Weekly Vulnerabilities Reports > March 14 to 20, 2022

Overview

566 new vulnerabilities reported during this period, including 97 critical vulnerabilities and 95 high severity vulnerabilities. This weekly summary report vulnerabilities in 423 products from 204 vendors including Apple, Google, Adobe, Tenda, and Jenkins. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Command Injection", "Out-of-bounds Read", and "SQL Injection".

  • 493 reported vulnerabilities are remotely exploitables.
  • 5 reported vulnerabilities have public exploit available.
  • 187 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 435 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 75 reported vulnerabilities.
  • Tenda has the most reported critical vulnerabilities, with 29 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

97 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-18 CVE-2022-25390 Dcnglobal Unspecified vulnerability in Dcnglobal Dcme-520 Firmware

DCN Firewall DCME-520 was discovered to contain a remote command execution (RCE) vulnerability via the host parameter in the file /system/tool/ping.php.

10.0
2022-03-18 CVE-2022-25427 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the schedendtime parameter in the openSchedWifi function.

10.0
2022-03-18 CVE-2022-25428 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the deviceId parameter in the saveparentcontrolinfo function.

10.0
2022-03-18 CVE-2022-25429 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a buffer overflow via the time parameter in the saveparentcontrolinfo function.

10.0
2022-03-18 CVE-2022-25431 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain multiple stack overflows via the NPTR, V12, V10 and V11 parameter in the Formsetqosband function.

10.0
2022-03-18 CVE-2022-25433 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the urls parameter in the saveparentcontrolinfo function.

10.0
2022-03-18 CVE-2022-25434 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the firewallen parameter in the SetFirewallCfg function.

10.0
2022-03-18 CVE-2022-25435 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetStaticRoutecfg function.

10.0
2022-03-18 CVE-2022-25437 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetVirtualServerCfg function.

10.0
2022-03-18 CVE-2022-25438 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the SetIPTVCfg function.

10.0
2022-03-18 CVE-2022-25439 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetIpMacBind function.

10.0
2022-03-18 CVE-2022-25440 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the ntpserver parameter in the SetSysTimeCfg function.

10.0
2022-03-18 CVE-2022-25441 Tenda Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21

Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the vlanid parameter in the SetIPTVCfg function.

10.0
2022-03-18 CVE-2022-25445 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the time parameter in the PowerSaveSet function.

10.0
2022-03-18 CVE-2022-25446 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the schedstarttime parameter in the openSchedWifi function.

10.0
2022-03-18 CVE-2022-25447 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the schedendtime parameter in the openSchedWifi function.

10.0
2022-03-18 CVE-2022-25448 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the day parameter in the openSchedWifi function.

10.0
2022-03-18 CVE-2022-25449 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the deviceId parameter in the saveParentControlInfo function.

10.0
2022-03-18 CVE-2022-25450 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 V15.03.05.09_multi was discovered to contain a stack overflow via the list parameter in the SetVirtualServerCfg function.

10.0
2022-03-18 CVE-2022-25451 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 V15.03.05.09_multi was discovered to contain a stack overflow via the list parameter in the setstaticroutecfg function.

10.0
2022-03-18 CVE-2022-25452 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the URLs parameter in the saveParentControlInfo function.

10.0
2022-03-18 CVE-2022-25453 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the time parameter in the saveParentControlInfo function.

10.0
2022-03-18 CVE-2022-25454 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the loginpwd parameter in the SetFirewallCfg function.

10.0
2022-03-18 CVE-2022-25455 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the list parameter in the SetIpMacBind function.

10.0
2022-03-18 CVE-2022-25456 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the security_5g parameter in the WifiBasicSet function.

10.0
2022-03-18 CVE-2022-25457 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the ntpserver parameter in the SetSysTimeCfg function.

10.0
2022-03-18 CVE-2022-25458 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the cmdinput parameter in the exeCommand function.

10.0
2022-03-18 CVE-2022-25459 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the S1 parameter in the SetSysTimeCfg function.

10.0
2022-03-18 CVE-2022-25460 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the endip parameter in the SetPptpServerCfg function.

10.0
2022-03-18 CVE-2022-25461 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09

Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the startip parameter in the SetPptpServerCfg function.

10.0
2022-03-18 CVE-2022-27250 Unisoc Unspecified vulnerability in Unisoc Chipset

The UNISOC chipset through 2022-03-15 allows attackers to obtain remote control of a mobile phone, e.g., to obtain sensitive information from text messages or the device's screen, record video of the device's physical environment, or modify data.

10.0
2022-03-18 CVE-2022-22586 Apple Out-of-bounds Write vulnerability in Apple Macos

An out-of-bounds write issue was addressed with improved bounds checking.

10.0
2022-03-18 CVE-2022-22587 Apple Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS

A memory corruption issue was addressed with improved input validation.

10.0
2022-03-18 CVE-2021-45966 Pascom Command Injection vulnerability in Pascom Cloud Phone System

An issue was discovered in Pascom Cloud Phone System before 7.20.x.

10.0
2022-03-17 CVE-2021-45040 Spatie Unrestricted Upload of File with Dangerous Type vulnerability in Spatie Laravel Media Library

The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.

10.0
2022-03-17 CVE-2022-26501 Veeam Incorrect Authorization vulnerability in Veeam Backup & Replication

Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).

10.0
2022-03-17 CVE-2022-25760 Accesslog Project Code Injection vulnerability in Accesslog Project Accesslog

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization.

10.0
2022-03-16 CVE-2022-23812 Node Ipic Project Code Injection vulnerability in Node-Ipic Project Node-Ipic

This affects the package node-ipc from 10.1.1 and before 10.1.3.

10.0
2022-03-16 CVE-2021-23165 Htmldoc Project Out-of-bounds Write vulnerability in Htmldoc Project Htmldoc

A flaw was found in htmldoc before v1.9.12.

10.0
2022-03-16 CVE-2021-39708 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0

In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to an incorrect bounds check.

10.0
2022-03-16 CVE-2021-39710 Google Unspecified vulnerability in Google Android

Product: AndroidVersions: Android kernelAndroid ID: A-202160245References: N/A

10.0
2022-03-16 CVE-2021-39720 Google Unspecified vulnerability in Google Android

Product: AndroidVersions: Android kernelAndroid ID: A-207433926References: N/A

10.0
2022-03-16 CVE-2021-39723 Google Unspecified vulnerability in Google Android

Product: AndroidVersions: Android kernelAndroid ID: A-209014813References: N/A

10.0
2022-03-16 CVE-2021-39737 Google Unspecified vulnerability in Google Android

Product: AndroidVersions: Android kernelAndroid ID: A-208229524References: N/A

10.0
2022-03-16 CVE-2022-25247 PTC Missing Authentication for Critical Function vulnerability in PTC Axeda Agent and Axeda Desktop Server

Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain commands to a specific port without authentication.

10.0
2022-03-15 CVE-2022-26995 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pptp (wan_pptp.html) function via the pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, and wan_dns1_stat parameters.

10.0
2022-03-15 CVE-2022-26996 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters.

10.0
2022-03-15 CVE-2022-26997 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter.

10.0
2022-03-15 CVE-2022-26998 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter.

10.0
2022-03-15 CVE-2022-26999 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters.

10.0
2022-03-15 CVE-2022-27000 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters.

10.0
2022-03-15 CVE-2022-27001 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the dhcp function via the hostname parameter.

10.0
2022-03-15 CVE-2022-27002 Commscope OS Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13

Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns?ddns_host parameters.

10.0
2022-03-19 CVE-2022-27226 IRZ Cross-Site Request Forgery (CSRF) vulnerability in IRZ products

A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel.

9.3
2022-03-18 CVE-2020-25176 Schneider Electric
Rockwellautomation
Xylem
Path Traversal vulnerability in multiple products

Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system.

9.3
2022-03-18 CVE-2020-25178 Schneider Electric
Rockwellautomation
Xylem
Cleartext Transmission of Sensitive Information vulnerability in multiple products

ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP.

9.3
2022-03-18 CVE-2022-22578 Apple Improper Privilege Management vulnerability in Apple products

A logic issue was addressed with improved validation.

9.3
2022-03-18 CVE-2022-22579 Apple Exposure of Resource to Wrong Sphere vulnerability in Apple products

An information disclosure issue was addressed with improved state management.

9.3
2022-03-18 CVE-2022-22591 Apple Out-of-bounds Write vulnerability in Apple Macos 12.0.0/12.0.1

A memory corruption issue was addressed with improved memory handling.

9.3
2022-03-18 CVE-2022-22593 Apple Classic Buffer Overflow vulnerability in Apple products

A buffer overflow issue was addressed with improved memory handling.

9.3
2022-03-18 CVE-2022-22613 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

9.3
2022-03-18 CVE-2022-22614 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

9.3
2022-03-18 CVE-2022-22615 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

9.3
2022-03-18 CVE-2022-22633 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

9.3
2022-03-18 CVE-2022-22634 Apple Classic Buffer Overflow vulnerability in Apple Ipados and Iphone OS

A buffer overflow was addressed with improved bounds checking.

9.3
2022-03-18 CVE-2022-22636 Apple Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS

An out-of-bounds write issue was addressed with improved bounds checking.

9.3
2022-03-18 CVE-2022-22640 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

9.3
2022-03-18 CVE-2022-22661 Apple Type Confusion vulnerability in Apple Macos

A type confusion issue was addressed with improved state handling.

9.3
2022-03-18 CVE-2022-22665 Apple Improper Privilege Management vulnerability in Apple Macos 12.0.0/12.0.1

A logic issue was addressed with improved validation.

9.3
2022-03-18 CVE-2022-22667 Apple Use After Free vulnerability in Apple Ipados and Iphone OS

A use after free issue was addressed with improved memory management.

9.3
2022-03-18 CVE-2022-24091 Adobe Out-of-bounds Write vulnerability in Adobe products

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

9.3
2022-03-18 CVE-2022-24092 Adobe Out-of-bounds Write vulnerability in Adobe products

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

9.3
2022-03-17 CVE-2022-25364 Gradle Incorrect Authorization vulnerability in Gradle Enterprise

In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access.

9.3
2022-03-16 CVE-2021-39692 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 10.0/11.0/12.0

In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack.

9.3
2022-03-16 CVE-2021-39701 Google Improper Input Validation vulnerability in Google Android 11.0/12.0

In serviceConnection of ControlsProviderLifecycleManager.kt, there is a possible way to keep service running in foreground without notification or permission due to improper input validation.

9.3
2022-03-16 CVE-2021-39702 Google Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 12.0

In onCreate of RequestManageCredentials.java, there is a possible way for a third party app to install certificates without user approval due to a tapjacking/overlay attack.

9.3
2022-03-16 CVE-2021-39706 Google Incorrect Default Permissions vulnerability in Google Android 10.0/11.0/12.0

In onResume of CredentialStorage.java, there is a possible way to cleanup content of credentials storage due to a missing permission check.

9.3
2022-03-16 CVE-2021-40734 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability when parsing a SVG file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40735 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40736 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40738 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability when parsing a WAV file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40739 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40740 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40763 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier) is affected by a memory corruption vulnerability when parsing a WAF file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40764 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40765 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40777 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40779 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40780 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Media Encoder

Adobe Media Encoder version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40786 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-40787 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-42526 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-16 CVE-2021-42527 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere Elements

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

9.3
2022-03-18 CVE-2020-25197 GE Code Injection vulnerability in GE Rt430 Firmware, Rt431 Firmware and Rt434 Firmware

A code injection vulnerability exists in one of the webpages in GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06 that could allow an authenticated remote attacker to execute arbitrary code on the system.

9.0
2022-03-17 CVE-2022-26504 Veeam Improper Authentication vulnerability in Veeam Backup & Replication

Improper authentication in Veeam Backup & Replication 9.5U3, 9.5U4,10.x and 11.x component used for Microsoft System Center Virtual Machine Manager (SCVMM) allows attackers execute arbitrary code via Veeam.Backup.PSManager.exe

9.0
2022-03-16 CVE-2022-0811 Kubernetes Code Injection vulnerability in Kubernetes Cri-O

A flaw was found in CRI-O in the way it set kernel options for a pod.

9.0
2022-03-16 CVE-2022-25246 PTC Use of Hard-coded Credentials vulnerability in PTC Axeda Agent and Axeda Desktop Server

Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) uses hard-coded credentials for its UltraVNC installation.

9.0

95 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-18 CVE-2022-22651 Apple Out-of-bounds Write vulnerability in Apple Macos 12.0.0/12.0.1

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-03-18 CVE-2022-0742 Linux
Netapp
Memory Leak vulnerability in multiple products

Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131.

7.8
2022-03-17 CVE-2022-21822 Nvida Allocation of Resources Without Limits or Throttling vulnerability in Nvida Federated Learning Application Runtime Environment

NVIDIA FLARE contains a vulnerability in the admin interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable.

7.8
2022-03-20 CVE-2021-39383 Diaowen Command Injection vulnerability in Diaowen Dwsurvey 3.2.0

DWSurvey v3.2.0 was discovered to contain a remote command execution (RCE) vulnerability via the component /sysuser/SysPropertyAction.java.

7.5
2022-03-20 CVE-2021-39384 Diaowen Unrestricted Upload of File with Dangerous Type vulnerability in Diaowen Dwsurvey 3.2.0

DWSurvey v3.2.0 was discovered to contain an arbitrary file write vulnerability via the component /utils/ToHtmlServlet.java.

7.5
2022-03-20 CVE-2022-24126 Fromsoftware Out-of-bounds Write vulnerability in Fromsoftware Dark Souls III

A buffer overflow in the NRSessionSearchResult parser in Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allows remote attackers to execute arbitrary code via matchmaking servers, a different vulnerability than CVE-2021-34170.

7.5
2022-03-18 CVE-2022-25578 Taogogo Code Injection vulnerability in Taogogo Taocms 3.0.2

taocms v3.0.2 allows attackers to execute code injection via arbitrarily editing the .htaccess file.

7.5
2022-03-18 CVE-2022-26265 Contao Command Injection vulnerability in Contao 1.5.0

Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter.

7.5
2022-03-18 CVE-2020-16232 Yokogawa Classic Buffer Overflow vulnerability in Yokogawa Widefield3

In Yokogawa WideField3 R1.01 - R4.03, a buffer overflow could be caused when a user loads a maliciously crafted project file.

7.5
2022-03-18 CVE-2022-0547 Openvpn
Fedoraproject
Improper Authentication vulnerability in multiple products

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

7.5
2022-03-18 CVE-2022-22623 Apple
Haxx
Multiple issues were addressed by updating to curl version 7.79.1.
7.5
2022-03-18 CVE-2022-22632 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

7.5
2022-03-18 CVE-2022-22635 Apple Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS

An out-of-bounds write issue was addressed with improved bounds checking.

7.5
2022-03-18 CVE-2022-22641 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

7.5
2022-03-18 CVE-2022-22642 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

This issue was addressed with improved checks.

7.5
2022-03-18 CVE-2022-24595 Automotivelinux Missing Authorization vulnerability in Automotivelinux Kooky KOI

Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon.

7.5
2022-03-18 CVE-2021-45834 Opendocman Unrestricted Upload of File with Dangerous Type vulnerability in Opendocman 1.4.4

An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution.

7.5
2022-03-18 CVE-2021-45835 Online Admission System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Admission System Project Online Admissions System 1.0

The Online Admission System 1.0 allows an unauthenticated attacker to upload or transfer files of dangerous types to the application through documents.php, which may be used to execute malicious code or lead to code execution.

7.5
2022-03-18 CVE-2022-27240 Glewlwyd SSO Server Project Classic Buffer Overflow vulnerability in Glewlwyd SSO Server Project Glewlwyd SSO Server

scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion.

7.5
2022-03-18 CVE-2021-45967 Pascom Cloud Phone System
Igniterealtime
Server-Side Request Forgery (SSRF) vulnerability in multiple products

An issue was discovered in Pascom Cloud Phone System before 7.20.x.

7.5
2022-03-17 CVE-2021-44087 Attendance AND Payroll System Project Unspecified vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP via photo upload.

7.5
2022-03-17 CVE-2021-44088 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters.

7.5
2022-03-17 CVE-2020-15591 UNI Stuttgart Code Injection vulnerability in Uni-Stuttgart Frams' Fast File Exchange

fexsrv in F*EX (aka Frams' Fast File EXchange) before fex-20160919_2 allows eval injection (for unauthenticated remote code execution).

7.5
2022-03-17 CVE-2021-44906 Substack Unspecified vulnerability in Substack Minimist

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

7.5
2022-03-17 CVE-2021-44259 Wavlink Missing Authentication for Critical Function vulnerability in Wavlink Wl-Wn531G3 Firmware A42W1.27.620180418

A vulnerability is in the 'wx.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication.

7.5
2022-03-17 CVE-2021-23632 GIT Project OS Command Injection vulnerability in GIT Project GIT

All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands.

7.5
2022-03-17 CVE-2021-44908 Sailsjs Unspecified vulnerability in Sailsjs Sails

SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules().

7.5
2022-03-17 CVE-2022-0748 Post Loader Project Code Injection vulnerability in Post-Loader Project Post-Loader

The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.

7.5
2022-03-17 CVE-2022-0749 Singoo Deserialization of Untrusted Data vulnerability in Singoo Singoocms.Utility

This affects all versions of package SinGooCMS.Utility.

7.5
2022-03-17 CVE-2022-25296 Bodymen Project Unspecified vulnerability in Bodymen Project Bodymen

The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

7.5
2022-03-17 CVE-2022-25352 Libnested Project Unspecified vulnerability in Libnested Project Libnested

The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js.

7.5
2022-03-17 CVE-2022-25354 SET IN Project Unspecified vulnerability in Set-In Project Set-In

The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it.

7.5
2022-03-17 CVE-2022-1000 Tiny File Manager Project Path Traversal vulnerability in Tiny File Manager Project Tiny File Manager

Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.

7.5
2022-03-17 CVE-2022-24074 Navercorp Incorrect Permission Assignment for Critical Resource vulnerability in Navercorp Whale

Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage request from the content script itself that could lead to controlling Whale Bridge if the rendering process compromises.

7.5
2022-03-17 CVE-2022-22273 Sonicwall OS Command Injection vulnerability in Sonicwall products

** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically the SRA appliances running all 8.x, 9.0.0.5-19sv and earlier versions and Secure Mobile Access (SMA) 100 series products running older firmware 9.0.0.9-26sv and earlier versions.

7.5
2022-03-16 CVE-2022-26293 Online Project Time Management System Project SQL Injection vulnerability in Online Project Time Management System Project Online Project Time Management System 1.0

Online Project Time Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the function save_employee at /ptms/classes/Users.php.

7.5
2022-03-16 CVE-2021-23158 Htmldoc Project Double Free vulnerability in Htmldoc Project Htmldoc 1.9.12

A flaw was found in htmldoc in v1.9.12.

7.5
2022-03-16 CVE-2021-39713 Google Unspecified vulnerability in Google Android

Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel

7.5
2022-03-16 CVE-2022-0982 Accel PPP Out-of-bounds Write vulnerability in Accel-Ppp 1.10.0

The telnet_input_char function in opt/src/accel-pppd/cli/telnet.c suffers from a memory corruption vulnerability, whereby user input cmdline_len is copied into a fixed buffer b->buf without any bound checks.

7.5
2022-03-16 CVE-2022-25251 PTC Missing Authentication for Critical Function vulnerability in PTC Axeda Agent and Axeda Desktop Server

When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain XML messages to a specific port without proper authentication.

7.5
2022-03-16 CVE-2021-45786 Maccms Improper Authentication vulnerability in Maccms 10.0

In maccms v10, an attacker can log in through /index.php/user/login in the "col" and "openid" parameters to gain privileges.

7.5
2022-03-16 CVE-2021-43958 Atlassian Improper Restriction of Excessive Authentication Attempts vulnerability in Atlassian Crucible

Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.

7.5
2022-03-15 CVE-2022-26206 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setLanguageCfg, via the langType parameter.

7.5
2022-03-15 CVE-2022-26207 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter.

7.5
2022-03-15 CVE-2022-26208 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setWebWlanIdx, via the webWlanIdx parameter.

7.5
2022-03-15 CVE-2022-26209 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUploadSetting, via the FileName parameter.

7.5
2022-03-15 CVE-2022-26210 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter.

7.5
2022-03-15 CVE-2022-26211 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and deviceName parameters.

7.5
2022-03-15 CVE-2022-26212 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDeviceName, via the deviceMac and deviceName parameters.

7.5
2022-03-15 CVE-2022-26213 Totolink Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102

Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via the tz parameters.

7.5
2022-03-15 CVE-2022-26214 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function NTPSyncWithHost.

7.5
2022-03-15 CVE-2022-26990 Arris Command Injection vulnerability in Arris products

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters.

7.5
2022-03-15 CVE-2022-26991 Arris Command Injection vulnerability in Arris products

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ntp function via the TimeZone parameter.

7.5
2022-03-15 CVE-2022-26992 Arris Command Injection vulnerability in Arris products

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ddns function via the DdnsUserName, DdnsHostName, and DdnsPassword parameters.

7.5
2022-03-15 CVE-2022-26993 Arris Command Injection vulnerability in Arris products

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters.

7.5
2022-03-15 CVE-2022-26994 Arris Command Injection vulnerability in Arris products

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pptp function via the pptpUserName and pptpPassword parameters.

7.5
2022-03-15 CVE-2022-27003 Totolink Command Injection vulnerability in Totolink A7000R Firmware and X5000R Firmware

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6rd function via the relay6rd parameter.

7.5
2022-03-15 CVE-2022-27004 Totolink Command Injection vulnerability in Totolink A7000R Firmware and X5000R Firmware

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter.

7.5
2022-03-15 CVE-2022-27005 Totolink Command Injection vulnerability in Totolink A7000R Firmware and X5000R Firmware

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter.

7.5
2022-03-15 CVE-2022-25487 Thedigitalcraft Unrestricted Upload of File with Dangerous Type vulnerability in Thedigitalcraft Atomcms 2.0

Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php.

7.5
2022-03-15 CVE-2022-25488 Thedigitalcraft SQL Injection vulnerability in Thedigitalcraft Atomcms 2.0

Atom CMS v2.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/ajax/avatar.php.

7.5
2022-03-15 CVE-2022-25490 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in department.php.

7.5
2022-03-15 CVE-2022-25491 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in appointment.php.

7.5
2022-03-15 CVE-2022-25492 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

HMS v1.0 was discovered to contain a SQL injection vulnerability via the medicineid parameter in ajaxmedicine.php.

7.5
2022-03-15 CVE-2022-25494 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via staff_login.php.

7.5
2022-03-15 CVE-2022-25495 Cuppacms Unrestricted Upload of File with Dangerous Type vulnerability in Cuppacms 1.0

The component /jquery_file_upload/server/php/index.php of CuppaCMS v1.0 allows attackers to upload arbitrary files and execute arbitrary code via a crafted PHP file.

7.5
2022-03-15 CVE-2022-25498 Cuppacms Improper Input Validation vulnerability in Cuppacms 1.0

CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php.

7.5
2022-03-15 CVE-2022-24752 Sylius SQL Injection vulnerability in Sylius Syliusgridbundle 1.11.0

SyliusGridBundle is a package of generic data grids for Symfony applications.

7.5
2022-03-14 CVE-2022-21187 Libvcs Project Command Injection vulnerability in Libvcs Project Libvcs

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection.

7.5
2022-03-14 CVE-2021-25003 Wptaskforce Code Injection vulnerability in Wptaskforce Wpcargo Track & Trace

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE

7.5
2022-03-14 CVE-2021-25007 Molie Instructure Canvas Linking Tool Project SQL Injection vulnerability in Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool

The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection

7.5
2022-03-14 CVE-2021-42171 Tribalsystems Unrestricted Upload of File with Dangerous Type vulnerability in Tribalsystems Zenario 9.0.54156

Zenario CMS 9.0.54156 is vulnerable to File Upload.

7.5
2022-03-14 CVE-2022-0169 10Web SQL Injection vulnerability in 10Web Photo Gallery

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection

7.5
2022-03-14 CVE-2022-0254 Highfivery SQL Injection vulnerability in Highfivery Zero-Spam

The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection

7.5
2022-03-14 CVE-2022-0658 Wielebenwir SQL Injection vulnerability in Wielebenwir Commonsbooking

The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection

7.5
2022-03-14 CVE-2022-22720 Apache
Fedoraproject
Debian
HTTP Request Smuggling vulnerability in multiple products

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

7.5
2022-03-14 CVE-2022-23943 Apache
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

7.5
2022-03-18 CVE-2022-22596 Apple Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS

A memory corruption issue was addressed with improved validation.

7.2
2022-03-18 CVE-2022-22669 Apple Use After Free vulnerability in Apple Macos 12.0.0/12.0.1

A use after free issue was addressed with improved memory management.

7.2
2022-03-18 CVE-2022-24655 Netgear Out-of-bounds Write vulnerability in Netgear products

A stack overflow vulnerability exists in the upnpd service in Netgear EX6100v1 201.0.2.28, CAX80 2.1.2.6, and DC112A 1.0.0.62, which may lead to the execution of arbitrary code without authentication.

7.2
2022-03-17 CVE-2022-0237 Rapid7 Unquoted Search Path or Element vulnerability in Rapid7 Insight Agent

Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine.

7.2
2022-03-17 CVE-2022-25949 Kingsoft Out-of-bounds Write vulnerability in Kingsoft Internet Security 9 Plus 2010.06.23.247

The kernel mode driver kwatch3 of KINGSOFT Internet Security 9 Plus Version 2010.06.23.247 fails to properly handle crafted inputs, leading to stack-based buffer overflow.

7.2
2022-03-17 CVE-2022-26503 Veeam Deserialization of Untrusted Data vulnerability in Veeam

Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges.

7.2
2022-03-16 CVE-2021-0957 Google Improper Privilege Management vulnerability in Google Android 10.0/11.0/12.0

In NotificationStackScrollLayout of NotificationStackScrollLayout.java, there is a possible way to bypass Factory Reset Protections.

7.2
2022-03-16 CVE-2021-39685 Google Out-of-bounds Write vulnerability in Google Android

In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check.

7.2
2022-03-16 CVE-2021-39689 Google Improper Privilege Management vulnerability in Google Android 12.0

In multiple functions of odsign_main.cpp, there is a possible way to persist system attack due to a logic error in the code.

7.2
2022-03-16 CVE-2021-39693 Google Improper Privilege Management vulnerability in Google Android 12.0

In onUidStateChanged of AppOpsService.java, there is a possible way to access location without a visible indicator due to a logic error in the code.

7.2
2022-03-16 CVE-2021-39694 Google Incorrect Default Permissions vulnerability in Google Android 12.0

In parse of RoleParser.java, there is a possible way for default apps to get permissions explicitly denied by the user due to a permissions bypass.

7.2
2022-03-16 CVE-2021-39695 Google Improper Preservation of Permissions vulnerability in Google Android 11.0

In createOrUpdate of BasePermission.java, there is a possible permission bypass due to a logic error in the code.

7.2
2022-03-16 CVE-2021-39697 Google Improper Preservation of Permissions vulnerability in Google Android 11.0/12.0

In checkFileUriDestination of DownloadProvider.java, there is a possible way to bypass external storage private directories protection due to a missing permission check.

7.2
2022-03-16 CVE-2021-39698 Google Use After Free vulnerability in Google Android

In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free.

7.2
2022-03-16 CVE-2021-39703 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 12.0

In updateState of UsbDeviceManager.java, there is a possible unauthorized access of files due to a confused deputy.

7.2
2022-03-16 CVE-2021-39707 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 10.0/11.0/12.0

In onReceive of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy.

7.2
2022-03-16 CVE-2021-39709 Google Unspecified vulnerability in Google Android 12.0

In sendSipAccountsRemovedNotification of SipAccountRegistry.java, there is a possible permission bypass due to an unsafe PendingIntent.

7.2
2022-03-16 CVE-2021-39793 Google Out-of-bounds Write vulnerability in Google Android

In kbase_jd_user_buf_pin_pages of mali_kbase_mem.c, there is a possible out of bounds write due to a logic error in the code.

7.2

278 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-16 CVE-2021-39686 Google Improper Privilege Management vulnerability in Google Android

In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition.

6.9
2022-03-20 CVE-2020-26007 Shopxo Unrestricted Upload of File with Dangerous Type vulnerability in Shopxo 1.9.0

An arbitrary file upload vulnerability in the upload payment plugin of ShopXO v1.9.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.

6.8
2022-03-20 CVE-2020-26008 Shopxo Unrestricted Upload of File with Dangerous Type vulnerability in Shopxo 1.9.0

The PluginsUpload function in application/service/PluginsAdminService.php of ShopXO v1.9.0 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via uploading a crafted PHP file.

6.8
2022-03-18 CVE-2022-25581 Classcms Unrestricted Upload of File with Dangerous Type vulnerability in Classcms

Classcms v2.5 and below contains an arbitrary file upload via the component \class\classupload.

6.8
2022-03-18 CVE-2021-30771 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write was addressed with improved input validation.

6.8
2022-03-18 CVE-2022-22584 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

6.8
2022-03-18 CVE-2022-22590 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2022-03-18 CVE-2022-22597 Apple Out-of-bounds Write vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved validation.

6.8
2022-03-18 CVE-2022-22601 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22602 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22603 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22604 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22605 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22606 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22607 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22608 Apple Out-of-bounds Read vulnerability in Apple Xcode

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22611 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

6.8
2022-03-18 CVE-2022-22612 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

A memory consumption issue was addressed with improved memory handling.

6.8
2022-03-18 CVE-2022-22620 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

6.8
2022-03-18 CVE-2022-22639 Apple Improper Privilege Management vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved state management.

6.8
2022-03-18 CVE-2022-22657 Apple Improper Initialization vulnerability in Apple Garageband and Logic PRO X

A memory initialization issue was addressed with improved memory handling.

6.8
2022-03-18 CVE-2022-22664 Apple Out-of-bounds Read vulnerability in Apple Garageband and Logic PRO X

An out-of-bounds read was addressed with improved bounds checking.

6.8
2022-03-18 CVE-2022-22666 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

6.8
2022-03-18 CVE-2022-27243 Misp Unspecified vulnerability in Misp

An issue was discovered in MISP before 2.4.156.

6.8
2022-03-18 CVE-2022-27245 Misp Server-Side Request Forgery (SSRF) vulnerability in Misp

An issue was discovered in MISP before 2.4.156.

6.8
2022-03-17 CVE-2022-24770 Gradio Project Improper Neutralization of Formula Elements in a CSV File vulnerability in Gradio Project Gradio

`gradio` is an open source framework for building interactive machine learning models and demos.

6.8
2022-03-17 CVE-2022-25969 Kingsoft Uncontrolled Search Path Element vulnerability in Kingsoft WPS Office 10.8.0.6186

The installer of WPS Office Version 10.8.0.6186 insecurely load VERSION.DLL (or some other DLLs), allowing an attacker to execute arbitrary code with the privilege of the user invoking the installer.

6.8
2022-03-17 CVE-2022-26081 Kingsoft Uncontrolled Search Path Element vulnerability in Kingsoft WPS Office 10.8.0.5745

The installer of WPS Office Version 10.8.0.5745 insecurely load shcore.dll, allowing an attacker to execute arbitrary code with the privilege of the user invoking the installer.

6.8
2022-03-17 CVE-2022-26511 Kingsoft Uncontrolled Search Path Element vulnerability in Kingsoft WPS Presentation 11.8.0.5745

WPS Presentation 11.8.0.5745 insecurely load d3dx9_41.dll when opening .pps files('current directory type' DLL loading).

6.8
2022-03-16 CVE-2021-40792 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere PRO

Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2022-03-16 CVE-2021-40793 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere PRO

Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2022-03-16 CVE-2021-40794 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Premiere PRO

Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2022-03-16 CVE-2021-41987 Mikrotik Out-of-bounds Write vulnerability in Mikrotik Routeros

In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution.

6.8
2022-03-16 CVE-2021-42533 Adobe Double Free vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by a double free vulnerability when parsing a crafted DCM file, which could result in arbitrary code execution in the context of the current user.

6.8
2022-03-16 CVE-2021-42719 Adobe Out-of-bounds Read vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted .jpe file, which could result in a read past the end of an allocated memory structure.

6.8
2022-03-16 CVE-2021-42720 Adobe Out-of-bounds Read vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

6.8
2022-03-16 CVE-2021-42724 Adobe Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2022-03-16 CVE-2021-42728 Adobe Classic Buffer Overflow vulnerability in Adobe Bridge

Adobe Bridge 11.1.1 (and earlier) is affected by a stack overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2022-03-16 CVE-2021-42729 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2022-03-16 CVE-2021-42730 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious PSD file, potentially resulting in arbitrary code execution in the context of the current user.

6.8
2022-03-15 CVE-2022-25485 Cuppacms Inclusion of Functionality from Untrusted Control Sphere vulnerability in Cuppacms 1.0

CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php.

6.8
2022-03-15 CVE-2022-25486 Cuppacms Inclusion of Functionality from Untrusted Control Sphere vulnerability in Cuppacms 1.0

CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php.

6.8
2022-03-15 CVE-2022-27204 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Extended Choice Parameter

A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL.

6.8
2022-03-15 CVE-2022-24755 Bareos Incorrect Authorization vulnerability in Bareos

Bareos is open source software for backup, archiving, and recovery of data for operating systems.

6.8
2022-03-14 CVE-2022-20001 Fishshell
Fedoraproject
Injection vulnerability in multiple products

fish is a command line shell.

6.8
2022-03-14 CVE-2022-24578 Gpac Out-of-bounds Write vulnerability in Gpac 1.0.1

GPAC 1.0.1 is affected by a heap-based buffer overflow in SFS_AddString () at bifs/script_dec.c.

6.8
2022-03-14 CVE-2022-22346 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.13.xxx is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2022-03-14 CVE-2022-0165 King Theme Open Redirect vulnerability in King-Theme Kingcomposer 2.7.6/2.9.4

The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action available to both unauthenticated and authenticated users

6.8
2022-03-14 CVE-2022-24577 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen ().

6.8
2022-03-14 CVE-2022-24575 Gpac Out-of-bounds Write vulnerability in Gpac 1.0.1

GPAC 1.0.1 is affected by a stack-based buffer overflow through MP4Box.

6.8
2022-03-14 CVE-2022-22721 Apache
Fedoraproject
Debian
Integer Overflow or Wraparound vulnerability in multiple products

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.

6.8
2022-03-20 CVE-2021-42194 Eyoucms XXE vulnerability in Eyoucms 1.5.4

The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability.

6.5
2022-03-20 CVE-2022-24125 Fromsoftware Incorrect Permission Assignment for Critical Resource vulnerability in Fromsoftware Dark Souls III

The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request.

6.5
2022-03-18 CVE-2022-26266 Piwigo SQL Injection vulnerability in Piwigo 12.2.0

Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.

6.5
2022-03-18 CVE-2022-25602 Expresstech Unrestricted Upload of File with Dangerous Type vulnerability in Expresstech Responsive Menu

Nonce token leak vulnerability leading to arbitrary file upload, theme deletion, plugin settings change discovered in Responsive Menu WordPress plugin (versions <= 4.1.7).

6.5
2022-03-18 CVE-2022-25607 Foliovision SQL Injection vulnerability in Foliovision FV Flowplayer Video Player

Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727).

6.5
2022-03-18 CVE-2022-26965 Pluck CMS Unrestricted Upload of File with Dangerous Type vulnerability in Pluck-Cms Pluck 4.7.16

In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.

6.5
2022-03-17 CVE-2022-0757 Rapid7 SQL Injection vulnerability in Rapid7 Nexpose

Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined.

6.5
2022-03-17 CVE-2022-26500 Veeam Path Traversal vulnerability in Veeam Backup & Replication

Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.

6.5
2022-03-17 CVE-2021-45791 Slims SQL Injection vulnerability in Slims Senayan Library Management System 8.3.1

Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter.

6.5
2022-03-16 CVE-2020-25721 Samba Improper Input Validation vulnerability in Samba

Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).

6.5
2022-03-16 CVE-2021-45821 Btiteam SQL Injection vulnerability in Btiteam Xbtit 3.1

A blind SQL injection vulnerability exists in Xbtit 3.1 via the sid parameter in ajaxchat/getHistoryChatData.php file that is accessible by a registered user.

6.5
2022-03-16 CVE-2022-27223 Linux
Netapp
Improper Validation of Array Index vulnerability in multiple products

In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.

6.5
2022-03-15 CVE-2021-45010 Tiny File Manager Project Path Traversal vulnerability in Tiny File Manager Project Tiny File Manager

A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.

6.5
2022-03-15 CVE-2022-0944 Sqlpad Code Injection vulnerability in Sqlpad

Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.

6.5
2022-03-14 CVE-2021-43304 Yandex Out-of-bounds Write vulnerability in Yandex Clickhouse

Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query.

6.5
2022-03-14 CVE-2021-43305 Yandex Out-of-bounds Write vulnerability in Yandex Clickhouse

Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query.

6.5
2022-03-14 CVE-2021-24959 Techspawn SQL Injection vulnerability in Techspawn Wp-Email-Users

The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.

6.5
2022-03-14 CVE-2022-0478 Mage People SQL Injection vulnerability in Mage-People Event Manager and Tickets Selling for Woocommerce

The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks

6.5
2022-03-14 CVE-2022-22735 Sedlex SQL Injection vulnerability in Sedlex Simple Quotation

The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks

6.5
2022-03-14 CVE-2022-24387 Smartertools Unrestricted Upload of File with Dangerous Type vulnerability in Smartertools Smartertrack

With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g.

6.5
2022-03-19 CVE-2022-0991 Admidio Insufficient Session Expiration vulnerability in Admidio

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9.

6.4
2022-03-17 CVE-2021-23771 Argencoders Notevil Project
Notevil Project
This affects all versions of package notevil; all versions of package argencoders-notevil.
6.4
2022-03-14 CVE-2022-24743 Sylius Insufficient Session Expiration vulnerability in Sylius

Sylius is an open source eCommerce platform.

6.4
2022-03-14 CVE-2022-26320 Rambus
Fujifilm
Canon
Use of Insufficiently Random Values vulnerability in multiple products

The Rambus SafeZone Basic Crypto Module before 10.4.0, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01, Canon imagePROGRAF and imageRUNNER devices through 2022-03-14, and potentially many other devices, generates RSA keys that can be broken with Fermat's factorization method.

6.4
2022-03-14 CVE-2021-39051 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Spectrum Copy Data Management

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to server-side request forgery, caused by improper input of application server registration function.

6.4
2022-03-14 CVE-2022-0593 Idehweb External Control of File Name or Path vulnerability in Idehweb Login With Phone Number

The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation.

6.4
2022-03-17 CVE-2021-23556 Guake Project Unspecified vulnerability in Guake-Project Guake

The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method.

6.0
2022-03-15 CVE-2022-27198 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Cloudbees AWS Credentials 1.32

A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

6.0
2022-03-14 CVE-2022-24740 Plone Improper Authentication vulnerability in Plone Volto 14.0.0/15.0.0

Volto is a ReactJS-based frontend for the Plone Content Management System.

6.0
2022-03-18 CVE-2022-22625 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read was addressed with improved input validation.

5.8
2022-03-18 CVE-2022-22626 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read was addressed with improved bounds checking.

5.8
2022-03-18 CVE-2022-22627 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

An out-of-bounds read was addressed with improved bounds checking.

5.8
2022-03-17 CVE-2022-24759 Chainsafe Improper Verification of Cryptographic Signature vulnerability in Chainsafe Js-Libp2P-Noise

`@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p.

5.8
2022-03-17 CVE-2022-24073 Navercorp Unspecified vulnerability in Navercorp Whale

The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store.

5.8
2022-03-16 CVE-2022-24751 Zulip Race Condition vulnerability in Zulip

Zulip is an open source group chat application.

5.8
2022-03-14 CVE-2022-24733 Sylius Improper Restriction of Rendered UI Layers or Frames vulnerability in Sylius

Sylius is an open source eCommerce platform.

5.8
2022-03-15 CVE-2022-24721 Cometd Incorrect Authorization vulnerability in Cometd

CometD is a scalable comet implementation for web messaging.

5.5
2022-03-14 CVE-2021-42387 Yandex Out-of-bounds Read vulnerability in Yandex Clickhouse

Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query.

5.5
2022-03-14 CVE-2021-42388 Yandex Out-of-bounds Read vulnerability in Yandex Clickhouse

Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query.

5.5
2022-03-16 CVE-2022-23610 Wire Improper Verification of Cryptographic Signature vulnerability in Wire Wire-Server

wire-server provides back end services for Wire, an open source messenger.

5.1
2022-03-20 CVE-2022-25462 Yafu Project Unspecified vulnerability in Yafu Project Yafu

Yafu v2.0 contains a segmentation fault via the component /factor/avx-ecm/vecarith52.c.

5.0
2022-03-20 CVE-2021-44345 Wvti SQL Injection vulnerability in Wvti ONE Card Integrated Managment System 3.0

Beijing Wisdom Vision Technology Industry Co., Ltd One Card Integrated Management System 3.0 is vulnerable to SQL Injection.

5.0
2022-03-18 CVE-2022-26267 Piwigo Exposure of Resource to Wrong Sphere vulnerability in Piwigo 12.2.0

Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.

5.0
2022-03-18 CVE-2022-25389 Dcnglobal Unspecified vulnerability in Dcnglobal Dcme-520 Firmware

DCN Firewall DCME-520 was discovered to contain an arbitrary file download vulnerability via the path parameter in the file /audit/log/log_management.php.

5.0
2022-03-18 CVE-2020-25193 GE Use of Hard-coded Credentials vulnerability in GE Rt430 Firmware, Rt431 Firmware and Rt434 Firmware

By having access to the hard-coded cryptographic key for GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06, attackers would be able to intercept and decrypt encrypted traffic through an HTTPS connection.

5.0
2022-03-18 CVE-2021-4031 Syltek Insufficient Verification of Data Authenticity vulnerability in Syltek

Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it.

5.0
2022-03-18 CVE-2022-22585 Apple Link Following vulnerability in Apple products

An issue existed within the path validation logic for symlinks.

5.0
2022-03-18 CVE-2022-22609 Apple Unspecified vulnerability in Apple products

The issue was addressed with additional permissions checks.

5.0
2022-03-18 CVE-2022-22643 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

This issue was addressed with improved checks.

5.0
2022-03-18 CVE-2022-22653 Apple Improper Input Validation vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved restrictions.

5.0
2022-03-18 CVE-2022-24637 Openwebanalytics Improper Privilege Management vulnerability in Openwebanalytics Open web Analytics

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes.

5.0
2022-03-18 CVE-2022-24771 Digitalbazaar Improper Verification of Cryptographic Signature vulnerability in Digitalbazaar Forge

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript.

5.0
2022-03-18 CVE-2022-24772 Digitalbazaar Improper Verification of Cryptographic Signature vulnerability in Digitalbazaar Forge

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript.

5.0
2022-03-18 CVE-2022-24773 Digitalbazaar Improper Verification of Cryptographic Signature vulnerability in Digitalbazaar Forge

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript.

5.0
2022-03-18 CVE-2021-45968 Jivesoftware
Pascom
Path Traversal vulnerability in multiple products

An issue was discovered in xmppserver jar in the XMPP Server component of the JIve platform, as used in Pascom Cloud Phone System before 7.20.x (and in other products).

5.0
2022-03-17 CVE-2021-44907 QS Project Unspecified vulnerability in QS Project QS

A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function.

5.0
2022-03-17 CVE-2021-46107 Ligeo Archives Server-Side Request Forgery (SSRF) vulnerability in Ligeo-Archives Ligeo Basics 02012022

Ligeo Archives Ligeo Basics as of 02_01-2022 is vulnerable to Server Side Request Forgery (SSRF) which allows an attacker to read any documents via the download features.

5.0
2022-03-17 CVE-2021-44260 Wavlink Missing Authentication for Critical Function vulnerability in Wavlink Wl-Wn531G3 Firmware A42W1.27.620180418

A vulnerability is in the 'live_mfg.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication.

5.0
2022-03-17 CVE-2021-44261 Netgear Missing Authentication for Critical Function vulnerability in Netgear products

A vulnerability is in the 'BRS_top.html' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication.

5.0
2022-03-17 CVE-2021-44262 Netgear Missing Authentication for Critical Function vulnerability in Netgear products

A vulnerability is in the 'MNU_top.htm' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication.

5.0
2022-03-17 CVE-2022-24761 Agendaless HTTP Request Smuggling vulnerability in Agendaless Waitress

Waitress is a Web Server Gateway Interface server for Python 2 and 3.

5.0
2022-03-17 CVE-2021-45793 Slims SQL Injection vulnerability in Slims Senayan Library Management System 9.4.2

Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php.

5.0
2022-03-17 CVE-2021-45794 Slims SQL Injection vulnerability in Slims Senayan Library Management System 9.4.2

Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php.

5.0
2022-03-17 CVE-2022-21221 Fasthttp Project Path Traversal vulnerability in Fasthttp Project Fasthttp

The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization.

5.0
2022-03-17 CVE-2022-25514 Nothings Out-of-bounds Write vulnerability in Nothings STB Truetype.H 1.26

stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttUSHORT() at stb_truetype.h.

5.0
2022-03-17 CVE-2022-25515 Nothings Out-of-bounds Write vulnerability in Nothings STB Truetype.H 1.26

stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttULONG() at stb_truetype.h.

5.0
2022-03-17 CVE-2022-25516 Nothings Out-of-bounds Write vulnerability in Nothings STB Truetype.H 1.26

stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function stbtt__find_table at stb_truetype.h.

5.0
2022-03-17 CVE-2021-42219 Ethereum Unspecified vulnerability in Ethereum GO Ethereum 1.10.9

Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node.

5.0
2022-03-17 CVE-2022-26300 Eosio Project Out-of-bounds Write vulnerability in Eosio Project EOS 2.1.0

EOS v2.1.0 was discovered to contain a heap-buffer-overflow via the function txn_test_gen_plugin.

5.0
2022-03-17 CVE-2022-26534 Fisco Bcos Unspecified vulnerability in Fisco-Bcos 3.0.0

FISCO-BCOS release-3.0.0-rc2 was discovered to contain an issue where a malicious node, via a malicious viewchange packet, will cause normal nodes to change view excessively and stop generating blocks.

5.0
2022-03-16 CVE-2022-24729 Ckeditor
Drupal
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
5.0
2022-03-16 CVE-2022-21164 Node Lmdb Project Unspecified vulnerability in Node-Lmdb Project Node-Lmdb

The package node-lmdb before 0.9.7 are vulnerable to Denial of Service (DoS) when defining a non-invokable ToString value, which will cause a crash during type check.

5.0
2022-03-16 CVE-2021-39716 Google Unspecified vulnerability in Google Android

Product: AndroidVersions: Android kernelAndroid ID: A-206977562References: N/A

5.0
2022-03-16 CVE-2021-39726 Google Out-of-bounds Read vulnerability in Google Android

In cd_ParseMsg of cd_codec.c, there is a possible out of bounds read due to an incorrect bounds check.

5.0
2022-03-16 CVE-2022-0918 Port389
Redhat
A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service.
5.0
2022-03-16 CVE-2022-25248 PTC Information Exposure vulnerability in PTC Axeda Agent and Axeda Desktop Server

When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) supplies the event log of the specific service.

5.0
2022-03-16 CVE-2022-25249 PTC Path Traversal vulnerability in PTC Axeda Agent and Axeda Desktop Server

When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) (disregarding Axeda agent v6.9.2 and v6.9.3) is vulnerable to directory traversal, which could allow a remote unauthenticated attacker to obtain file system read access via web server..

5.0
2022-03-16 CVE-2022-25250 PTC Missing Authentication for Critical Function vulnerability in PTC Axeda Agent and Axeda Desktop Server

When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send a certain command to a specific port without authentication.

5.0
2022-03-16 CVE-2022-25252 PTC Improper Check for Unusual or Exceptional Conditions vulnerability in PTC Axeda Agent and Axeda Desktop Server

When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) when receiving certain input throws an exception.

5.0
2022-03-16 CVE-2022-26353 Qemu Missing Release of Resource after Effective Lifetime vulnerability in Qemu 6.2.0

A flaw was found in the virtio-net device of QEMU.

5.0
2022-03-16 CVE-2022-26660 Robotronic Use of Hard-coded Credentials vulnerability in Robotronic Runasspc 4.0.0.0

RunAsSpc 4.0 uses a universal and recoverable encryption key.

5.0
2022-03-16 CVE-2021-45851 Frangoteam Server-Side Request Forgery (SSRF) vulnerability in Frangoteam Fuxa 1.1.3

A Server-Side Request Forgery (SSRF) attack in FUXA 1.1.3 can be carried out leading to the obtaining of sensitive information from the server's internal environment and services, often potentially leading to the attacker executing commands on the server.

5.0
2022-03-16 CVE-2021-45852 Projectworlds Missing Authorization vulnerability in Projectworlds Hospital Management System in PHP 1.0

An issue was discovered in Projectworlds Hospital Management System v1.0.

5.0
2022-03-16 CVE-2021-43957 Atlassian Authorization Bypass Through User-Controlled Key vulnerability in Atlassian Crucible

Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding.

5.0
2022-03-15 CVE-2021-29134 Gitea Path Traversal vulnerability in Gitea

The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL.

5.0
2022-03-15 CVE-2022-23989 Stormshield Unspecified vulnerability in Stormshield Network Security

In Stormshield Network Security (SNS) before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x before 4.3.5, a flood of connections to the SSLVPN service might lead to saturation of the loopback interface.

5.0
2022-03-15 CVE-2021-45848 Nicotine Plus
Fedoraproject
Improper Encoding or Escaping of Output vulnerability in multiple products

Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.

5.0
2022-03-15 CVE-2022-25497 Cuppacms Files or Directories Accessible to External Parties vulnerability in Cuppacms 1.0

CuppaCMS v1.0 was discovered to contain an arbitrary file read via the copy function.

5.0
2022-03-15 CVE-2022-0778 Openssl
Debian
Netapp
Fedoraproject
Infinite Loop vulnerability in multiple products

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

5.0
2022-03-15 CVE-2022-0430 Httpie Unspecified vulnerability in Httpie

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.

5.0
2022-03-14 CVE-2021-42391 Yandex Divide By Zero vulnerability in Yandex Clickhouse

Divide-by-zero in Clickhouse's Gorilla compression codec when parsing a malicious query.

5.0
2022-03-14 CVE-2022-22354 IBM Unspecified vulnerability in IBM products

IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.2 and IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 do not limit the length of a connection which could allow for a Slowloris HTTP denial of service attack to take place.

5.0
2022-03-14 CVE-2022-22719 Apache
Debian
Fedoraproject
Improper Initialization vulnerability in multiple products

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.

5.0
2022-03-16 CVE-2021-39624 Google Resource Exhaustion vulnerability in Google Android 10.0/11.0/12.0

In Package Manger, there is a possible permanent denial of service due to resource exhaustion.

4.9
2022-03-16 CVE-2021-39690 Google Improper Input Validation vulnerability in Google Android 12.0

In setDisplayPadding of WallpaperManagerService.java, there is a possible way to cause a persistent DoS due to improper input validation.

4.9
2022-03-18 CVE-2020-25182 Schneider Electric
Rockwellautomation
Xylem
Uncontrolled Search Path Element vulnerability in multiple products

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x searches for and loads DLLs as dynamic libraries.

4.6
2022-03-18 CVE-2022-1011 Linux
Fedoraproject
Netapp
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write().

4.6
2022-03-18 CVE-2022-22617 Apple Improper Privilege Management vulnerability in Apple Macos

A logic issue was addressed with improved state management.

4.6
2022-03-18 CVE-2022-22618 Apple Incorrect Authorization vulnerability in Apple Ipados and Iphone OS

This issue was addressed with improved checks.

4.6
2022-03-18 CVE-2022-22631 Apple Out-of-bounds Write vulnerability in Apple Macos

An out-of-bounds write issue was addressed with improved bounds checking.

4.6
2022-03-17 CVE-2022-26526 Anaconda
Conda
Untrusted Search Path vulnerability in multiple products

Anaconda Anaconda3 through 2021.11.0.0 and Miniconda3 through 11.0.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable.

4.6
2022-03-16 CVE-2021-39704 Google Improper Preservation of Permissions vulnerability in Google Android 10.0/11.0/12.0

In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run foreground service without user notification due to a permissions bypass.

4.6
2022-03-16 CVE-2021-39714 Google Use After Free vulnerability in Google Android

In ion_buffer_kmap_get of ion.c, there is a possible use-after-free due to an integer overflow.

4.6
2022-03-16 CVE-2021-39718 Google Out-of-bounds Write vulnerability in Google Android

In ProtocolStkProactiveCommandAdapter::Init of protocolstkadapter.cpp, there is a possible out of bounds write due to an incorrect bounds check.

4.6
2022-03-16 CVE-2021-39719 Google Integer Overflow or Wraparound vulnerability in Google Android

In lwis_top_register_io of lwis_device_top.c, there is a possible out of bounds write due to an integer overflow.

4.6
2022-03-16 CVE-2021-39721 Google Out-of-bounds Write vulnerability in Google Android

In TBD of TBD, there is a possible out of bounds write due to memory corruption.

4.6
2022-03-16 CVE-2021-39725 Google Double Free vulnerability in Google Android

In gasket_free_coherent_memory_all of gasket_page_table.c, there is a possible memory corruption due to a double free.

4.6
2022-03-16 CVE-2021-39729 Google Out-of-bounds Write vulnerability in Google Android

In the TitanM chip, there is a possible out of bounds write due to a missing bounds check.

4.6
2022-03-16 CVE-2021-39731 Google Out-of-bounds Write vulnerability in Google Android

In ProtocolStkProactiveCommandAdapter::Init of protocolstkadapter.cpp, there is a possible out of bounds write due to an incorrect bounds check.

4.6
2022-03-16 CVE-2021-39732 Google Integer Overflow or Wraparound vulnerability in Google Android

In copy_io_entries of lwis_ioctl.c, there is a possible out of bounds write due to an integer overflow.

4.6
2022-03-16 CVE-2021-39733 Google Out-of-bounds Write vulnerability in Google Android

In amcs_cdev_unlocked_ioctl of audiometrics.c, there is a possible out of bounds write due to improper input validation.

4.6
2022-03-16 CVE-2021-39734 Google Incorrect Default Permissions vulnerability in Google Android

In sendMessage of OneToOneChatImpl.java (? TBD), there is a possible way to send an RCS message without permissions due to a missing permission check.

4.6
2022-03-16 CVE-2021-39736 Google Integer Overflow or Wraparound vulnerability in Google Android

In prepare_io_entry and prepare_response of lwis_ioctl.c and lwis_periodic_io.c, there is a possible out of bounds write due to an integer overflow.

4.6
2022-03-16 CVE-2022-21946 Opensuse Improper Privilege Management vulnerability in Opensuse Cscreen

A Improper Privilege Management vulnerability in the sudoers configuration in cscreen of openSUSE Factory allows any local users to gain the privileges of the tty and dialout groups and access and manipulate any running cscreen seesion.

4.6
2022-03-15 CVE-2022-26779 Apache Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cloudstack

Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens.

4.6
2022-03-14 CVE-2022-0943 VIM Heap-based Buffer Overflow vulnerability in VIM

Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.

4.6
2022-03-16 CVE-2021-39712 Google Use After Free vulnerability in Google Android

In TBD of TBD, there is a possible user after free vulnerability due to a race condition.

4.4
2022-03-16 CVE-2021-39735 Google Race Condition vulnerability in Google Android

In gasket_alloc_coherent_memory of gasket_page_table.c, there is a possible memory corruption due to a race condition.

4.4
2022-03-16 CVE-2021-42722 Adobe Out-of-bounds Read vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

4.4
2022-03-20 CVE-2022-26246 TMS Project Cross-site Scripting vulnerability in TMS Project TMS 2.28.0

TMS v2.28.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /TMS/admin/setting/mail/createorupdate.

4.3
2022-03-20 CVE-2022-26247 Teamwork Management System Project Incorrect Permission Assignment for Critical Resource vulnerability in Teamwork Management System Project Teamwork Management System 2.28.0

TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2.

4.3
2022-03-18 CVE-2020-25180 Schneider Electric
Rockwellautomation
Xylem
Use of Hard-coded Credentials vulnerability in multiple products

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands.

4.3
2022-03-18 CVE-2022-22588 Apple Resource Exhaustion vulnerability in Apple Ipados and Iphone OS

A resource exhaustion issue was addressed with improved input validation.

4.3
2022-03-18 CVE-2022-22589 Apple Improper Input Validation vulnerability in Apple products

A validation issue was addressed with improved input sanitization.

4.3
2022-03-18 CVE-2022-22592 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

4.3
2022-03-18 CVE-2022-22594 Apple Origin Validation Error vulnerability in Apple products

A cross-origin issue in the IndexDB API was addressed with improved input validation.

4.3
2022-03-18 CVE-2022-22600 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved permissions logic.

4.3
2022-03-18 CVE-2022-22644 Apple Unspecified vulnerability in Apple Macos 12.0.0/12.0.1

A privacy issue existed in the handling of Contact cards.

4.3
2022-03-18 CVE-2022-22654 Apple Improper Input Validation vulnerability in Apple Safari

A user interface issue was addressed.

4.3
2022-03-18 CVE-2022-22660 Apple Improper Input Validation vulnerability in Apple Macos 12.0.0/12.0.1

This issue was addressed with a new entitlement.

4.3
2022-03-18 CVE-2022-22670 Apple Unspecified vulnerability in Apple products

An access issue was addressed with improved access restrictions.

4.3
2022-03-18 CVE-2022-27246 Misp Cross-site Scripting vulnerability in Misp

An issue was discovered in MISP before 2.4.156.

4.3
2022-03-18 CVE-2021-45868 Linux
Netapp
Use After Free vulnerability in multiple products

In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk).

4.3
2022-03-18 CVE-2022-27191 Golang
Fedoraproject
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

4.3
2022-03-17 CVE-2022-0758 Rapid7 Cross-site Scripting vulnerability in Rapid7 Nexpose

Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool.

4.3
2022-03-17 CVE-2021-43961 Sonatype Injection vulnerability in Sonatype Nexus Repository Manager

Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection.

4.3
2022-03-17 CVE-2022-24302 Paramiko
Debian
Race Condition vulnerability in multiple products

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

4.3
2022-03-17 CVE-2022-24072 Navercorp Unspecified vulnerability in Navercorp Whale

The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool.

4.3
2022-03-17 CVE-2022-24075 Navercorp Files or Directories Accessible to External Parties vulnerability in Navercorp Whale

Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files.

4.3
2022-03-16 CVE-2021-23648 Paypal Cross-site Scripting vulnerability in Paypal Braintree/Sanitize-Url

The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.

4.3
2022-03-16 CVE-2021-45822 Btiteam Cross-site Scripting vulnerability in Btiteam Xbtit 3.1

A cross-site scripting vulnerability is present in Xbtit 3.1.

4.3
2022-03-16 CVE-2021-20299 Openexr NULL Pointer Dereference vulnerability in Openexr

A flaw was found in OpenEXR's Multipart input file functionality.

4.3
2022-03-16 CVE-2021-39667 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In ih264d_parse_decode_slice of ih264d_parse_slice.c, there is a possible out of bounds write due to a heap buffer overflow.

4.3
2022-03-16 CVE-2021-40737 Adobe NULL Pointer Dereference vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40741 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by an Access of Memory Location After End of Buffer vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40742 Adobe NULL Pointer Dereference vulnerability in Adobe Audition 13.0.5/13.0.6

Adobe Audition version 14.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40750 Adobe NULL Pointer Dereference vulnerability in Adobe Bridge

Adobe Bridge version 11.1.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40762 Adobe NULL Pointer Dereference vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40766 Adobe Out-of-bounds Read vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier versions) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2022-03-16 CVE-2021-40767 Adobe Access of Memory Location After End of Buffer vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier) is affected by an Access of Memory Location After End of Buffer vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40768 Adobe NULL Pointer Dereference vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40769 Adobe Out-of-bounds Read vulnerability in Adobe Character Animator 2.1/3.2/3.3

Adobe Character Animator version 4.4 (and earlier versions) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.

4.3
2022-03-16 CVE-2021-40778 Adobe NULL Pointer Dereference vulnerability in Adobe Media Encoder

Adobe Media Encoder 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40781 Adobe NULL Pointer Dereference vulnerability in Adobe Media Encoder

Adobe Media Encoder 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40782 Adobe NULL Pointer Dereference vulnerability in Adobe Media Encoder

Adobe Media Encoder 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40785 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere Elements

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40788 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere Elements

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40789 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere Elements

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-40796 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere PRO

Adobe Premiere Pro 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-42263 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere PRO

Adobe Premiere Pro 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-42264 Adobe NULL Pointer Dereference vulnerability in Adobe Premiere PRO

Adobe Premiere Pro 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.

4.3
2022-03-16 CVE-2021-42552 Archivista Cross-site Scripting vulnerability in Archivista Archivistabox

Cross-site Scripting (XSS) vulnerability in ArchivistaBox webclient allows an attacker to craft a malicious link, executing JavaScript in the context of a victim's browser.

4.3
2022-03-16 CVE-2022-0986 Hestiacp Cross-site Scripting vulnerability in Hestiacp Control Panel

Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.

4.3
2022-03-16 CVE-2021-43956 Atlassian Unspecified vulnerability in Atlassian Crucible

The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.

4.3
2022-03-16 CVE-2022-27225 Gradle Missing Encryption of Sensitive Data vulnerability in Gradle Enterprise

Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations.

4.3
2022-03-15 CVE-2022-25493 Hospital Management System Project Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System 1.0

HMS v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via treatmentrecord.php.

4.3
2022-03-15 CVE-2022-27210 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Kubernetes Continous Deploy

A cross-site request forgery (CSRF) vulnerability in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4.3
2022-03-15 CVE-2022-0961 Microweber Integer Overflow or Wraparound vulnerability in Microweber

The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

4.3
2022-03-15 CVE-2022-24756 Bareos Memory Leak vulnerability in Bareos

Bareos is open source software for backup, archiving, and recovery of data for operating systems.

4.3
2022-03-15 CVE-2022-0951 Showdoc Cross-site Scripting vulnerability in Showdoc

File Upload Restriction Bypass leading to Stored XSS Vulnerability in GitHub repository star7th/showdoc prior to 2.10.4.

4.3
2022-03-15 CVE-2022-27193 Cvrf Csaf Converter Project Files or Directories Accessible to External Parties vulnerability in Cvrf-Csaf-Converter Project Cvrf-Csaf-Converter 1.0.0

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE).

4.3
2022-03-14 CVE-2022-24762 Sysend JS Project Information Exposure vulnerability in Sysend.Js Project Sysend.Js

sysend.js is a library that allows a user to send messages between pages that are open in the same browser.

4.3
2022-03-14 CVE-2022-24749 Sylius Cross-site Scripting vulnerability in Sylius

Sylius is an open source eCommerce platform.

4.3
2022-03-14 CVE-2022-24742 Sylius Information Exposure vulnerability in Sylius

Sylius is an open source eCommerce platform.

4.3
2022-03-14 CVE-2022-22344 IBM Improper Encoding or Escaping of Output vulnerability in IBM Spectrum Copy Data Management

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

4.3
2022-03-14 CVE-2021-24940 Woocommerce Cross-site Scripting vulnerability in Woocommerce Persian-Woocommerce

The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue

4.3
2022-03-14 CVE-2021-24996 WKI Cross-site Scripting vulnerability in WKI Idpay for Contact Form 7

The IDPay for Contact Form 7 WordPress plugin through 2.1.2 does not sanitise and escape the idpay_error parameter before outputting it back in the page leading to a Reflected Cross-Site Scripting

4.3
2022-03-14 CVE-2021-25006 Molie Instructure Canvas Linking Tool Project Cross-site Scripting vulnerability in Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool

The MOLIE WordPress plugin through 0.5 does not escape the course_id parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

4.3
2022-03-14 CVE-2021-44964 LUA Use After Free vulnerability in LUA

Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.

4.3
2022-03-14 CVE-2022-0147 Cookieinformation Cross-site Scripting vulnerability in Cookieinformation Wp-Gdpr-Compliance

The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

4.3
2022-03-14 CVE-2022-0161 ARI Soft Cross-site Scripting vulnerability in Ari-Soft ARI Fancy Lightbox

The ARI Fancy Lightbox WordPress plugin before 1.3.9 does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

4.3
2022-03-14 CVE-2022-0230 BWP Google XML Sitemaps Project Cross-site Scripting vulnerability in Bwp-Google-Xml-Sitemaps Project Bwp-Google-Xml-Sitemaps

The Better WordPress Google XML Sitemaps WordPress plugin through 1.4.1 does not sanitise and escape its logs when outputting them in the admin dashboard, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins

4.3
2022-03-14 CVE-2022-0248 Contact Form Submissions Project Cross-site Scripting vulnerability in Contact Form Submissions Project Contact Form Submissions

The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission.

4.3
2022-03-14 CVE-2022-0321 Ohiowebtech Cross-site Scripting vulnerability in Ohiowebtech WP Voting Contest

The WP Voting Contest WordPress plugin before 3.0 does not sanitise and escape the post_id parameter before outputting it back in the response via the wpvc_social_share_icons AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue

4.3
2022-03-14 CVE-2022-0327 Jeweltheme Cross-site Scripting vulnerability in Jeweltheme Master Addons for Elementor

The Master Addons for Elementor WordPress plugin before 1.8.5 does not sanitise and escape the error_message parameter before outputting it back in the response of the jltma_restrict_content AJAX action, available to unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting

4.3
2022-03-14 CVE-2022-0399 Berocket Cross-site Scripting vulnerability in Berocket Advanced Product Labels for Woocommerce

The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener AJAX action's response, leading to a Reflected Cross-Site Scripting

4.3
2022-03-14 CVE-2022-0449 Odude Cross-site Scripting vulnerability in Odude Flexi

The Flexi WordPress plugin before 4.20 does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting

4.3
2022-03-14 CVE-2022-0503 Obtaininfotech Cross-site Scripting vulnerability in Obtaininfotech Multisite Content Copier/Updater

The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.2 does not sanitise and escape the s parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in the network dashboard

4.3
2022-03-14 CVE-2022-0601 Edmonsoft Cross-site Scripting vulnerability in Edmonsoft Countdown, Coming Soon, Maintenance - Countdown & Clock

The Countdown, Coming Soon, Maintenance WordPress plugin before 2.2.9 does not sanitize and escape the post parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

4.3
2022-03-14 CVE-2022-0648 I13Websolution Cross-site Scripting vulnerability in I13Websolution Team Circle Image Slider With Lightbox

The Team Circle Image Slider With Lightbox WordPress plugin before 1.0.16 does not sanitize and escape the order_pos parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

4.3
2022-03-14 CVE-2022-22734 Sedlex Cross-Site Request Forgery (CSRF) vulnerability in Sedlex Simple Quotation

The Simple Quotation WordPress plugin through 1.3.2 does not have CSRF check when creating or editing a quote and does not sanitise and escape Quotes.

4.3
2022-03-14 CVE-2022-24574 Gpac NULL Pointer Dereference vulnerability in Gpac 1.0.1

GPAC 1.0.1 is affected by a NULL pointer dereference in gf_dump_vrml_field.isra ().

4.3
2022-03-14 CVE-2022-24576 Gpac Use After Free vulnerability in Gpac 1.0.1

GPAC 1.0.1 is affected by Use After Free through MP4Box.

4.3
2022-03-14 CVE-2022-24384 Smartertools Cross-site Scripting vulnerability in Smartertools Smartertrack

Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.

4.3
2022-03-18 CVE-2020-15388 Broadcom Incorrect Permission Assignment for Critical Resource vulnerability in Broadcom Fabric Operating System

A vulnerability in the Brocade Fabric OS before Brocade Fabric OS v9.0.1a, v8.2.3, v8.2.0_CBN4, and v7.4.2h could allow an authenticated CLI user to abuse the history command to write arbitrary content to files.

4.0
2022-03-18 CVE-2021-27789 Broadcom Unspecified vulnerability in Broadcom Fabric Operating System

The Web application of Brocade Fabric OS before versions Brocade Fabric OS v9.0.1a and v8.2.3a contains debug statements that expose sensitive information to the program's standard output device.

4.0
2022-03-18 CVE-2022-1003 Mattermost Improper Privilege Management vulnerability in Mattermost

One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads.

4.0
2022-03-18 CVE-2022-22638 Apple NULL Pointer Dereference vulnerability in Apple products

A null pointer dereference was addressed with improved validation.

4.0
2022-03-18 CVE-2022-22659 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved state management.

4.0
2022-03-18 CVE-2021-29899 IBM Unspecified vulnerability in IBM Engineering Requirements Quality Assistant On-Premises 3.0

IBM Engineering Requirements Quality Assistant prior to 3.1.3 could allow an authenticated user to cause a denial of service.

4.0
2022-03-18 CVE-2021-39046 IBM Information Exposure vulnerability in IBM products

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user.

4.0
2022-03-16 CVE-2021-43955 Atlassian Exposure of Resource to Wrong Sphere vulnerability in Atlassian Crucible

The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability.

4.0
2022-03-16 CVE-2020-36519 Mimecast Unspecified vulnerability in Mimecast Email Security

Mimecast Email Security before 2020-01-10 allows any admin to spoof any domain, and pass DMARC alignment via SPF.

4.0
2022-03-15 CVE-2020-4989 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Rational Team Concert

IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 and IBM Rational Team Concert 6.0.6 and 6.0.0.1 could allow an authenticated user to obtain sensitive information about build definitions.

4.0
2022-03-15 CVE-2022-22771 Tibco Path Traversal vulnerability in Tibco Jasperreports Library and Jasperreports Server

The Server component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system.

4.0
2022-03-15 CVE-2022-27199 Jenkins Incorrect Default Permissions vulnerability in Jenkins Cloudbees AWS Credentials

A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

4.0
2022-03-15 CVE-2022-27201 Jenkins Server-Side Request Forgery (SSRF) vulnerability in Jenkins Semantic Versioning

Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

4.0
2022-03-15 CVE-2022-27203 Jenkins Path Traversal vulnerability in Jenkins Extended Choice Parameter

Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.

4.0
2022-03-15 CVE-2022-27205 Jenkins Incorrect Default Permissions vulnerability in Jenkins Extended Choice Parameter

A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

4.0
2022-03-15 CVE-2022-27206 Jenkins Missing Encryption of Sensitive Data vulnerability in Jenkins Gitlab Authentication

Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

4.0
2022-03-15 CVE-2022-27208 Jenkins Path Traversal vulnerability in Jenkins Kubernetes Continuous Deploy

Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller.

4.0
2022-03-15 CVE-2022-27209 Kubernetes Missing Authorization vulnerability in Kubernetes Continuous Deploy

A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.0
2022-03-15 CVE-2022-27211 Jenkins Missing Authorization vulnerability in Jenkins Kubernetes Continuous Deploy

A missing/An incorrect permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

4.0
2022-03-15 CVE-2022-27214 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Release Helper

A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

4.0
2022-03-15 CVE-2022-27215 Jenkins Improper Preservation of Permissions vulnerability in Jenkins Release Helper

A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

4.0
2022-03-15 CVE-2022-27216 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Dbcharts 0.4/0.5.2

Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

4.0
2022-03-15 CVE-2022-27217 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins VMWare Vrealize Automation

Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

4.0
2022-03-15 CVE-2022-27218 Jenkins Unspecified vulnerability in Jenkins Incapptic Connect Uploader

Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

4.0
2022-03-15 CVE-2022-0968 Microweber Integer Overflow or Wraparound vulnerability in Microweber

The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

4.0
2022-03-14 CVE-2021-42389 Yandex Divide By Zero vulnerability in Yandex Clickhouse

Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query.

4.0
2022-03-14 CVE-2021-42390 Yandex Divide By Zero vulnerability in Yandex Clickhouse

Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query.

4.0
2022-03-14 CVE-2021-38971 IBM Incorrect Authorization vulnerability in IBM Data Virtualization on Cloud PAK for Data

IBM Data Virtualization on Cloud Pak for Data 1.3.0, 1.4.1, 1.5.0, 1.7.1 and 1.7.3 could allow an authorized user to bypass data masking rules and obtain sensitve information.

4.0
2022-03-14 CVE-2022-22353 IBM Unspecified vulnerability in IBM BIG SQL 7.1.0/7.1.1/7.2.3

IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow an authenticated user with appropriate permissions to obtain sensitive information by bypassing data masking rules using a CREATE TABLE SELECT statement.

4.0
2022-03-14 CVE-2021-24692 Tipsandtricks HQ Path Traversal vulnerability in Tipsandtricks-Hq Simple Download Monitor

The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

4.0
2022-03-14 CVE-2021-24966 Bestwebsoft External Control of File Name or Path vulnerability in Bestwebsoft Error LOG Viewer

The Error Log Viewer WordPress plugin through 1.1.1 does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder

4.0
2022-03-14 CVE-2022-24385 Smartertools Forced Browsing vulnerability in Smartertools Smartertrack

A Direct Object Access vulnerability in SmarterTools SmarterTrack leads to information disclosure This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.

4.0
2022-03-14 CVE-2021-43954 Atlassian Server-Side Request Forgery (SSRF) vulnerability in Atlassian Crucible

The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.

4.0

96 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-03-18 CVE-2022-22652 Apple Exposure of Resource to Wrong Sphere vulnerability in Apple Ipados and Iphone OS

The GSMA authentication panel could be presented on the lock screen.

3.6
2022-03-20 CVE-2022-25464 Html JS Cross-site Scripting vulnerability in Html-Js Doracms 2.1.8

A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

3.5
2022-03-20 CVE-2022-26555 Eova Cross-site Scripting vulnerability in Eova 1.6.0

A stored cross-site scripting (XSS) vulnerability in the Add a Button function of Eova v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the button name text box.

3.5
2022-03-18 CVE-2021-23150 Ampforwp Cross-site Scripting vulnerability in Ampforwp Accelerated Mobile Pages

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability discovered in AMP for WP – Accelerated Mobile Pages WordPress plugin (versions <= 1.0.77.31).

3.5
2022-03-18 CVE-2021-23209 Ampforwp Cross-site Scripting vulnerability in Ampforwp Accelerated Mobile Pages

Multiple Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) vulnerabilities discovered in AMP for WP – Accelerated Mobile Pages WordPress plugin (versions <= 1.0.77.32).

3.5
2022-03-18 CVE-2021-44760 WP Downloadmanager Project Cross-site Scripting vulnerability in Wp-Downloadmanager Project Wp-Downloadmanager

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6).

3.5
2022-03-18 CVE-2022-1002 Mattermost Cross-site Scripting vulnerability in Mattermost

Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations.

3.5
2022-03-18 CVE-2022-25603 Maxfoundry Cross-site Scripting vulnerability in Maxfoundry Maxgalleria 6.2.5

Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability discovered in MaxGalleria WordPress plugin (versions 6.2.5).

3.5
2022-03-18 CVE-2022-25604 Pricetable Project Cross-site Scripting vulnerability in Pricetable Project Price Table

Authenticated (contributor of higher user role) Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Price Table plugin (versions <= 0.2.2).

3.5
2022-03-18 CVE-2022-25605 WP Downloadmanager Project Cross-site Scripting vulnerability in Wp-Downloadmanager Project Wp-Downloadmanager

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6).

3.5
2022-03-18 CVE-2022-27244 Misp Cross-site Scripting vulnerability in Misp

An issue was discovered in MISP before 2.4.156.

3.5
2022-03-17 CVE-2021-45792 Slims Cross-site Scripting vulnerability in Slims Senayan Library Management System 9.4.2

Slims9 Bulian 9.4.2 is affected by Cross Site Scripting (XSS) in /admin/modules/system/custom_field.php.

3.5
2022-03-16 CVE-2022-26295 Online Project Time Management System Project Cross-site Scripting vulnerability in Online Project Time Management System Project Online Project Time Management System 1.0

A stored cross-site scripting (XSS) vulnerability in /ptms/?page=user of Online Project Time Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the user name field.

3.5
2022-03-16 CVE-2022-24728 Ckeditor
Drupal
Cross-site Scripting vulnerability in multiple products

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.

3.5
2022-03-16 CVE-2021-33853 X2Engine Cross-site Scripting vulnerability in X2Engine X2Crm 8.0

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website.

3.5
2022-03-16 CVE-2022-0959 Postgresql Unrestricted Upload of File with Dangerous Type vulnerability in Postgresql Pgadmin 4

A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.

3.5
2022-03-16 CVE-2021-45787 Maccms Cross-site Scripting vulnerability in Maccms 10.0

There is a stored Cross Site Scripting (XSS) vulnerability in maccms v10 through adding videos.

3.5
2022-03-16 CVE-2022-0705 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

3.5
2022-03-16 CVE-2022-0704 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

3.5
2022-03-16 CVE-2022-0911 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

3.5
2022-03-15 CVE-2022-25489 Thedigitalcraft Cross-site Scripting vulnerability in Thedigitalcraft Atomcms 2.0

Atom CMS v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "A" parameter in /widgets/debug.php.

3.5
2022-03-15 CVE-2022-0970 Getgrav Cross-site Scripting vulnerability in Getgrav Grav

Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.

3.5
2022-03-15 CVE-2022-27196 Jenkins Cross-site Scripting vulnerability in Jenkins Favorite

Jenkins Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions.

3.5
2022-03-15 CVE-2022-27197 Jenkins Cross-site Scripting vulnerability in Jenkins Dashboard View

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.

3.5
2022-03-15 CVE-2022-27200 Jenkins Cross-site Scripting vulnerability in Jenkins Folder-Based Authorization Strategy

Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

3.5
2022-03-15 CVE-2022-27202 Jenkins Cross-site Scripting vulnerability in Jenkins Extended Choice Parameter

Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the value and description of extended choice parameters of radio buttons or check boxes type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-03-15 CVE-2022-27207 Jenkins Cross-site Scripting vulnerability in Jenkins Global-Build-Stats

Jenkins global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

3.5
2022-03-15 CVE-2022-27212 Jenkins Cross-site Scripting vulnerability in Jenkins List GIT Branches Parameter

Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name of the 'List Git branches (and more)' parameter, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-03-15 CVE-2022-27213 Jenkins Cross-site Scripting vulnerability in Jenkins Environment Dashboard

Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

3.5
2022-03-15 CVE-2022-0963 Microweber Cross-site Scripting vulnerability in Microweber

Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

3.5
2022-03-15 CVE-2022-0964 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS viva .webmv file upload in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-15 CVE-2022-0965 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS viva .ofd file upload in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-15 CVE-2022-0966 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS via File Upload in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.4.10.

3.5
2022-03-15 CVE-2022-0967 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-15 CVE-2022-0942 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-15 CVE-2022-0956 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS via File Upload in GitHub repository star7th/showdoc prior to v.2.10.4.

3.5
2022-03-15 CVE-2022-0957 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS via File Upload in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-15 CVE-2022-0954 Microweber Cross-site Scripting vulnerability in Microweber

Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.

3.5
2022-03-15 CVE-2022-0893 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

3.5
2022-03-15 CVE-2022-0894 Pimcore Cross-site Scripting vulnerability in Pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

3.5
2022-03-15 CVE-2022-0950 Showdoc Cross-site Scripting vulnerability in Showdoc

Unrestricted Upload of File with Dangerous Type in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-15 CVE-2022-0945 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS viva axd and cshtml file upload in star7th/showdoc in GitHub repository star7th/showdoc prior to v2.10.4.

3.5
2022-03-14 CVE-2021-39055 IBM Cross-site Scripting vulnerability in IBM Spectrum Copy Data Management

IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to cross-site scripting.

3.5
2022-03-14 CVE-2022-22348 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.13.xxx is vulnerable to reverse tabnabbing where it could allow a page linked to from within Operations Center to rewrite it.

3.5
2022-03-14 CVE-2022-0962 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS viva .webma file upload in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-14 CVE-2021-24895 Webbigt Cross-site Scripting vulnerability in Webbigt Cybersoldier

The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL settings before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2021-24897 Viitorcloud Cross-site Scripting vulnerability in Viitorcloud ADD Subtitle 1.1.0

The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with classic editor) when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

3.5
2022-03-14 CVE-2021-24950 Thememove Missing Authorization vulnerability in Thememove Insight Core 1.0

The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response.

3.5
2022-03-14 CVE-2021-24958 Mekshq Cross-site Scripting vulnerability in Mekshq Meks Easy Photo Feed Widget

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings.

3.5
2022-03-14 CVE-2021-24982 Childtheme Generator Cross-site Scripting vulnerability in Childtheme-Generator Child Theme Generator

The Child Theme Generator WordPress plugin through 2.2.7 does not sanitise escape the parade parameter before outputting it back, leading to a Reflected Cross-Site Scripting in the admin dashboard

3.5
2022-03-14 CVE-2021-24995 Html5 Responsive FAQ Project Cross-site Scripting vulnerability in Html5 Responsive FAQ Project Html5 Responsive FAQ

The HTML5 Responsive FAQ WordPress plugin through 2.8.5 does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

3.5
2022-03-14 CVE-2021-25026 Patreon Cross-site Scripting vulnerability in Patreon Wordpress

The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2021-41952 Tribalsystems Cross-site Scripting vulnerability in Tribalsystems Zenario 9.0.54156

Zenario CMS 9.0.54156 is vulnerable to Cross Site Scripting (XSS) via upload file to *.SVG.

3.5
2022-03-14 CVE-2022-0659 Sync Qcloud COS Project Cross-site Scripting vulnerability in Sync Qcloud COS Project Sync Qcloud COS

The Sync QCloud COS WordPress plugin before 2.0.1 does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2022-0674 Kunze Medien Cross-site Scripting vulnerability in Kunze-Medien Kunze LAW

The Kunze Law WordPress plugin before 2.1 does not escape its 'E-Mail Error "From" Address' settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2022-0684 WP Home Page Menu Project Cross-site Scripting vulnerability in WP Home Page Menu Project WP Home Page Menu

The WP Home Page Menu WordPress plugin before 3.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2022-0700 Chrsinteractive Cross-site Scripting vulnerability in Chrsinteractive Simple Tracking

The Simple Tracking WordPress plugin before 1.7 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2022-0701 SEO 301 Meta Project Cross-site Scripting vulnerability in Seo-301-Meta Project Seo-301-Meta

The SEO 301 Meta WordPress plugin through 1.9.1 does not escape its Request and Destination settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2022-0702 Unboxinteractive Cross-site Scripting vulnerability in Unboxinteractive Petfinder-Listings

The Petfinder Listings WordPress plugin through 1.0.18 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2022-0703 GD Mylist Project Cross-site Scripting vulnerability in Gd-Mylist Project Gd-Mylist

The GD Mylist WordPress plugin through 1.1.1 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-03-14 CVE-2022-0960 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-14 CVE-2022-0946 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS viva cshtm file upload in GitHub repository star7th/showdoc prior to v2.10.4.

3.5
2022-03-14 CVE-2022-0941 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4.

3.5
2022-03-14 CVE-2022-24386 Smartertools Cross-site Scripting vulnerability in Smartertools Smartertrack

Stored XSS in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.

3.5
2022-03-14 CVE-2022-0940 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4.

3.5
2022-03-14 CVE-2022-0938 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored XSS via file upload in GitHub repository star7th/showdoc prior to v2.10.4.

3.5
2022-03-14 CVE-2022-0341 B3Log Cross-site Scripting vulnerability in B3Log Vditor

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.12.

3.5
2022-03-14 CVE-2022-0937 Showdoc Cross-site Scripting vulnerability in Showdoc

Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4.

3.5
2022-03-18 CVE-2020-25184 Schneider Electric
Rockwellautomation
Xylem
Insufficiently Protected Credentials vulnerability in multiple products

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file.

2.1
2022-03-18 CVE-2022-22583 Apple Exposure of Resource to Wrong Sphere vulnerability in Apple Macos

A permissions issue was addressed with improved validation.

2.1
2022-03-18 CVE-2022-22598 Apple Exposure of Resource to Wrong Sphere vulnerability in Apple Ipados and Iphone OS

An issue with app access to camera metadata was addressed with improved logic.

2.1
2022-03-18 CVE-2022-22599 Apple Incorrect Permission Assignment for Critical Resource vulnerability in Apple products

Description: A permissions issue was addressed with improved validation.

2.1
2022-03-18 CVE-2022-22621 Apple Information Exposure vulnerability in Apple products

This issue was addressed with improved checks.

2.1
2022-03-18 CVE-2022-22622 Apple Exposure of Resource to Wrong Sphere vulnerability in Apple Ipados and Iphone OS

This issue was addressed with improved checks.

2.1
2022-03-18 CVE-2022-22647 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

2.1
2022-03-18 CVE-2022-22648 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

2.1
2022-03-18 CVE-2022-22650 Apple Improper Preservation of Permissions vulnerability in Apple Macos

This issue was addressed with improved checks.

2.1
2022-03-18 CVE-2022-22656 Apple Improper Authentication vulnerability in Apple Macos

An authentication issue was addressed with improved state management.

2.1
2022-03-18 CVE-2022-22671 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

An authentication issue was addressed with improved state management.

2.1
2022-03-18 CVE-2021-22571 Google Incorrect Default Permissions vulnerability in Google Sa360 Webquery to Bigquery Exporter

A local attacker could read files from some other users' SA360 reports stored in the /tmp folder during staging process before the files are loaded in BigQuery.

2.1
2022-03-16 CVE-2021-20180 Redhat Information Exposure Through Log Files vulnerability in Redhat Ansible

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module.

2.1
2022-03-16 CVE-2021-20257 Qemu
Fedoraproject
Redhat
Infinite Loop vulnerability in multiple products

An infinite loop flaw was found in the e1000 NIC emulator of the QEMU.

2.1
2022-03-16 CVE-2021-39705 Google Incorrect Default Permissions vulnerability in Google Android 10.0/11.0/12.0

In getNotificationTag of LegacyVoicemailNotifier.java, there is a possible leak of ICCID due to a permissions bypass.

2.1
2022-03-16 CVE-2021-39711 Google Out-of-bounds Read vulnerability in Google Android

In bpf_prog_test_run_skb of test_run.c, there is a possible out of bounds read due to Incorrect Size Value.

2.1
2022-03-16 CVE-2021-39715 Google Exposure of Resource to Wrong Sphere vulnerability in Google Android

In __show_regs of process.c, there is a possible leak of kernel memory and addresses due to log information disclosure.

2.1
2022-03-16 CVE-2021-39717 Google Out-of-bounds Read vulnerability in Google Android

In iaxxx_btp_write_words of iaxxx-btp.c, there is a possible out of bounds read due to an incorrect bounds check.

2.1
2022-03-16 CVE-2021-39722 Google Out-of-bounds Read vulnerability in Google Android

In ProtocolStkProactiveCommandAdapter::Init of protocolstkadapter.cpp, there is a possible out of bounds read due to an incorrect bounds check.

2.1
2022-03-16 CVE-2021-39724 Google Out-of-bounds Read vulnerability in Google Android

In TuningProviderBase::GetTuningTreeSet of tuning_provider_base.cc, there is a possible out of bounds read due to a missing bounds check.

2.1
2022-03-16 CVE-2021-39730 Google Out-of-bounds Read vulnerability in Google Android

In TBD of TBD, there is a possible out of bounds read due to a missing bounds check.

2.1
2022-03-16 CVE-2022-23234 Netapp Cleartext Storage of Sensitive Information vulnerability in Netapp Snapcenter

SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials.

2.1
2022-03-16 CVE-2022-26354 Qemu
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

A flaw was found in the vhost-vsock device of QEMU.

2.1
2022-03-16 CVE-2021-46705 GNU Insecure Temporary File vulnerability in GNU Grub2

A Insecure Temporary File vulnerability in grub-once of grub2 in SUSE Linux Enterprise Server 15 SP4, openSUSE Factory allows local attackers to truncate arbitrary files.

2.1
2022-03-16 CVE-2022-21945 Opensuse Insecure Temporary File vulnerability in Opensuse Cscreen

A Insecure Temporary File vulnerability in cscreen of openSUSE Factory allows local attackers to cause DoS for cscreen and a system DoS for non-default systems.

2.1
2022-03-15 CVE-2022-27195 Jenkins Information Exposure Through Log Files vulnerability in Jenkins Parameterized Remote Trigger

Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files.

2.1
2022-03-16 CVE-2021-39727 Google Race Condition vulnerability in Google Android

In eicPresentationRetrieveEntryValue of acropora/app/identity/libeic/EicPresentation.c, there is a possible information disclosure due to a race condition.

1.9
2022-03-16 CVE-2021-39792 Google Out-of-bounds Read vulnerability in Google Android

In usb_gadget_giveback_request of core.c, there is a possible use after free out of bounds read due to a race condition.

1.9