordpress Real Cookie Banner The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack | 6.5 |
2022-03-10 | CVE-2022-25822 | Google | Use After Free vulnerability in Google Android 10.0/11.0/12.0 A use after free vulnerability in sdp driver prior to SMR Mar-2022 Release 1 allows kernel crash. | 6.2 |
2022-03-13 | CVE-2021-46709 | Phpliteadmin | Cross-site Scripting vulnerability in PHPliteadmin phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows parameter (aka num or number). | 6.1 |
2022-03-12 | CVE-2022-0929 | Microweber | Cross-site Scripting vulnerability in Microweber XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11. | 6.1 |
2022-03-12 | CVE-2022-26533 | Alist Project | Cross-site Scripting vulnerability in Alist Project Alist Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist. | 6.1 |
2022-03-11 | CVE-2021-44667 | Alibaba | Cross-site Scripting vulnerability in Alibaba Nacos 2.0.3 A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users via the (1) pageSize and (2) pageNo parameters. | 6.1 |
2022-03-11 | CVE-2021-27414 | Hitachienergy | Improper Restriction of Rendered UI Layers or Frames vulnerability in Hitachienergy Ellipse Enterprise Asset Management 9.0.22 An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials. | 6.1 |
2022-03-11 | CVE-2021-32009 | Secomea | Cross-site Scripting vulnerability in Secomea Gatemanager 9.6.621421014 Cross-site Scripting (XSS) vulnerability in firmware section of Secomea GateManager allows a logged-in user to inject JavaScript in browser session. | 6.1 |
2022-03-11 | CVE-2021-32478 | Moodle | Unspecified vulnerability in Moodle The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. | 6.1 |
2022-03-11 | CVE-2022-25601 | Plugin Planet Fedoraproject | Cross-site Scripting vulnerability in multiple products Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4). | 6.1 |
2022-03-11 | CVE-2021-46708 | Smartbear | Improper Restriction of Rendered UI Layers or Frames vulnerability in Smartbear Swagger-Ui-Dist The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. | 6.1 |
2022-03-11 | CVE-2022-0820 | Orchardcore | Cross-site Scripting vulnerability in Orchardcore Cross-site Scripting (XSS) - Stored in GitHub repository orchardcms/orchardcore prior to 1.3.0. | 6.1 |
2022-03-10 | CVE-2021-44585 | Jeecg | Cross-site Scripting vulnerability in Jeecg Boot 3.0 A Cross Site Scripting (XSS) vulnerability exists in jeecg-boot 3.0 in /jeecg-boot/jmreport/view with a mouseover event. | 6.1 |
2022-03-10 | CVE-2022-26101 | SAP | Unspecified vulnerability in SAP Fiori Launchpad 754/755/756 Fiori launchpad - versions 754, 755, 756, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2022-03-10 | CVE-2022-24395 | SAP | Unspecified vulnerability in SAP Netweaver Enterprise Portal SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2022-03-10 | CVE-2022-24397 | SAP | Unspecified vulnerability in SAP Netweaver Enterprise Portal SAP NetWeaver Enterprise Portal - versions 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in reflected Cross-Site Scripting (XSS) vulnerability. This reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content of portal Website. | 6.1 |
2022-03-10 | CVE-2022-24399 | SAP | Unspecified vulnerability in SAP Focused RUN 200/300 The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST service does not sufficiently sanitize the input name of the file using multipart/form-data, resulting in Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2022-03-10 | CVE-2022-24608 | Luocms Project | Cross-site Scripting vulnerability in Luocms Project Luocms 2.0 Luocms v2.0 is affected by Cross Site Scripting (XSS) in /admin/news/sort_add.php and /inc/function.php. | 6.1 |
2022-03-10 | CVE-2022-21146 | Ipcomm | Cross-site Scripting vulnerability in Ipcomm Ipdio Firmware 3.9 Persistent cross-site scripting in the web interface of ipDIO allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into a specific parameter. | 6.1 |
2022-03-10 | CVE-2022-24177 | Exlibrisgroup | Cross-site Scripting vulnerability in Exlibrisgroup Aleph 500 18.1/20.0 A cross-site scripting (XSS) vulnerability in the component cgi-bin/ej.cgi of Ex libris ALEPH 500 v18.1 and v20 allows attackers to execute arbitrary web scripts or HTML. | 6.1 |
2022-03-10 | CVE-2021-41657 | Smartbear | Improper Restriction of Rendered UI Layers or Frames vulnerability in Smartbear Collaborator 6.1.6102 SmartBear CodeCollaborator v6.1.6102 was discovered to contain a vulnerability in the web UI which would allow an attacker to conduct a clickjacking attack. | 6.1 |
2022-03-10 | CVE-2021-42856 | Riverbed | Cross-site Scripting vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0 It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. | 6.1 |
2022-03-09 | CVE-2022-24746 | Shopware | Unspecified vulnerability in Shopware Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. | 6.1 |
2022-03-08 | CVE-2022-24739 | Alltube Project | Unspecified vulnerability in Alltube Project Alltube alltube is an html front end for youtube-dl. | 6.1 |
2022-03-08 | CVE-2021-41180 | Nextcloud | Unspecified vulnerability in Nextcloud Talk Nextcloud talk is a self hosting messaging service. | 6.1 |
2022-03-08 | CVE-2021-41541 | Siemens | Cross-site Scripting vulnerability in Siemens Climatix Pol909 Firmware 11.34/11.42 A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). | 6.1 |
2022-03-08 | CVE-2021-41542 | Siemens | Cross-site Scripting vulnerability in Siemens Climatix Pol909 Firmware 11.34/11.42 A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). | 6.1 |
2022-03-08 | CVE-2021-44478 | Siemens | Cross-site Scripting vulnerability in Siemens Polarion ALM and Polarion Subversion Webclient A vulnerability has been identified in Polarion ALM (All versions < V21 R2 P2), Polarion WebClient for SVN (All versions). | 6.1 |
2022-03-07 | CVE-2021-4198 | Bitdefender | NULL Pointer Dereference vulnerability in Bitdefender products A NULL Pointer Dereference vulnerability in the messaging_ipc.dll component as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools, VPN Standalone allows an attacker to arbitrarily crash product processes and generate crashdump files. | 6.1 |
2022-03-07 | CVE-2021-24953 | Tinywebgallery | Cross-site Scripting vulnerability in Tinywebgallery Advanced Iframe The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | 6.1 |
2022-03-07 | CVE-2021-25038 | Obtaininfotech | Cross-site Scripting vulnerability in Obtaininfotech Multisite User Sync/Unsync The WordPress Multisite User Sync/Unsync WordPress plugin before 2.1.2 does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | 6.1 |
2022-03-07 | CVE-2021-25039 | Obtaininfotech | Cross-site Scripting vulnerability in Obtaininfotech Multisite Content Copier/Updater The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.0 does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | 6.1 |
2022-03-07 | CVE-2022-0347 | Wpbrigade | Cross-site Scripting vulnerability in Wpbrigade Loginpress The LoginPress \| Custom Login Page Customizer WordPress plugin before 1.5.12 does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-03-07 | CVE-2022-0422 | Videousermanuals | Cross-site Scripting vulnerability in Videousermanuals White Label CMS The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue | 6.1 |
2022-03-07 | CVE-2022-0429 | Cerber | Cross-site Scripting vulnerability in Cerber WP Cerber Security, Anti-Spam & Malware Scan The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability. | 6.1 |
2022-03-07 | CVE-2022-0533 | Metaphorcreations | Cross-site Scripting vulnerability in Metaphorcreations Ditty The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2022-03-08 | CVE-2021-36809 | Sophos | Unspecified vulnerability in Sophos SSL VPN Client A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges, potentially resulting in a denial of service and data loss, in all versions of Sophos SSL VPN client. | 6.0 |
2022-03-10 | CVE-2021-40055 | Huawei | Unspecified vulnerability in Huawei Emui, Harmonyos and Magic UI There is a man-in-the-middle attack vulnerability during system update download in recovery mode. | 5.9 |
2022-03-09 | CVE-2022-24322 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Ecostruxure Control Expert 14.0/14.1/15.0 A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software when an attacker is able to intercept and manipulate specific Modbus response data. | 5.9 |
2022-03-09 | CVE-2022-24323 | Schneider Electric | Improper Check for Unusual or Exceptional Conditions vulnerability in Schneider-Electric products A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software, when an attacker is able to intercept and manipulate specific Modbus response data. | 5.9 |
2022-03-13 | CVE-2022-23960 | XEN ARM Debian | Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. | 5.6 |
2022-03-11 | CVE-2021-26401 | AMD | Unspecified vulnerability in AMD products LFENCE/JMP (mitigation V2-2) may not sufficiently mitigate CVE-2017-5715 on some AMD CPUs. | 5.6 |
2022-03-12 | CVE-2022-26966 | Linux Netapp Debian | An issue was discovered in the Linux kernel before 5.16.12. | 5.5 |
2022-03-11 | CVE-2021-41849 | Bluproducts Wikomobile Luna | Cleartext Transmission of Sensitive Information vulnerability in multiple products An issue was discovered in Luna Simo PPR1.180610.011/202001031830. | 5.5 |
2022-03-11 | CVE-2022-0907 | Libtiff Debian Fedoraproject Netapp | Unchecked Return Value vulnerability in multiple products Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 5.5 |
2022-03-11 | CVE-2022-0908 | Libtiff Debian Fedoraproject Netapp | NULL Pointer Dereference vulnerability in multiple products Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file. | 5.5 |
2022-03-11 | CVE-2022-0909 | Libtiff Debian Fedoraproject Netapp | Divide By Zero vulnerability in multiple products Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 5.5 |
2022-03-11 | CVE-2022-0924 | Libtiff Debian Fedoraproject Netapp | Out-of-bounds Read vulnerability in multiple products Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 5.5 |
2022-03-11 | CVE-2022-26878 | Linux | Memory Leak vulnerability in Linux Kernel drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed). | 5.5 |
2022-03-10 | CVE-2022-25108 | Foxit | NULL Pointer Dereference vulnerability in Foxit PDF Editor and PDF Reader Foxit PDF Reader and Editor before 11.2.1 and PhantomPDF before 10.1.7 allow a NULL pointer dereference during PDF parsing because the pointer is used without proper validation. | 5.5 |
2022-03-10 | CVE-2022-25819 | | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 OOB read vulnerability in hdcp2 device node prior to SMR Mar-2022 Release 1 allows an attacker to view Kernel stack memory. | 5.5 |
2022-03-10 | CVE-2022-25825 | Samsung | Improper Authentication vulnerability in Samsung Account Improper access control vulnerability in Samsung Account prior to version 13.1.0.1 allows attackers to access the authcode for sign-in. | 5.5 |
2022-03-10 | CVE-2022-20051 | | Improper Privilege Management vulnerability in Google Android 11.0/12.0 In ims service, there is a possible unexpected application behavior due to incorrect privilege assignment. | 5.5 |
2022-03-10 | CVE-2021-44215 | Northern Tech | Incorrect Default Permissions vulnerability in Northern.Tech Cfengine Northern.tech CFEngine Enterprise 3.15.4 before 3.15.5 has Insecure Permissions that may allow unauthorized local users to have an unspecified impact. | 5.5 |
2022-03-10 | CVE-2021-44216 | Northern Tech | Incorrect Default Permissions vulnerability in Northern.Tech Cfengine Northern.tech CFEngine Enterprise before 3.15.5 and 3.18.x before 3.18.1 has Insecure Permissions that may allow unauthorized local users to access the Apache and Mission Portal log files. | 5.5 |
2022-03-10 | CVE-2021-44269 | Wavpack Fedoraproject | Out-of-bounds Read vulnerability in multiple products An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. | 5.5 |
2022-03-10 | CVE-2021-44421 | Occlum Project | Information Exposure Through Discrepancy vulnerability in Occlum Project Occlum The pointer-validation logic in util/mem_util.rs in Occlum before 0.26.0 for Intel SGX acts as a confused deputy that allows a local attacker to access unauthorized information via side-channel analysis. | 5.5 |
2022-03-10 | CVE-2021-4023 | Linux Fedoraproject | A flaw was found in the io-workqueue implementation in the Linux kernel versions prior to 5.15-rc1. | 5.5 |
2022-03-10 | CVE-2021-4095 | Linux Fedoraproject | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. | 5.5 |
2022-03-10 | CVE-2022-0433 | Linux Fedoraproject | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the Linux kernel's BPF subsystem in the way a user triggers the map_get_next_key function of the BPF bloom filter. | 5.5 |
2022-03-10 | CVE-2021-32434 | Abcm2Ps Project Fedoraproject Debian | Out-of-bounds Read vulnerability in multiple products abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c. | 5.5 |
2022-03-10 | CVE-2021-32435 | Abcm2Ps Project Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products Stack-based buffer overflow in the function get_key in parse.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors. | 5.5 |
2022-03-10 | CVE-2021-34122 | Rockcarry | NULL Pointer Dereference vulnerability in Rockcarry Ffjpeg The function bitstr_tell at bitstr.c in ffjpeg commit 4ab404e has a NULL pointer dereference. | 5.5 |
2022-03-10 | CVE-2021-3732 | Linux | Unspecified vulnerability in Linux Kernel A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. | 5.5 |
2022-03-10 | CVE-2021-20269 | Kexec Tools Project | Unspecified vulnerability in Kexec-Tools Project Kexec-Tools A flaw was found in the permissions of a log file created by kexec-tools. | 5.5 |
2022-03-10 | CVE-2022-0890 | Mruby | NULL Pointer Dereference vulnerability in Mruby NULL Pointer Dereference in GitHub repository mruby/mruby prior to 3.2. | 5.5 |
2022-03-07 | CVE-2021-38988 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. | 5.5 |
2022-03-07 | CVE-2021-38989 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. | 5.5 |
2022-03-13 | CVE-2021-45889 | Ponton | Cross-site Scripting vulnerability in Ponton X/P Messenger 3.10.0/3.8.0 An issue was discovered in PONTON X/P Messenger before 3.11.2. | 5.4 |
2022-03-12 | CVE-2022-0880 | Showdoc | Cross-site Scripting vulnerability in Showdoc Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2. | 5.4 |
2022-03-11 | CVE-2021-27416 | Hitachienergy | Cross-site Scripting vulnerability in Hitachienergy Ellipse Enterprise Asset Management 9.0.22/9.0.23/9.0.25 An attacker could exploit this vulnerability in Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 by tricking a user to click on a link containing malicious code that would then be run by the web browser. | 5.4 |
2022-03-11 | CVE-2021-32475 | Moodle | Cross-site Scripting vulnerability in Moodle ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. | 5.4 |
2022-03-11 | CVE-2022-0928 | Microweber | Cross-site Scripting vulnerability in Microweber Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12. | 5.4 |
2022-03-11 | CVE-2022-26874 | Horde Debian | Cross-site Scripting vulnerability in multiple products lib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via an OpenOffice document, leading to account takeover in Horde Groupware Webmail Edition. | 5.4 |
2022-03-11 | CVE-2022-0822 | Orchardcore | Cross-site Scripting vulnerability in Orchardcore Cross-site Scripting (XSS) - Reflected in GitHub repository orchardcms/orchardcore prior to 1.3.0. | 5.4 |
2022-03-11 | CVE-2022-25507 | Freetakserver UI Project | Cross-site Scripting vulnerability in Freetakserver-Ui Project Freetakserver-Ui 1.9.8 FreeTAKServer-UI v1.9.8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Callsign parameter. | 5.4 |
2022-03-10 | CVE-2022-26102 | SAP | Missing Authorization vulnerability in SAP Netweaver Application Server Abap Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated attacker to access content on the start screen of any transaction that is available within the same SAP system even if he/she isn't authorized for that transaction. | 5.4 |
2022-03-10 | CVE-2022-24432 | Ipcomm | Cross-site Scripting vulnerability in Ipcomm Ipdio Firmware 3.9 Persistent cross-site scripting (XSS) in the web interface of ipDIO allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into specific fields. | 5.4 |
2022-03-10 | CVE-2022-21158 | Marktext | Cross-site Scripting vulnerability in Marktext A stored cross-site scripting vulnerability in marktext versions prior to v0.17.0 due to improper handling of the link (with javascript: scheme) inside the document may allow an attacker to execute an arbitrary script on the PC of the user using marktext. | 5.4 |
2022-03-10 | CVE-2021-32005 | Secomea | Cross-site Scripting vulnerability in Secomea products Cross-site Scripting (XSS) vulnerability in log view of Secomea SiteManager allows a logged in user to store javascript for later execution. | 5.4 |
2022-03-10 | CVE-2021-33851 | Apasionados | Cross-site Scripting vulnerability in Apasionados Customize Login Image 3.4 A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. | 5.4 |
2022-03-10 | CVE-2021-33852 | Metaphorcreations | Cross-site Scripting vulnerability in Metaphorcreations Post Duplicator 2.23 A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. | 5.4 |
2022-03-09 | CVE-2022-22511 | Wago | Unspecified vulnerability in Wago products Various configuration pages of the device are vulnerable to reflected XSS (Cross-Site Scripting) attacks. | 5.4 |
2022-03-08 | CVE-2022-0877 | Bookstackapp | Cross-site Scripting vulnerability in Bookstackapp Bookstack Cross-site Scripting (XSS) - Stored in GitHub repository bookstackapp/bookstack prior to v22.02.3. | 5.4 |
2022-03-07 | CVE-2021-24821 | Nicdark | Cross-site Scripting vulnerability in Nicdark Cost Calculator The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings (which gets injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as the Text Preview field of a Project (injected on the edit project page) | 5.4 |
2022-03-07 | CVE-2021-24826 | Custom Content Shortcode Project | Cross-site Scripting vulnerability in Custom Content Shortcode Project Custom Content Shortcode The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | 5.4 |
2022-03-07 | CVE-2021-24960 | Iptanus | Unrestricted Upload of File with Dangerous Type vulnerability in Iptanus Wordpress File Upload and Wordpress File Upload PRO The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks | 5.4 |
2022-03-07 | CVE-2021-24961 | Iptanus | Cross-site Scripting vulnerability in Iptanus Wordpress File Upload and Wordpress File Upload PRO The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | 5.4 |
2022-03-07 | CVE-2022-0205 | YOP Poll | Cross-site Scripting vulnerability in Yop-Poll The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue | 5.4 |
2022-03-07 | CVE-2022-0426 | Adtribes | Cross-site Scripting vulnerability in Adtribes Product Feed PRO for Woocommerce The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting | 5.4 |
2022-03-12 | CVE-2022-26276 | Onenav | Path Traversal vulnerability in Onenav 0.9.14 An issue in index.php of OneNav v0.9.14 allows attackers to perform directory traversal. | 5.3 |
2022-03-11 | CVE-2022-25839 | URL JS Project | Improper Input Validation vulnerability in Url-Js Project Url-Js The package url-js before 2.1.0 is vulnerable to Improper Input Validation due to improper parsing, which makes it possible for the hostname to be spoofed. | 5.3 |
2022-03-11 | CVE-2021-32473 | Moodle | Unspecified vulnerability in Moodle It was possible for a student to view their quiz grade before it had been released, using a quiz web service. | 5.3 |
2022-03-11 | CVE-2022-0870 | Gogs | Server-Side Request Forgery (SSRF) vulnerability in Gogs Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5. | 5.3 |
2022-03-10 | CVE-2021-41233 | Nextcloud | Incorrect Authorization vulnerability in Nextcloud Server Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. | 5.3 |
2022-03-10 | CVE-2021-38910 | IBM | Improper Input Validation vulnerability in IBM Datapower Gateway IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. | 5.3 |
2022-03-10 | CVE-2021-39025 | IBM | Unspecified vulnerability in IBM Guardium Data Encryption 4.0.0.0/5.0.0.0 IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 could disclose internal IP address information when the web backend is down. | 5.3 |
2022-03-10 | CVE-2022-26847 | Spip Debian | Information Exposure vulnerability in multiple products SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects. | 5.3 |
2022-03-10 | CVE-2022-25215 | Phicomm | Unspecified vulnerability in Phicomm products Improper access control on the LocalMACConfig.asp interface allows an unauthenticated remote attacker to add (or remove) client MAC addresses to (or from) a list of banned hosts. | 5.3 |
2022-03-10 | CVE-2022-26103 | SAP | Unspecified vulnerability in SAP Netweaver Application Server Java 7.50 Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | 5.3 |
2022-03-10 | CVE-2022-26104 | SAP | Missing Authorization vulnerability in SAP Financial Consolidation 10.1 SAP Financial Consolidation - version 10.1, does not perform necessary authorization checks for updating homepage messages, resulting for an unauthorized user to alter the maintenance system message. | 5.3 |
2022-03-10 | CVE-2021-42857 | Riverbed | Path Traversal vulnerability in Riverbed Steelcentral Appinternals Dynamic Sampling Agent 10.0.0/11.0.0/12.0.0 It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/da/pcf" API. | 5.3 |
2022-03-10 | CVE-2021-35251 | Solarwinds | Information Exposure Through an Error Message vulnerability in Solarwinds web Help Desk Sensitive information could be displayed when a detailed technical error message is posted. | 5.3 |
2022-03-10 | CVE-2020-14112 | MI | Information Exposure vulnerability in MI Ax6000 Firmware Information Leak Vulnerability exists in the Xiaomi Router AX6000. | 5.3 |
2022-03-09 | CVE-2022-24747 | Shopware | Exposure of Resource to Wrong Sphere vulnerability in Shopware Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. | 5.3 |
2022-03-08 | CVE-2022-24714 | Icinga | Unspecified vulnerability in Icinga web 2 Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. | 5.3 |
2022-03-08 | CVE-2021-41239 | Nextcloud | Unspecified vulnerability in Nextcloud Server Nextcloud server is a self hosted system designed to provide cloud style services. | 5.3 |
2022-03-07 | CVE-2021-25009 | Correosexpress Project | Unspecified vulnerability in Correosexpress Project Correosexpress The CorreosExpress WordPress plugin through 2.6.0 generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses | 5.3 |
2022-03-13 | CVE-2021-45888 | Ponton | Cross-site Scripting vulnerability in Ponton X/P Messenger 3.10.0/3.8.0 An issue was discovered in PONTON X/P Messenger before 3.11.2. | 4.8 |
2022-03-12 | CVE-2022-0930 | Microweber | Cross-site Scripting vulnerability in Microweber File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. | 4.8 |
2022-03-12 | CVE-2022-0926 | Microweber | Cross-site Scripting vulnerability in Microweber File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12. | 4.8 |
2022-03-11 | CVE-2022-0912 | Microweber | Unrestricted Upload of File with Dangerous Type vulnerability in Microweber Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11. | 4.8 |
2022-03-10 | CVE-2022-0906 | Microweber | Cross-site Scripting vulnerability in Microweber Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12. | 4.8 |
2022-03-07 | CVE-2021-24810 | WP Eventmanager | Cross-site Scripting vulnerability in Wp-Eventmanager WP Event Manager The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2022-03-07 | CVE-2022-0389 | Codepeople | Cross-site Scripting vulnerability in Codepeople WP Time Slots Booking Form The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-03-07 | CVE-2022-0448 | Dwbooster | Cross-site Scripting vulnerability in Dwbooster CP Blocks The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | 4.8 |
2022-03-07 | CVE-2022-0535 | E2Pdf | Cross-site Scripting vulnerability in E2Pdf The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2022-03-10 | CVE-2022-25368 | Amperecomputing ARM | Spectre BHB is a variant of Spectre-v2 in which malicious code uses the shared branch history (stored in the CPU BHB) to influence mispredicted branches in the victim's hardware context. | 4.7 |
2022-03-10 | CVE-2022-25816 | | Improper Authentication vulnerability in Google Android 10.0/11.0/12.0 Improper authentication in Samsung Lock and mask apps setting prior to SMR Mar-2022 Release 1 allows attacker to change enable/disable without authentication | 4.6 |
2022-03-10 | CVE-2022-25820 | | Improper Restriction of Excessive Authentication Attempts vulnerability in Google Android 11.0/12.0 A vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform brute force attack on screen lock password. | 4.6 |
2022-03-10 | CVE-2022-24932 | Google Samsung | Improper Protection of Alternate Path vulnerability in Setup wizard process prior to SMR Mar-2022 Release 1 allows physical attacker package installation before finishing Setup wizard. | 4.6 |
2022-03-10 | CVE-2022-26355 | Citrix | Exposure of Resource to Wrong Sphere vulnerability in Citrix Federated Authentication Service 10.6/7.17 Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP). | 4.4 |
2022-03-09 | CVE-2022-24349 | Zabbix Debian Fedoraproject | Cross-site Scripting vulnerability in multiple products An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. | 4.4 |
2022-03-09 | CVE-2022-24917 | Zabbix Debian Fedoraproject | Cross-site Scripting vulnerability in multiple products An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. | 4.4 |
2022-03-09 | CVE-2022-24918 | Zabbix Fedoraproject | Cross-site Scripting vulnerability in multiple products An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. | 4.4 |
2022-03-09 | CVE-2022-24919 | Zabbix Debian Fedoraproject | Cross-site Scripting vulnerability in multiple products An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. | 4.4 |
2022-03-09 | CVE-2022-0022 | Paloaltonetworks | Use of Password Hash With Insufficient Computational Effort vulnerability in Paloaltonetworks Pan-Os Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. | 4.4 |
2022-03-11 | CVE-2021-32472 | Moodle | Missing Authorization vulnerability in Moodle Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. | 4.3 |
2022-03-11 | CVE-2021-32477 | Moodle | Missing Authorization vulnerability in Moodle The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). | 4.3 |
2022-03-11 | CVE-2018-25031 | Smartbear | Improper Input Validation vulnerability in Smartbear Swagger UI Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. | 4.3 |
2022-03-10 | CVE-2021-32006 | Secomea | Incorrect Default Permissions vulnerability in Secomea Gatemanager 9.6.621421014 This issue affects: Secomea GateManager Version 9.6.621421014 and all prior versions. | 4.3 |
2022-03-10 | CVE-2021-3660 | Cockpit Project Redhat | Cockpit (and its plugins) do not seem to protect itself against clickjacking. | 4.3 |
2022-03-08 | CVE-2021-41241 | Nextcloud | Unspecified vulnerability in Nextcloud Server Nextcloud server is a self hosted system designed to provide cloud style services. | 4.3 |
2022-03-07 | CVE-2022-0755 | Salesagility | Unspecified vulnerability in Salesagility Suitecrm Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5. | 4.3 |
2022-03-07 | CVE-2021-24824 | Custom Content Shortcode Project | Incorrect Authorization vulnerability in Custom Content Shortcode Project Custom Content Shortcode The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. | 4.3 |
2022-03-07 | CVE-2021-24825 | Custom Content Shortcode Project | Unspecified vulnerability in Custom Content Shortcode Project Custom Content Shortcode The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc), as well as perform Local File Inclusion attacks as PHP files will be executed. | 4.3 |
2022-03-07 | CVE-2022-0384 | Imdpen | Unspecified vulnerability in Imdpen Video Conferencing With Zoom The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog | 4.3 |
2022-03-07 | CVE-2022-0442 | Ayecode | Authorization Bypass Through User-Controlled Key vulnerability in Ayecode Userswp The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another user's avatar. | 4.3 |
15 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-13 | CVE-2021-36368 | Openbsd Debian | Improper Authentication vulnerability in multiple products An issue was discovered in OpenSSH before 8.9. | 3.7 |
2022-03-10 | CVE-2022-21170 | DAJ | Improper Certificate Validation vulnerability in DAJ I-Filter and I-Filter Browser & Cloud Multiagent Improper check for certificate revocation in i-FILTER Ver.10.45R01 and earlier, i-FILTER Ver.9.50R10 and earlier, i-FILTER Browser & Cloud MultiAgent for Windows Ver.4.93R04 and earlier, and D-SPA (Ver.3 / Ver.4) using i-FILTER allows a remote unauthenticated attacker to conduct a man-in-the-middle attack and eavesdrop on an encrypted communication. | 3.7 |
2022-03-09 | CVE-2022-24744 | Shopware | Unspecified vulnerability in Shopware Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. | 3.5 |
2022-03-10 | CVE-2022-25817 | | Unspecified vulnerability in Google Android 10.0/11.0 Improper authentication in One UI Home prior to SMR Mar-2022 Release 1 allows attacker to generate pinned-shortcut without user consent. | 3.3 |
2022-03-10 | CVE-2022-25823 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch Plugin 2.2.05.21033151/2.2.05.22012751 Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.220126741 allows attackers to access user information in log. | 3.3 |
2022-03-10 | CVE-2022-25824 | Samsung | Unspecified vulnerability in Samsung Bixby Touch Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview. | 3.3 |
2022-03-10 | CVE-2022-25826 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch 3 Plugin Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log | 3.3 |
2022-03-10 | CVE-2022-25827 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch Plugin 2.2.05.21033151 Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.22012751 allows attacker to access password information of connected WiFiAp in the log | 3.3 |
2022-03-10 | CVE-2022-25828 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Watch Active Plugin 2.2.07.21033151 Information Exposure vulnerability in Watch Active Plugin prior to version 2.2.07.22012751 allows attacker to access password information of connected WiFiAp in the log | 3.3 |
2022-03-10 | CVE-2022-25829 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Watch Active2 Plugin 2.2.08.21033151 Information Exposure vulnerability in Watch Active2 Plugin prior to version 2.2.08.22012751 allows attacker to access password information of connected WiFiAp in the log | 3.3 |
2022-03-10 | CVE-2022-25830 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Galaxy Watch 3 Plugin Information Exposure vulnerability in Galaxy Watch3 Plugin prior to version 2.2.09.22012751 allows attacker to access password information of connected WiFiAp in the log | 3.3 |
2022-03-10 | CVE-2022-24929 | | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Unprotected Activity in AppLock prior to SMR Mar-2022 Release 1 allows attacker to change the list of locked app without authentication. | 3.3 |
2022-03-10 | CVE-2022-24930 | Samsung | Unspecified vulnerability in Samsung Wear OS 3.0 An Improper access control vulnerability in StRetailModeReceiver in Wear OS 3.0 prior to Firmware update MAR-2022 Release allows untrusted applications to reset default app settings without a proper permission | 3.3 |
2022-03-10 | CVE-2021-3981 | GNU Fedoraproject | A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. | 3.3 |
2022-03-08 | CVE-2021-41181 | Nextcloud | Improper Authentication vulnerability in Nextcloud Talk Nextcloud talk is a self hosting messaging service. | 2.4 |