Weekly Vulnerabilities Reports > March 14 to 20, 2022
Overview
554 new vulnerabilities reported during this period, including 102 critical vulnerabilities and 134 high severity vulnerabilities. This weekly summary report vulnerabilities in 446 products from 205 vendors including Apple, Google, Adobe, Tenda, and Jenkins. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Out-of-bounds Read", "SQL Injection", and "OS Command Injection".
- 437 reported vulnerabilities are remotely exploitables.
- 5 reported vulnerabilities have public exploit available.
- 179 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 397 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 78 reported vulnerabilities.
- Tenda has the most reported critical vulnerabilities, with 29 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
102 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-18 | CVE-2022-25390 | Dcnglobal | Unspecified vulnerability in Dcnglobal Dcme-520 Firmware DCN Firewall DCME-520 was discovered to contain a remote command execution (RCE) vulnerability via the host parameter in the file /system/tool/ping.php. | 10.0 |
2022-03-18 | CVE-2022-25445 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the time parameter in the PowerSaveSet function. | 10.0 |
2022-03-18 | CVE-2022-25446 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the schedstarttime parameter in the openSchedWifi function. | 10.0 |
2022-03-18 | CVE-2022-25447 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the schedendtime parameter in the openSchedWifi function. | 10.0 |
2022-03-18 | CVE-2022-25448 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the day parameter in the openSchedWifi function. | 10.0 |
2022-03-18 | CVE-2022-25449 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the deviceId parameter in the saveParentControlInfo function. | 10.0 |
2022-03-18 | CVE-2022-25450 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 V15.03.05.09_multi was discovered to contain a stack overflow via the list parameter in the SetVirtualServerCfg function. | 10.0 |
2022-03-18 | CVE-2022-25451 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 V15.03.05.09_multi was discovered to contain a stack overflow via the list parameter in the setstaticroutecfg function. | 10.0 |
2022-03-18 | CVE-2022-25452 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the URLs parameter in the saveParentControlInfo function. | 10.0 |
2022-03-18 | CVE-2022-25453 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the time parameter in the saveParentControlInfo function. | 10.0 |
2022-03-18 | CVE-2022-25454 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the loginpwd parameter in the SetFirewallCfg function. | 10.0 |
2022-03-18 | CVE-2022-25455 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the list parameter in the SetIpMacBind function. | 10.0 |
2022-03-18 | CVE-2022-25456 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the security_5g parameter in the WifiBasicSet function. | 10.0 |
2022-03-18 | CVE-2022-25457 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the ntpserver parameter in the SetSysTimeCfg function. | 10.0 |
2022-03-18 | CVE-2022-25458 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the cmdinput parameter in the exeCommand function. | 10.0 |
2022-03-18 | CVE-2022-25459 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the S1 parameter in the SetSysTimeCfg function. | 10.0 |
2022-03-18 | CVE-2022-25460 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the endip parameter in the SetPptpServerCfg function. | 10.0 |
2022-03-18 | CVE-2022-25461 | Tenda | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.09 Tenda AC6 v15.03.05.09_multi was discovered to contain a stack overflow via the startip parameter in the SetPptpServerCfg function. | 10.0 |
2022-03-18 | CVE-2022-27250 | Unisoc | Unspecified vulnerability in Unisoc Chipset The UNISOC chipset through 2022-03-15 allows attackers to obtain remote control of a mobile phone, e.g., to obtain sensitive information from text messages or the device's screen, record video of the device's physical environment, or modify data. | 10.0 |
2022-03-18 | CVE-2022-22586 | Apple | Out-of-bounds Write vulnerability in Apple Macos An out-of-bounds write issue was addressed with improved bounds checking. | 10.0 |
2022-03-18 | CVE-2022-22587 | Apple | Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS A memory corruption issue was addressed with improved input validation. | 10.0 |
2022-03-18 | CVE-2021-45966 | Pascom | OS Command Injection vulnerability in Pascom Cloud Phone System An issue was discovered in Pascom Cloud Phone System before 7.20.x. | 10.0 |
2022-03-17 | CVE-2021-45040 | Spatie | Unrestricted Upload of File with Dangerous Type vulnerability in Spatie Laravel Media Library The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route. | 10.0 |
2022-03-17 | CVE-2022-25760 | Accesslog Project | Code Injection vulnerability in Accesslog Project Accesslog All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. | 10.0 |
2022-03-16 | CVE-2021-23165 | Htmldoc Project | Out-of-bounds Write vulnerability in Htmldoc Project Htmldoc A flaw was found in htmldoc before v1.9.12. | 10.0 |
2022-03-16 | CVE-2021-39710 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-202160245References: N/A | 10.0 | |
2022-03-16 | CVE-2021-39720 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-207433926References: N/A | 10.0 | |
2022-03-16 | CVE-2021-39723 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-209014813References: N/A | 10.0 | |
2022-03-16 | CVE-2021-39737 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-208229524References: N/A | 10.0 | |
2022-03-16 | CVE-2022-25247 | PTC | Missing Authentication for Critical Function vulnerability in PTC Axeda Agent and Axeda Desktop Server Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain commands to a specific port without authentication. | 10.0 |
2022-03-18 | CVE-2022-25578 | Taogogo | Code Injection vulnerability in Taogogo Taocms 3.0.2 taocms v3.0.2 allows attackers to execute code injection via arbitrarily editing the .htaccess file. | 9.8 |
2022-03-18 | CVE-2022-26265 | Contao | OS Command Injection vulnerability in Contao 1.5.0 Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter. | 9.8 |
2022-03-18 | CVE-2022-25427 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the schedendtime parameter in the openSchedWifi function. | 9.8 |
2022-03-18 | CVE-2022-25428 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the deviceId parameter in the saveparentcontrolinfo function. | 9.8 |
2022-03-18 | CVE-2022-25429 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a buffer overflow via the time parameter in the saveparentcontrolinfo function. | 9.8 |
2022-03-18 | CVE-2022-25431 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain multiple stack overflows via the NPTR, V12, V10 and V11 parameter in the Formsetqosband function. | 9.8 |
2022-03-18 | CVE-2022-25433 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the urls parameter in the saveparentcontrolinfo function. | 9.8 |
2022-03-18 | CVE-2022-25434 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the firewallen parameter in the SetFirewallCfg function. | 9.8 |
2022-03-18 | CVE-2022-25435 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetStaticRoutecfg function. | 9.8 |
2022-03-18 | CVE-2022-25437 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetVirtualServerCfg function. | 9.8 |
2022-03-18 | CVE-2022-25438 | Tenda | OS Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the SetIPTVCfg function. | 9.8 |
2022-03-18 | CVE-2022-25439 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the list parameter in the SetIpMacBind function. | 9.8 |
2022-03-18 | CVE-2022-25440 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a stack overflow via the ntpserver parameter in the SetSysTimeCfg function. | 9.8 |
2022-03-18 | CVE-2022-25441 | Tenda | OS Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21 Tenda AC9 v15.03.2.21 was discovered to contain a remote command execution (RCE) vulnerability via the vlanid parameter in the SetIPTVCfg function. | 9.8 |
2022-03-18 | CVE-2022-0547 | Openvpn Fedoraproject Debian | Improper Authentication vulnerability in multiple products OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. | 9.8 |
2022-03-18 | CVE-2022-24637 | Openwebanalytics | Improper Privilege Management vulnerability in Openwebanalytics Open web Analytics Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. | 9.8 |
2022-03-18 | CVE-2022-24595 | Automotivelinux | Unspecified vulnerability in Automotivelinux Kooky KOI Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon. | 9.8 |
2022-03-18 | CVE-2021-45967 | Pascom Igniterealtime | Path Traversal vulnerability in multiple products An issue was discovered in Pascom Cloud Phone System before 7.20.x. | 9.8 |
2022-03-17 | CVE-2022-26501 | Veeam | Missing Authentication for Critical Function vulnerability in Veeam Backup & Replication Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2). | 9.8 |
2022-03-17 | CVE-2020-15591 | UNI Stuttgart | Code Injection vulnerability in Uni-Stuttgart Frams' Fast File Exchange fexsrv in F*EX (aka Frams' Fast File EXchange) before fex-20160919_2 allows eval injection (for unauthenticated remote code execution). | 9.8 |
2022-03-17 | CVE-2021-44906 | Substack | Unspecified vulnerability in Substack Minimist Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | 9.8 |
2022-03-17 | CVE-2022-0748 | Post Loader Project | Cross-site Scripting vulnerability in Post-Loader Project Post-Loader The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed. | 9.8 |
2022-03-17 | CVE-2022-24074 | Navercorp | Exposure of Resource to Wrong Sphere vulnerability in Navercorp Whale Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage request from the content script itself that could lead to controlling Whale Bridge if the rendering process compromises. | 9.8 |
2022-03-17 | CVE-2022-22273 | Sonicwall | OS Command Injection vulnerability in Sonicwall products Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically the SRA appliances running all 8.x, 9.0.0.5-19sv and earlier versions and Secure Mobile Access (SMA) 100 series products running older firmware 9.0.0.9-26sv and earlier versions | 9.8 |
2022-03-16 | CVE-2022-23812 | Node IPC Project | Unspecified vulnerability in Node-Ipc Project Node-Ipc This affects the package node-ipc from 10.1.1 and before 10.1.3. | 9.8 |
2022-03-16 | CVE-2021-39708 | Out-of-bounds Write vulnerability in Google Android 12.0 In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to an incorrect bounds check. | 9.8 | |
2022-03-15 | CVE-2022-26206 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setLanguageCfg, via the langType parameter. | 9.8 |
2022-03-15 | CVE-2022-26207 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter. | 9.8 |
2022-03-15 | CVE-2022-26208 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setWebWlanIdx, via the webWlanIdx parameter. | 9.8 |
2022-03-15 | CVE-2022-26209 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUploadSetting, via the FileName parameter. | 9.8 |
2022-03-15 | CVE-2022-26210 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter. | 9.8 |
2022-03-15 | CVE-2022-26211 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and deviceName parameters. | 9.8 |
2022-03-15 | CVE-2022-26212 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDeviceName, via the deviceMac and deviceName parameters. | 9.8 |
2022-03-15 | CVE-2022-26213 | Totolink | OS Command Injection vulnerability in Totolink X5000R Firmware 9.1.0U.6118B20201102 Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via the tz parameters. | 9.8 |
2022-03-15 | CVE-2022-26214 | Totolink | OS Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function NTPSyncWithHost. | 9.8 |
2022-03-15 | CVE-2022-26990 | Arris | OS Command Injection vulnerability in Arris products Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters. | 9.8 |
2022-03-15 | CVE-2022-26991 | Arris | OS Command Injection vulnerability in Arris products Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ntp function via the TimeZone parameter. | 9.8 |
2022-03-15 | CVE-2022-26992 | Arris | OS Command Injection vulnerability in Arris products Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ddns function via the DdnsUserName, DdnsHostName, and DdnsPassword parameters. | 9.8 |
2022-03-15 | CVE-2022-26993 | Arris | OS Command Injection vulnerability in Arris products Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters. | 9.8 |
2022-03-15 | CVE-2022-26994 | Arris | OS Command Injection vulnerability in Arris products Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pptp function via the pptpUserName and pptpPassword parameters. | 9.8 |
2022-03-15 | CVE-2022-26995 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pptp (wan_pptp.html) function via the pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, and wan_dns1_stat parameters. | 9.8 |
2022-03-15 | CVE-2022-26996 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. | 9.8 |
2022-03-15 | CVE-2022-26997 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. | 9.8 |
2022-03-15 | CVE-2022-26998 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter. | 9.8 |
2022-03-15 | CVE-2022-26999 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. | 9.8 |
2022-03-15 | CVE-2022-27000 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters. | 9.8 |
2022-03-15 | CVE-2022-27001 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the dhcp function via the hostname parameter. | 9.8 |
2022-03-15 | CVE-2022-27002 | Commscope | Command Injection vulnerability in Commscope Arris Tr3300 Firmware 1.0.13 Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns?ddns_host parameters. | 9.8 |
2022-03-15 | CVE-2022-27003 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware and X5000R Firmware Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6rd function via the relay6rd parameter. | 9.8 |
2022-03-15 | CVE-2022-27004 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware and X5000R Firmware Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter. | 9.8 |
2022-03-15 | CVE-2022-27005 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware and X5000R Firmware Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. | 9.8 |
2022-03-15 | CVE-2022-25498 | Cuppacms | Code Injection vulnerability in Cuppacms 1.0 CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php. | 9.8 |
2022-03-14 | CVE-2022-21187 | Libvcs Project | Argument Injection or Modification vulnerability in Libvcs Project Libvcs The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. | 9.8 |
2022-03-14 | CVE-2021-25003 | Wptaskforce | Unrestricted Upload of File with Dangerous Type vulnerability in Wptaskforce Wpcargo Track & Trace The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE | 9.8 |
2022-03-14 | CVE-2022-22720 | Apache Fedoraproject Debian Oracle Apple | HTTP Request Smuggling vulnerability in multiple products Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling | 9.8 |
2022-03-14 | CVE-2022-23943 | Apache Fedoraproject Debian Oracle | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. | 9.8 |
2022-03-19 | CVE-2022-27226 | IRZ | Cross-Site Request Forgery (CSRF) vulnerability in IRZ products A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. | 9.3 |
2022-03-18 | CVE-2020-25176 | Schneider Electric Rockwellautomation Xylem | Path Traversal vulnerability in multiple products Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. | 9.3 |
2022-03-18 | CVE-2020-25178 | Schneider Electric Rockwellautomation Xylem | Cleartext Transmission of Sensitive Information vulnerability in multiple products ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP. | 9.3 |
2022-03-18 | CVE-2022-22591 | Apple | Out-of-bounds Write vulnerability in Apple Macos 12.0.0/12.0.1 A memory corruption issue was addressed with improved memory handling. | 9.3 |
2022-03-18 | CVE-2022-22593 | Apple | Classic Buffer Overflow vulnerability in Apple products A buffer overflow issue was addressed with improved memory handling. | 9.3 |
2022-03-18 | CVE-2022-22634 | Apple | Classic Buffer Overflow vulnerability in Apple Ipados and Iphone OS A buffer overflow was addressed with improved bounds checking. | 9.3 |
2022-03-18 | CVE-2022-22636 | Apple | Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS An out-of-bounds write issue was addressed with improved bounds checking. | 9.3 |
2022-03-18 | CVE-2022-22667 | Apple | Use After Free vulnerability in Apple Ipados and Iphone OS A use after free issue was addressed with improved memory management. | 9.3 |
2022-03-16 | CVE-2021-39692 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 10.0/11.0/12.0 In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. | 9.3 | |
2022-03-16 | CVE-2021-39701 | Improper Input Validation vulnerability in Google Android 11.0/12.0 In serviceConnection of ControlsProviderLifecycleManager.kt, there is a possible way to keep service running in foreground without notification or permission due to improper input validation. | 9.3 | |
2022-03-16 | CVE-2021-39702 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Google Android 12.0 In onCreate of RequestManageCredentials.java, there is a possible way for a third party app to install certificates without user approval due to a tapjacking/overlay attack. | 9.3 | |
2022-03-16 | CVE-2021-39706 | Missing Authorization vulnerability in Google Android 10.0/11.0/12.0 In onResume of CredentialStorage.java, there is a possible way to cleanup content of credentials storage due to a missing permission check. | 9.3 | |
2022-03-14 | CVE-2022-22721 | Apache Fedoraproject Debian Oracle Apple | Integer Overflow or Wraparound vulnerability in multiple products If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. | 9.1 |
2022-03-18 | CVE-2020-25197 | GE | Code Injection vulnerability in GE Rt430 Firmware, Rt431 Firmware and Rt434 Firmware A code injection vulnerability exists in one of the webpages in GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06 that could allow an authenticated remote attacker to execute arbitrary code on the system. | 9.0 |
2022-03-16 | CVE-2022-0811 | Kubernetes | Code Injection vulnerability in Kubernetes Cri-O A flaw was found in CRI-O in the way it set kernel options for a pod. | 9.0 |
2022-03-16 | CVE-2022-25246 | PTC | Use of Hard-coded Credentials vulnerability in PTC Axeda Agent and Axeda Desktop Server Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) uses hard-coded credentials for its UltraVNC installation. | 9.0 |
134 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-20 | CVE-2022-24125 | Fromsoftware | Unspecified vulnerability in Fromsoftware Dark Souls III The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request. | 8.8 |
2022-03-18 | CVE-2022-22620 | Apple | Use After Free vulnerability in Apple products A use after free issue was addressed with improved memory management. | 8.8 |
2022-03-17 | CVE-2022-26500 | Veeam | Path Traversal vulnerability in Veeam Backup & Replication Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code. | 8.8 |
2022-03-17 | CVE-2022-26504 | Veeam | Improper Authentication vulnerability in Veeam Backup & Replication Improper authentication in Veeam Backup & Replication 9.5U3, 9.5U4,10.x and 11.x component used for Microsoft System Center Virtual Machine Manager (SCVMM) allows attackers execute arbitrary code via Veeam.Backup.PSManager.exe | 8.8 |
2022-03-16 | CVE-2020-25721 | Samba | Improper Input Validation vulnerability in Samba Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). | 8.8 |
2022-03-16 | CVE-2022-27223 | Linux Netapp Debian | Improper Validation of Array Index vulnerability in multiple products In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access. | 8.8 |
2022-03-15 | CVE-2022-22771 | Tibco | Path Traversal vulnerability in Tibco Jasperreports Library and Jasperreports Server The Server component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. | 8.8 |
2022-03-15 | CVE-2022-27204 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Extended Choice Parameter 346.Vd87693C5A86C A cross-site request forgery vulnerability in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers to connect to an attacker-specified URL. | 8.8 |
2022-03-14 | CVE-2021-43304 | Yandex Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.8 |
2022-03-14 | CVE-2021-43305 | Yandex Debian | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.8 |
2022-03-17 | CVE-2022-25364 | Gradle | Incorrect Default Permissions vulnerability in Gradle Enterprise In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. | 8.1 |
2022-03-14 | CVE-2021-42387 | Yandex Debian | Out-of-bounds Read vulnerability in multiple products Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.1 |
2022-03-14 | CVE-2021-42388 | Yandex Debian | Out-of-bounds Read vulnerability in multiple products Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.1 |
2022-03-15 | CVE-2022-27198 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Cloudbees AWS Credentials A cross-site request forgery (CSRF) vulnerability in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. | 8.0 |
2022-03-18 | CVE-2022-1011 | Linux Fedoraproject Redhat Netapp Debian Oracle | Use After Free vulnerability in multiple products A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). | 7.8 |
2022-03-18 | CVE-2022-22578 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved validation. | 7.8 |
2022-03-18 | CVE-2022-22579 | Apple | Unspecified vulnerability in Apple products An information disclosure issue was addressed with improved state management. | 7.8 |
2022-03-18 | CVE-2022-22612 | Apple | Out-of-bounds Write vulnerability in Apple products A memory consumption issue was addressed with improved memory handling. | 7.8 |
2022-03-18 | CVE-2022-22613 | Apple | Out-of-bounds Write vulnerability in Apple products An out-of-bounds write issue was addressed with improved bounds checking. | 7.8 |
2022-03-18 | CVE-2022-22614 | Apple | Use After Free vulnerability in Apple products A use after free issue was addressed with improved memory management. | 7.8 |
2022-03-18 | CVE-2022-22615 | Apple | Use After Free vulnerability in Apple products A use after free issue was addressed with improved memory management. | 7.8 |
2022-03-18 | CVE-2022-22617 | Apple | Unspecified vulnerability in Apple mac OS X and Macos A logic issue was addressed with improved state management. | 7.8 |
2022-03-18 | CVE-2022-22618 | Apple | Unspecified vulnerability in Apple Iphone OS This issue was addressed with improved checks. | 7.8 |
2022-03-18 | CVE-2022-22631 | Apple | Out-of-bounds Write vulnerability in Apple mac OS X and Macos An out-of-bounds write issue was addressed with improved bounds checking. | 7.8 |
2022-03-18 | CVE-2022-22633 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved state management. | 7.8 |
2022-03-18 | CVE-2022-22639 | Apple | Unspecified vulnerability in Apple Macos A logic issue was addressed with improved state management. | 7.8 |
2022-03-18 | CVE-2022-22640 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved validation. | 7.8 |
2022-03-18 | CVE-2022-22661 | Apple | Type Confusion vulnerability in Apple mac OS X and Macos A type confusion issue was addressed with improved state handling. | 7.8 |
2022-03-18 | CVE-2022-22665 | Apple | Unspecified vulnerability in Apple mac OS X and Macos A logic issue was addressed with improved validation. | 7.8 |
2022-03-18 | CVE-2022-24091 | Adobe | Out-of-bounds Write vulnerability in Adobe products Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-17 | CVE-2022-21822 | Nvidia | Allocation of Resources Without Limits or Throttling vulnerability in Nvidia Federated Learning Application Runtime Environment NVIDIA FLARE contains a vulnerability in the admin interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable. | 7.8 |
2022-03-17 | CVE-2022-26526 | Anaconda Conda | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. | 7.8 |
2022-03-16 | CVE-2021-0957 | Unspecified vulnerability in Google Android 10.0/11.0/12.0 In NotificationStackScrollLayout of NotificationStackScrollLayout.java, there is a possible way to bypass Factory Reset Protections. | 7.8 | |
2022-03-16 | CVE-2021-39693 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 12.0 In onUidStateChanged of AppOpsService.java, there is a possible way to access location without a visible indicator due to a logic error in the code. | 7.8 | |
2022-03-16 | CVE-2021-39714 | Use After Free vulnerability in Google Android In ion_buffer_kmap_get of ion.c, there is a possible use-after-free due to an integer overflow. | 7.8 | |
2022-03-16 | CVE-2021-40738 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Audition 13.0.5/13.0.6/14.4 Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability when parsing a WAV file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40739 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Audition 13.0.5/13.0.6/14.4 Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40740 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Audition 13.0.5/13.0.6/14.4 Adobe Audition version 14.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40763 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Character Animator Adobe Character Animator version 4.4 (and earlier) is affected by a memory corruption vulnerability when parsing a WAF file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40764 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Character Animator Adobe Character Animator version 4.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40765 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Character Animator Adobe Character Animator version 4.4 (and earlier) is affected by a memory corruption vulnerability when parsing a M4A file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40779 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Media Encoder Adobe Media Encoder version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40780 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Media Encoder Adobe Media Encoder version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40786 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40787 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40792 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere PRO Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40793 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere PRO Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-40794 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere PRO Adobe Premiere Pro version 15.4.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-42526 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-42527 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Premiere Elements Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-42719 | Adobe | Out-of-bounds Read vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted .jpe file, which could result in a read past the end of an allocated memory structure. | 7.8 |
2022-03-16 | CVE-2021-42724 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-42729 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-16 | CVE-2021-42730 | Adobe | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious PSD file, potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-03-15 | CVE-2022-25486 | Cuppacms | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Cuppacms 1.0 CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php. | 7.8 |
2022-03-14 | CVE-2022-0943 | VIM Fedoraproject Debian Apple | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563. | 7.8 |
2022-03-14 | CVE-2022-20001 | Fishshell Fedoraproject Debian | Injection vulnerability in multiple products fish is a command line shell. | 7.8 |
2022-03-14 | CVE-2022-24578 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.0.1 GPAC 1.0.1 is affected by a heap-based buffer overflow in SFS_AddString () at bifs/script_dec.c. | 7.8 |
2022-03-14 | CVE-2022-24577 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.0.1 GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen. | 7.8 |
2022-03-20 | CVE-2021-39383 | Diaowen | Code Injection vulnerability in Diaowen Dwsurvey 3.2.0 DWSurvey v3.2.0 was discovered to contain a remote command execution (RCE) vulnerability via the component /sysuser/SysPropertyAction.java. | 7.5 |
2022-03-20 | CVE-2021-39384 | Diaowen | Unrestricted Upload of File with Dangerous Type vulnerability in Diaowen Dwsurvey 3.2.0 DWSurvey v3.2.0 was discovered to contain an arbitrary file write vulnerability via the component /utils/ToHtmlServlet.java. | 7.5 |
2022-03-20 | CVE-2021-44345 | Wvti | SQL Injection vulnerability in Wvti ONE Card Integrated Management System 3.0 Beijing Wisdom Vision Technology Industry Co., Ltd One Card Integrated Management System 3.0 is vulnerable to SQL Injection. | 7.5 |
2022-03-20 | CVE-2022-24126 | Fromsoftware | Out-of-bounds Write vulnerability in Fromsoftware Dark Souls III A buffer overflow in the NRSessionSearchResult parser in Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allows remote attackers to execute arbitrary code via matchmaking servers, a different vulnerability than CVE-2021-34170. | 7.5 |
2022-03-18 | CVE-2022-26267 | Piwigo | Missing Authentication for Critical Function vulnerability in Piwigo 12.2.0 Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php. | 7.5 |
2022-03-18 | CVE-2020-16232 | Yokogawa | Classic Buffer Overflow vulnerability in Yokogawa Widefield3 In Yokogawa WideField3 R1.01 - R4.03, a buffer overflow could be caused when a user loads a maliciously crafted project file. | 7.5 |
2022-03-18 | CVE-2022-22632 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved state management. | 7.5 |
2022-03-18 | CVE-2022-22635 | Apple | Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS An out-of-bounds write issue was addressed with improved bounds checking. | 7.5 |
2022-03-18 | CVE-2022-22641 | Apple | Use After Free vulnerability in Apple products A use after free issue was addressed with improved memory management. | 7.5 |
2022-03-18 | CVE-2022-22642 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS This issue was addressed with improved checks. | 7.5 |
2022-03-18 | CVE-2022-22643 | Apple | Unspecified vulnerability in Apple Iphone OS This issue was addressed with improved checks. | 7.5 |
2022-03-18 | CVE-2022-22651 | Apple | Out-of-bounds Write vulnerability in Apple Macos An out-of-bounds write issue was addressed with improved bounds checking. | 7.5 |
2022-03-18 | CVE-2022-22653 | Apple | Unspecified vulnerability in Apple Iphone OS A logic issue was addressed with improved restrictions. | 7.5 |
2022-03-18 | CVE-2022-0742 | Linux Netapp | Memory Leak vulnerability in multiple products Memory leak in icmp6 implementation in Linux Kernel 5.13+ allows a remote attacker to DoS a host by making it go out-of-memory via icmp6 packets of type 130 or 131. | 7.5 |
2022-03-18 | CVE-2021-45834 | Opendocman | Unrestricted Upload of File with Dangerous Type vulnerability in Opendocman 1.4.4 An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution. | 7.5 |
2022-03-18 | CVE-2021-45835 | Online Admission System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Admission System Project Online Admissions System 1.0 The Online Admission System 1.0 allows an unauthenticated attacker to upload or transfer files of dangerous types to the application through documents.php, which may be used to execute malicious code or lead to code execution. | 7.5 |
2022-03-18 | CVE-2022-27191 | Golang Fedoraproject Redhat | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | 7.5 |
2022-03-18 | CVE-2022-27240 | Glewlwyd SSO Server Project | Classic Buffer Overflow vulnerability in Glewlwyd SSO Server Project Glewlwyd SSO Server scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion. | 7.5 |
2022-03-17 | CVE-2021-44087 | Attendance AND Payroll System Project | Unspecified vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0 A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP via photo upload. | 7.5 |
2022-03-17 | CVE-2021-44088 | Attendance AND Payroll System Project | SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0 An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters. | 7.5 |
2022-03-17 | CVE-2021-44259 | Wavlink | Missing Authentication for Critical Function vulnerability in Wavlink Wl-Wn531G3 Firmware A42W1.27.620180418 A vulnerability is in the 'wx.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. | 7.5 |
2022-03-17 | CVE-2021-23632 | GIT Project | OS Command Injection vulnerability in GIT Project GIT All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. | 7.5 |
2022-03-17 | CVE-2021-44908 | Sailsjs | Unspecified vulnerability in Sailsjs Sails SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). | 7.5 |
2022-03-17 | CVE-2022-0749 | Singoo | Deserialization of Untrusted Data vulnerability in Singoo Singoocms.Utility This affects all versions of package SinGooCMS.Utility. | 7.5 |
2022-03-17 | CVE-2022-25296 | Bodymen Project | Unspecified vulnerability in Bodymen Project Bodymen The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | 7.5 |
2022-03-17 | CVE-2022-25352 | Libnested Project | Unspecified vulnerability in Libnested Project Libnested The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. | 7.5 |
2022-03-17 | CVE-2022-25354 | SET IN Project | Unspecified vulnerability in Set-In Project Set-In The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. | 7.5 |
2022-03-17 | CVE-2022-1000 | Tiny File Manager Project | Path Traversal vulnerability in Tiny File Manager Project Tiny File Manager Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. | 7.5 |
2022-03-17 | CVE-2022-25514 | Nothings | Out-of-bounds Write vulnerability in Nothings STB Truetype.H 1.26 stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttUSHORT() at stb_truetype.h. | 7.5 |
2022-03-16 | CVE-2022-26293 | Online Project Time Management System Project | SQL Injection vulnerability in Online Project Time Management System Project Online Project Time Management System 1.0 Online Project Time Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the function save_employee at /ptms/classes/Users.php. | 7.5 |
2022-03-16 | CVE-2022-24729 | Ckeditor Drupal Oracle Fedoraproject | CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. | 7.5 |
2022-03-16 | CVE-2021-20299 | Openexr Debian | NULL Pointer Dereference vulnerability in multiple products A flaw was found in OpenEXR's Multipart input file functionality. | 7.5 |
2022-03-16 | CVE-2021-23158 | Htmldoc Project | Double Free vulnerability in Htmldoc Project Htmldoc 1.9.12 A flaw was found in htmldoc in v1.9.12. | 7.5 |
2022-03-16 | CVE-2022-0918 | Port389 Redhat | A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. | 7.5 |
2022-03-16 | CVE-2022-0982 | Accel PPP | Out-of-bounds Write vulnerability in Accel-Ppp 1.10.0 The telnet_input_char function in opt/src/accel-pppd/cli/telnet.c suffers from a memory corruption vulnerability, whereby user input cmdline_len is copied into a fixed buffer b->buf without any bound checks. | 7.5 |
2022-03-16 | CVE-2022-25251 | PTC | Missing Authentication for Critical Function vulnerability in PTC Axeda Agent and Axeda Desktop Server When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send certain XML messages to a specific port without proper authentication. | 7.5 |
2022-03-16 | CVE-2022-26353 | Qemu Debian | Missing Release of Resource after Effective Lifetime vulnerability in multiple products A flaw was found in the virtio-net device of QEMU. | 7.5 |
2022-03-16 | CVE-2021-45786 | Maccms | Improper Authentication vulnerability in Maccms 10.0 In maccms v10, an attacker can log in through /index.php/user/login in the "col" and "openid" parameters to gain privileges. | 7.5 |
2022-03-16 | CVE-2021-43958 | Atlassian | Improper Restriction of Excessive Authentication Attempts vulnerability in Atlassian Crucible Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability. | 7.5 |
2022-03-15 | CVE-2022-23989 | Stormshield | Unspecified vulnerability in Stormshield Network Security In Stormshield Network Security (SNS) before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x before 4.3.5, a flood of connections to the SSLVPN service might lead to saturation of the loopback interface. | 7.5 |
2022-03-15 | CVE-2021-45848 | Nicotine Plus Fedoraproject | Improper Encoding or Escaping of Output vulnerability in multiple products Denial of service (DoS) vulnerability in Nicotine+ 3.0.3 and later allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character. | 7.5 |
2022-03-15 | CVE-2022-25487 | Thedigitalcraft | Unrestricted Upload of File with Dangerous Type vulnerability in Thedigitalcraft Atomcms 2.0 Atom CMS v2.0 was discovered to contain a remote code execution (RCE) vulnerability via /admin/uploads.php. | 7.5 |
2022-03-15 | CVE-2022-25488 | Thedigitalcraft | SQL Injection vulnerability in Thedigitalcraft Atomcms 2.0 Atom CMS v2.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/ajax/avatar.php. | 7.5 |
2022-03-15 | CVE-2022-25490 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in department.php. | 7.5 |
2022-03-15 | CVE-2022-25491 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 HMS v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in appointment.php. | 7.5 |
2022-03-15 | CVE-2022-25492 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 HMS v1.0 was discovered to contain a SQL injection vulnerability via the medicineid parameter in ajaxmedicine.php. | 7.5 |
2022-03-15 | CVE-2022-25494 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via staff_login.php. | 7.5 |
2022-03-15 | CVE-2022-25495 | Cuppacms | Unrestricted Upload of File with Dangerous Type vulnerability in Cuppacms 1.0 The component /jquery_file_upload/server/php/index.php of CuppaCMS v1.0 allows attackers to upload arbitrary files and execute arbitrary code via a crafted PHP file. | 7.5 |
2022-03-15 | CVE-2022-0778 | Openssl Debian Netapp Fedoraproject Tenable Mariadb Nodejs | Infinite Loop vulnerability in multiple products The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. | 7.5 |
2022-03-15 | CVE-2022-24752 | Sylius | SQL Injection vulnerability in Sylius Syliusgridbundle 1.11.0 SyliusGridBundle is a package of generic data grids for Symfony applications. | 7.5 |
2022-03-14 | CVE-2021-25007 | Molie Instructure Canvas Linking Tool Project | SQL Injection vulnerability in Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection | 7.5 |
2022-03-14 | CVE-2022-0169 | 10Web | SQL Injection vulnerability in 10Web Photo Gallery The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection | 7.5 |
2022-03-14 | CVE-2022-0254 | Highfivery | SQL Injection vulnerability in Highfivery Zero-Spam The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection | 7.5 |
2022-03-14 | CVE-2022-0658 | Wielebenwir | SQL Injection vulnerability in Wielebenwir Commonsbooking The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection | 7.5 |
2022-03-14 | CVE-2022-22719 | Apache Debian Fedoraproject Oracle Apple | Improper Initialization vulnerability in multiple products A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. | 7.5 |
2022-03-18 | CVE-2022-22596 | Apple | Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS A memory corruption issue was addressed with improved validation. | 7.2 |
2022-03-18 | CVE-2022-22669 | Apple | Use After Free vulnerability in Apple Macos 12.0.0/12.0.1 A use after free issue was addressed with improved memory management. | 7.2 |
2022-03-18 | CVE-2022-24655 | Netgear | Out-of-bounds Write vulnerability in Netgear products A stack overflow vulnerability exists in the upnpd service in Netgear EX6100v1 201.0.2.28, CAX80 2.1.2.6, and DC112A 1.0.0.62, which may lead to the execution of arbitrary code without authentication. | 7.2 |
2022-03-17 | CVE-2022-0237 | Rapid7 | Unquoted Search Path or Element vulnerability in Rapid7 Insight Agent Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. | 7.2 |
2022-03-17 | CVE-2022-25949 | Kingsoft | Out-of-bounds Write vulnerability in Kingsoft Internet Security 9 Plus 2010.06.23.247 The kernel mode driver kwatch3 of KINGSOFT Internet Security 9 Plus Version 2010.06.23.247 fails to properly handle crafted inputs, leading to stack-based buffer overflow. | 7.2 |
2022-03-17 | CVE-2022-26503 | Veeam | Deserialization of Untrusted Data vulnerability in Veeam Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges. | 7.2 |
2022-03-16 | CVE-2021-39685 | Out-of-bounds Write vulnerability in Google Android In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. | 7.2 | |
2022-03-16 | CVE-2021-39689 | Insufficient Verification of Data Authenticity vulnerability in Google Android 12.0 In multiple functions of odsign_main.cpp, there is a possible way to persist system attack due to a logic error in the code. | 7.2 | |
2022-03-16 | CVE-2021-39694 | Incorrect Default Permissions vulnerability in Google Android 12.0 In parse of RoleParser.java, there is a possible way for default apps to get permissions explicitly denied by the user due to a permissions bypass. | 7.2 | |
2022-03-16 | CVE-2021-39695 | Improper Preservation of Permissions vulnerability in Google Android 11.0 In createOrUpdate of BasePermission.java, there is a possible permission bypass due to a logic error in the code. | 7.2 | |
2022-03-16 | CVE-2021-39697 | Missing Authorization vulnerability in Google Android 11.0/12.0 In checkFileUriDestination of DownloadProvider.java, there is a possible way to bypass external storage private directories protection due to a missing permission check. | 7.2 | |
2022-03-16 | CVE-2021-39698 | Use After Free vulnerability in Google Android In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. | 7.2 | |
2022-03-16 | CVE-2021-39703 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 12.0 In updateState of UsbDeviceManager.java, there is a possible unauthorized access of files due to a confused deputy. | 7.2 | |
2022-03-16 | CVE-2021-39707 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 10.0/11.0/12.0 In onReceive of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. | 7.2 | |
2022-03-16 | CVE-2021-39709 | Unspecified vulnerability in Google Android 12.0 In sendSipAccountsRemovedNotification of SipAccountRegistry.java, there is a possible permission bypass due to an unsafe PendingIntent. | 7.2 | |
2022-03-16 | CVE-2021-39793 | Out-of-bounds Write vulnerability in Google Android In kbase_jd_user_buf_pin_pages of mali_kbase_mem.c, there is a possible out of bounds write due to a logic error in the code. | 7.2 | |
2022-03-18 | CVE-2022-22625 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read was addressed with improved input validation. | 7.1 |
2022-03-18 | CVE-2022-22626 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read was addressed with improved bounds checking. | 7.1 |
2022-03-18 | CVE-2022-22627 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read was addressed with improved bounds checking. | 7.1 |
2022-03-16 | CVE-2021-39713 | Google Debian | Race Condition vulnerability in multiple products Product: AndroidVersions: Android kernelAndroid ID: A-173788806References: Upstream kernel | 7.0 |
251 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-16 | CVE-2021-39686 | Race Condition vulnerability in Google Android In several functions of binder.c, there is a possible way to represent the wrong domain to SELinux due to a race condition. | 6.9 | |
2022-03-20 | CVE-2020-26007 | Shopxo | Unrestricted Upload of File with Dangerous Type vulnerability in Shopxo 1.9.0 An arbitrary file upload vulnerability in the upload payment plugin of ShopXO v1.9.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. | 6.8 |
2022-03-20 | CVE-2020-26008 | Shopxo | Unrestricted Upload of File with Dangerous Type vulnerability in Shopxo 1.9.0 The PluginsUpload function in application/service/PluginsAdminService.php of ShopXO v1.9.0 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via uploading a crafted PHP file. | 6.8 |
2022-03-18 | CVE-2022-25581 | Classcms | Unrestricted Upload of File with Dangerous Type vulnerability in Classcms Classcms v2.5 and below contains an arbitrary file upload via the component \class\classupload. | 6.8 |
2022-03-18 | CVE-2021-30771 | Apple | Out-of-bounds Write vulnerability in Apple products An out-of-bounds write was addressed with improved input validation. | 6.8 |
2022-03-18 | CVE-2022-22584 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved validation. | 6.8 |
2022-03-18 | CVE-2022-22590 | Apple | Use After Free vulnerability in Apple products A use after free issue was addressed with improved memory management. | 6.8 |
2022-03-18 | CVE-2022-22597 | Apple | Out-of-bounds Write vulnerability in Apple mac OS X A memory corruption issue was addressed with improved validation. | 6.8 |
2022-03-18 | CVE-2022-22601 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22602 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22603 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22604 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22605 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22606 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22607 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22608 | Apple | Out-of-bounds Read vulnerability in Apple Xcode An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22611 | Apple | Out-of-bounds Read vulnerability in Apple products An out-of-bounds read was addressed with improved input validation. | 6.8 |
2022-03-18 | CVE-2022-22657 | Apple | Improper Initialization vulnerability in Apple Garageband and Logic PRO X A memory initialization issue was addressed with improved memory handling. | 6.8 |
2022-03-18 | CVE-2022-22664 | Apple | Out-of-bounds Read vulnerability in Apple Garageband and Logic PRO X An out-of-bounds read was addressed with improved bounds checking. | 6.8 |
2022-03-18 | CVE-2022-22666 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved validation. | 6.8 |
2022-03-18 | CVE-2022-27243 | Misp | Unspecified vulnerability in Misp An issue was discovered in MISP before 2.4.156. | 6.8 |
2022-03-18 | CVE-2022-27245 | Misp | Server-Side Request Forgery (SSRF) vulnerability in Misp An issue was discovered in MISP before 2.4.156. | 6.8 |
2022-03-17 | CVE-2022-24770 | Gradio Project | Improper Neutralization of Formula Elements in a CSV File vulnerability in Gradio Project Gradio `gradio` is an open source framework for building interactive machine learning models and demos. | 6.8 |
2022-03-17 | CVE-2022-25969 | Kingsoft | Uncontrolled Search Path Element vulnerability in Kingsoft WPS Office 10.8.0.6186 The installer of WPS Office Version 10.8.0.6186 insecurely load VERSION.DLL (or some other DLLs), allowing an attacker to execute arbitrary code with the privilege of the user invoking the installer. | 6.8 |
2022-03-17 | CVE-2022-26081 | Kingsoft | Uncontrolled Search Path Element vulnerability in Kingsoft WPS Office 10.8.0.5745 The installer of WPS Office Version 10.8.0.5745 insecurely load shcore.dll, allowing an attacker to execute arbitrary code with the privilege of the user invoking the installer. | 6.8 |
2022-03-17 | CVE-2022-26511 | Kingsoft | Uncontrolled Search Path Element vulnerability in Kingsoft WPS Presentation 11.8.0.5745 WPS Presentation 11.8.0.5745 insecurely load d3dx9_41.dll when opening .pps files('current directory type' DLL loading). | 6.8 |
2022-03-16 | CVE-2021-41987 | Mikrotik | Out-of-bounds Write vulnerability in Mikrotik Routeros 6.46.8/6.47.10/6.47.9 In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution. | 6.8 |
2022-03-16 | CVE-2021-42720 | Adobe | Out-of-bounds Read vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. | 6.8 |
2022-03-16 | CVE-2021-42728 | Adobe | Classic Buffer Overflow vulnerability in Adobe Bridge Adobe Bridge 11.1.1 (and earlier) is affected by a stack overflow vulnerability due to insecure handling of a crafted file, potentially resulting in arbitrary code execution in the context of the current user. | 6.8 |
2022-03-15 | CVE-2022-25485 | Cuppacms | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Cuppacms 1.0 CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php. | 6.8 |
2022-03-15 | CVE-2022-24755 | Bareos | Incorrect Authorization vulnerability in Bareos Bareos is open source software for backup, archiving, and recovery of data for operating systems. | 6.8 |
2022-03-14 | CVE-2022-22346 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Spectrum Protect Operations Center IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.13.xxx is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 6.8 |
2022-03-14 | CVE-2022-24575 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.0.1 GPAC 1.0.1 is affected by a stack-based buffer overflow through MP4Box. | 6.8 |
2022-03-20 | CVE-2021-42194 | Eyoucms | XXE vulnerability in Eyoucms 1.5.4 The wechat_return function in /controller/Index.php of EyouCms V1.5.4-UTF8-SP3 passes the user's input directly into the simplexml_ load_ String function, which itself does not prohibit external entities, triggering a XML external entity (XXE) injection vulnerability. | 6.5 |
2022-03-18 | CVE-2022-26266 | Piwigo | SQL Injection vulnerability in Piwigo 12.2.0 Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php. | 6.5 |
2022-03-18 | CVE-2022-22638 | Apple | NULL Pointer Dereference vulnerability in Apple products A null pointer dereference was addressed with improved validation. | 6.5 |
2022-03-18 | CVE-2022-25602 | Expresstech | Unrestricted Upload of File with Dangerous Type vulnerability in Expresstech Responsive Menu Nonce token leak vulnerability leading to arbitrary file upload, theme deletion, plugin settings change discovered in Responsive Menu WordPress plugin (versions <= 4.1.7). | 6.5 |
2022-03-18 | CVE-2022-25607 | Foliovision | SQL Injection vulnerability in Foliovision FV Flowplayer Video Player Authenticated (author or higher user role) SQL Injection (SQLi) vulnerability discovered in FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727). | 6.5 |
2022-03-18 | CVE-2022-26965 | Pluck CMS | Unrestricted Upload of File with Dangerous Type vulnerability in Pluck-Cms Pluck 4.7.16 In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution. | 6.5 |
2022-03-17 | CVE-2022-0757 | Rapid7 | SQL Injection vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. | 6.5 |
2022-03-17 | CVE-2021-45791 | Slims | SQL Injection vulnerability in Slims Senayan Library Management System 8.3.1 Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. | 6.5 |
2022-03-17 | CVE-2022-25515 | Nothings | Out-of-bounds Write vulnerability in Nothings STB Truetype.H 1.26 stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function ttULONG() at stb_truetype.h. | 6.5 |
2022-03-17 | CVE-2022-25516 | Nothings | Out-of-bounds Write vulnerability in Nothings STB Truetype.H 1.26 stb_truetype.h v1.26 was discovered to contain a heap-buffer-overflow via the function stbtt__find_table at stb_truetype.h. | 6.5 |
2022-03-16 | CVE-2021-20257 | Qemu Fedoraproject Redhat Debian | Infinite Loop vulnerability in multiple products An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. | 6.5 |
2022-03-16 | CVE-2021-45821 | Btiteam | SQL Injection vulnerability in Btiteam Xbtit 3.1 A blind SQL injection vulnerability exists in Xbtit 3.1 via the sid parameter in ajaxchat/getHistoryChatData.php file that is accessible by a registered user. | 6.5 |
2022-03-16 | CVE-2022-0959 | Postgresql | Unrestricted Upload of File with Dangerous Type vulnerability in Postgresql Pgadmin 4 A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. | 6.5 |
2022-03-15 | CVE-2022-27201 | Jenkins | Unspecified vulnerability in Jenkins Semantic Versioning Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | 6.5 |
2022-03-15 | CVE-2022-27203 | Jenkins | Path Traversal vulnerability in Jenkins Extended Choice Parameter 346.Vd87693C5A86C Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller. | 6.5 |
2022-03-15 | CVE-2022-27206 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Gitlab Authentication Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-03-15 | CVE-2022-27208 | Jenkins | Path Traversal vulnerability in Jenkins Kubernetes Continuous Deploy Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller. | 6.5 |
2022-03-15 | CVE-2022-27209 | Jenkins | Missing Authorization vulnerability in Jenkins Kubernetes Continuous Deploy A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 6.5 |
2022-03-15 | CVE-2022-27210 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Kubernetes Continuous Deploy A cross-site request forgery (CSRF) vulnerability in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-03-15 | CVE-2022-27211 | Jenkins | Missing Authorization vulnerability in Jenkins Kubernetes Continuous Deploy A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-03-15 | CVE-2022-27216 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Dbcharts 0.4/0.5.2 Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-03-15 | CVE-2022-27217 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins VMWare Vrealize Codestream Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | 6.5 |
2022-03-15 | CVE-2021-45010 | Tiny File Manager Project | Path Traversal vulnerability in Tiny File Manager Project Tiny File Manager A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution. | 6.5 |
2022-03-15 | CVE-2022-0944 | Sqlpad | Code Injection vulnerability in Sqlpad Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1. | 6.5 |
2022-03-14 | CVE-2022-24762 | Sysend JS Project | Origin Validation Error vulnerability in Sysend.Js Project Sysend.Js sysend.js is a library that allows a user to send messages between pages that are open in the same browser. | 6.5 |
2022-03-14 | CVE-2021-24959 | Techspawn | SQL Injection vulnerability in Techspawn Wp-Email-Users The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks. | 6.5 |
2022-03-14 | CVE-2021-42171 | Tribalsystems | Unrestricted Upload of File with Dangerous Type vulnerability in Tribalsystems Zenario 9.0.54156 Zenario CMS 9.0.54156 is vulnerable to File Upload. | 6.5 |
2022-03-14 | CVE-2022-0478 | Mage People | SQL Injection vulnerability in Mage-People Event Manager and Tickets Selling for Woocommerce The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks | 6.5 |
2022-03-14 | CVE-2022-22735 | Sedlex | SQL Injection vulnerability in Sedlex Simple Quotation The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks | 6.5 |
2022-03-14 | CVE-2022-24387 | Smartertools | Unrestricted Upload of File with Dangerous Type vulnerability in Smartertools Smartertrack With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g. | 6.5 |
2022-03-19 | CVE-2022-0991 | Admidio | Insufficient Session Expiration vulnerability in Admidio Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9. | 6.4 |
2022-03-17 | CVE-2021-23771 | Argencoders Notevil Project Notevil Project | This affects all versions of package notevil; all versions of package argencoders-notevil. | 6.4 |
2022-03-16 | CVE-2021-39712 | Race Condition vulnerability in Google Android In TBD of TBD, there is a possible user after free vulnerability due to a race condition. | 6.4 | |
2022-03-14 | CVE-2022-24743 | Sylius | Insufficient Session Expiration vulnerability in Sylius Sylius is an open source eCommerce platform. | 6.4 |
2022-03-14 | CVE-2022-26320 | Rambus Fujifilm Canon | Use of Insufficiently Random Values vulnerability in multiple products The Rambus SafeZone Basic Crypto Module before 10.4.0, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01, Canon imagePROGRAF and imageRUNNER devices through 2022-03-14, and potentially many other devices, generates RSA keys that can be broken with Fermat's factorization method. | 6.4 |
2022-03-14 | CVE-2021-39051 | IBM | Server-Side Request Forgery (SSRF) vulnerability in IBM Spectrum Copy Data Management IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to server-side request forgery, caused by improper input of application server registration function. | 6.4 |
2022-03-14 | CVE-2022-0593 | Idehweb | External Control of File Name or Path vulnerability in Idehweb Login With Phone Number The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation. | 6.4 |
2022-03-18 | CVE-2022-22589 | Apple | Unspecified vulnerability in Apple products A validation issue was addressed with improved input sanitization. | 6.1 |
2022-03-18 | CVE-2022-22652 | Apple | Missing Authentication for Critical Function vulnerability in Apple Iphone OS The GSMA authentication panel could be presented on the lock screen. | 6.1 |
2022-03-16 | CVE-2021-23648 | Paypal Fedoraproject | Cross-site Scripting vulnerability in multiple products The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function. | 6.1 |
2022-03-16 | CVE-2022-21945 | Opensuse | Insecure Temporary File vulnerability in Opensuse Cscreen 1.2/1.3 A Insecure Temporary File vulnerability in cscreen of openSUSE Factory allows local attackers to cause DoS for cscreen and a system DoS for non-default systems. | 6.1 |
2022-03-14 | CVE-2022-22344 | IBM | Injection vulnerability in IBM Spectrum Copy Data Management IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. | 6.1 |
2022-03-14 | CVE-2022-0165 | King Theme | Open Redirect vulnerability in King-Theme Kingcomposer 2.7.6/2.9.4 The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action available to both unauthenticated and authenticated users | 6.1 |
2022-03-14 | CVE-2022-22734 | Sedlex | Improper Encoding or Escaping of Output vulnerability in Sedlex Simple Quotation 1.3.2 The Simple Quotation WordPress plugin through 1.3.2 does not have CSRF check when creating or editing a quote and does not sanitise and escape Quotes. | 6.1 |
2022-03-14 | CVE-2022-24386 | Smartertools | Cross-site Scripting vulnerability in Smartertools Smartertrack Stored XSS in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. | 6.1 |
2022-03-17 | CVE-2021-23556 | Guake Project | Unspecified vulnerability in Guake-Project Guake The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. | 6.0 |
2022-03-14 | CVE-2022-24740 | Plone | Improper Authentication vulnerability in Plone Volto 14.0.0/15.0.0 Volto is a ReactJS-based frontend for the Plone Content Management System. | 6.0 |
2022-03-17 | CVE-2022-24302 | Paramiko Debian Fedoraproject | Race Condition vulnerability in multiple products In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. | 5.9 |
2022-03-17 | CVE-2022-24759 | Chainsafe | Improper Verification of Cryptographic Signature vulnerability in Chainsafe Js-Libp2P-Noise `@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. | 5.8 |
2022-03-17 | CVE-2022-24073 | Navercorp | Unspecified vulnerability in Navercorp Whale The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store. | 5.8 |
2022-03-16 | CVE-2022-24751 | Zulip | Race Condition vulnerability in Zulip Zulip is an open source group chat application. | 5.8 |
2022-03-14 | CVE-2022-24733 | Sylius | Improper Restriction of Rendered UI Layers or Frames vulnerability in Sylius Sylius is an open source eCommerce platform. | 5.8 |
2022-03-18 | CVE-2020-25184 | Schneider Electric Rockwellautomation Xylem | Insufficiently Protected Credentials vulnerability in multiple products Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. | 5.5 |
2022-03-18 | CVE-2022-22583 | Apple | Unspecified vulnerability in Apple mac OS X and Macos A permissions issue was addressed with improved validation. | 5.5 |
2022-03-18 | CVE-2022-22588 | Apple | Improper Input Validation vulnerability in Apple Iphone OS A resource exhaustion issue was addressed with improved input validation. | 5.5 |
2022-03-18 | CVE-2022-22648 | Apple | Unspecified vulnerability in Apple mac OS X and Macos This issue was addressed with improved checks. | 5.5 |
2022-03-18 | CVE-2022-22650 | Apple | Improper Preservation of Permissions vulnerability in Apple mac OS X and Macos This issue was addressed with improved checks. | 5.5 |
2022-03-18 | CVE-2022-22660 | Apple | Unspecified vulnerability in Apple Macos This issue was addressed with a new entitlement. | 5.5 |
2022-03-18 | CVE-2021-45868 | Linux Netapp | Use After Free vulnerability in multiple products In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). | 5.5 |
2022-03-16 | CVE-2021-39624 | Unspecified vulnerability in Google Android In PackageManager, there is a possible permanent denial of service due to resource exhaustion. | 5.5 | |
2022-03-16 | CVE-2021-39690 | Improper Validation of Specified Quantity in Input vulnerability in Google Android 12.0 In setDisplayPadding of WallpaperManagerService.java, there is a possible way to cause a persistent DoS due to improper input validation. | 5.5 | |
2022-03-15 | CVE-2022-27195 | Jenkins | Unspecified vulnerability in Jenkins Parameterized Trigger Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their `build.xml` files. | 5.5 |
2022-03-15 | CVE-2022-24721 | Cometd | Incorrect Authorization vulnerability in Cometd CometD is a scalable comet implementation for web messaging. | 5.5 |
2022-03-15 | CVE-2022-27193 | Cvrf Csaf Converter Project | XXE vulnerability in Cvrf-Csaf-Converter Project Cvrf-Csaf-Converter 1.0.0 CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). | 5.5 |
2022-03-14 | CVE-2022-24742 | Sylius | Exposure of Resource to Wrong Sphere vulnerability in Sylius Sylius is an open source eCommerce platform. | 5.5 |
2022-03-14 | CVE-2022-24574 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.0.1 GPAC 1.0.1 is affected by a NULL pointer dereference in gf_dump_vrml_field.isra (). | 5.5 |
2022-03-18 | CVE-2021-44760 | WP Downloadmanager Project | Cross-site Scripting vulnerability in Wp-Downloadmanager Project Wp-Downloadmanager Auth. | 5.4 |
2022-03-18 | CVE-2022-25604 | Price Table Project | Cross-site Scripting vulnerability in Price Table Project Price Table 0.2.2 Authenticated (contributor of higher user role) Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Price Table plugin (versions <= 0.2.2). | 5.4 |
2022-03-16 | CVE-2022-24728 | Ckeditor Drupal Oracle Fedoraproject | Cross-site Scripting vulnerability in multiple products CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. | 5.4 |
2022-03-15 | CVE-2022-27196 | Jenkins | Cross-site Scripting vulnerability in Jenkins Favorite Jenkins Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions. | 5.4 |
2022-03-15 | CVE-2022-27197 | Jenkins | Cross-site Scripting vulnerability in Jenkins Dashboard View Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views. | 5.4 |
2022-03-15 | CVE-2022-27202 | Jenkins | Cross-site Scripting vulnerability in Jenkins Extended Choice Parameter 346.Vd87693C5A86C Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the value and description of extended choice parameters of radio buttons or check boxes type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-03-15 | CVE-2022-27212 | Jenkins | Cross-site Scripting vulnerability in Jenkins List GIT Branches Parameter Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name of the 'List Git branches (and more)' parameter, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-03-15 | CVE-2022-27213 | Jenkins | Cross-site Scripting vulnerability in Jenkins Environment Dashboard Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. | 5.4 |
2022-03-15 | CVE-2022-0950 | Showdoc | Unrestricted Upload of File with Dangerous Type vulnerability in Showdoc Unrestricted Upload of File with Dangerous Type in GitHub repository star7th/showdoc prior to 2.10.4. | 5.4 |
2022-03-18 | CVE-2020-25193 | GE | Use of Hard-coded Credentials vulnerability in GE Rt430 Firmware, Rt431 Firmware and Rt434 Firmware By having access to the hard-coded cryptographic key for GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06, attackers would be able to intercept and decrypt encrypted traffic through an HTTPS connection. | 5.3 |
2022-03-16 | CVE-2022-21946 | Opensuse | Incorrect Permission Assignment for Critical Resource vulnerability in Opensuse Cscreen 1.2/1.3 A Incorrect Permission Assignment for Critical Resource vulnerability in the sudoers configuration in cscreen of openSUSE Factory allows any local users to gain the privileges of the tty and dialout groups and access and manipulate any running cscreen seesion. | 5.3 |
2022-03-16 | CVE-2022-23610 | Wire | Improper Verification of Cryptographic Signature vulnerability in Wire Wire-Server wire-server provides back end services for Wire, an open source messenger. | 5.1 |
2022-03-20 | CVE-2022-25462 | Yafu Project | Unspecified vulnerability in Yafu Project Yafu Yafu v2.0 contains a segmentation fault via the component /factor/avx-ecm/vecarith52.c. | 5.0 |
2022-03-18 | CVE-2022-25389 | Dcnglobal | Unspecified vulnerability in Dcnglobal Dcme-520 Firmware DCN Firewall DCME-520 was discovered to contain an arbitrary file download vulnerability via the path parameter in the file /audit/log/log_management.php. | 5.0 |
2022-03-18 | CVE-2021-4031 | Syltek | Insufficient Verification of Data Authenticity vulnerability in Syltek Syltek application before its 10.22.00 version, does not correctly check that a product ID has a valid payment associated to it. | 5.0 |
2022-03-18 | CVE-2022-22585 | Apple | Link Following vulnerability in Apple products An issue existed within the path validation logic for symlinks. | 5.0 |
2022-03-18 | CVE-2022-22609 | Apple | Unspecified vulnerability in Apple products The issue was addressed with additional permissions checks. | 5.0 |
2022-03-18 | CVE-2022-24771 | Digitalbazaar | Improper Verification of Cryptographic Signature vulnerability in Digitalbazaar Forge Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. | 5.0 |
2022-03-18 | CVE-2022-24772 | Digitalbazaar | Improper Verification of Cryptographic Signature vulnerability in Digitalbazaar Forge Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. | 5.0 |
2022-03-18 | CVE-2022-24773 | Digitalbazaar | Improper Verification of Cryptographic Signature vulnerability in Digitalbazaar Forge Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. | 5.0 |
2022-03-18 | CVE-2021-45968 | Jivesoftware Pascom | Server-Side Request Forgery (SSRF) vulnerability in multiple products An issue was discovered in xmppserver jar in the XMPP Server component of the JIve platform, as used in Pascom Cloud Phone System before 7.20.x (and in other products). | 5.0 |
2022-03-17 | CVE-2021-46107 | Ligeo Archives | Server-Side Request Forgery (SSRF) vulnerability in Ligeo-Archives Ligeo Basics 02012022 Ligeo Archives Ligeo Basics as of 02_01-2022 is vulnerable to Server Side Request Forgery (SSRF) which allows an attacker to read any documents via the download features. | 5.0 |
2022-03-17 | CVE-2021-44260 | Wavlink | Missing Authentication for Critical Function vulnerability in Wavlink Wl-Wn531G3 Firmware A42W1.27.620180418 A vulnerability is in the 'live_mfg.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. | 5.0 |
2022-03-17 | CVE-2021-44261 | Netgear | Missing Authentication for Critical Function vulnerability in Netgear products A vulnerability is in the 'BRS_top.html' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication. | 5.0 |
2022-03-17 | CVE-2021-44262 | Netgear | Missing Authentication for Critical Function vulnerability in Netgear products A vulnerability is in the 'MNU_top.htm' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication. | 5.0 |
2022-03-17 | CVE-2022-24761 | Agendaless Debian | HTTP Request Smuggling vulnerability in multiple products Waitress is a Web Server Gateway Interface server for Python 2 and 3. | 5.0 |
2022-03-17 | CVE-2021-45793 | Slims | SQL Injection vulnerability in Slims Senayan Library Management System 9.4.2 Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. | 5.0 |
2022-03-17 | CVE-2021-45794 | Slims | SQL Injection vulnerability in Slims Senayan Library Management System 9.4.2 Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. | 5.0 |
2022-03-17 | CVE-2022-21221 | Fasthttp Project | Path Traversal vulnerability in Fasthttp Project Fasthttp The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. | 5.0 |
2022-03-17 | CVE-2021-42219 | Ethereum | Unspecified vulnerability in Ethereum GO Ethereum 1.10.9 Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. | 5.0 |
2022-03-17 | CVE-2022-26300 | Eosio Project | Out-of-bounds Write vulnerability in Eosio Project EOS 2.1.0 EOS v2.1.0 was discovered to contain a heap-buffer-overflow via the function txn_test_gen_plugin. | 5.0 |
2022-03-17 | CVE-2022-26534 | Fisco Bcos | Unspecified vulnerability in Fisco-Bcos 3.0.0 FISCO-BCOS release-3.0.0-rc2 was discovered to contain an issue where a malicious node, via a malicious viewchange packet, will cause normal nodes to change view excessively and stop generating blocks. | 5.0 |
2022-03-16 | CVE-2022-21164 | Node Lmdb Project | Unspecified vulnerability in Node-Lmdb Project Node-Lmdb The package node-lmdb before 0.9.7 are vulnerable to Denial of Service (DoS) when defining a non-invokable ToString value, which will cause a crash during type check. | 5.0 |
2022-03-16 | CVE-2021-39716 | Unspecified vulnerability in Google Android Product: AndroidVersions: Android kernelAndroid ID: A-206977562References: N/A | 5.0 | |
2022-03-16 | CVE-2021-39726 | Out-of-bounds Read vulnerability in Google Android In cd_ParseMsg of cd_codec.c, there is a possible out of bounds read due to an incorrect bounds check. | 5.0 | |
2022-03-16 | CVE-2022-25248 | PTC | Information Exposure vulnerability in PTC Axeda Agent and Axeda Desktop Server When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) supplies the event log of the specific service. | 5.0 |
2022-03-16 | CVE-2022-25249 | PTC | Path Traversal vulnerability in PTC Axeda Agent and Axeda Desktop Server When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) (disregarding Axeda agent v6.9.2 and v6.9.3) is vulnerable to directory traversal, which could allow a remote unauthenticated attacker to obtain file system read access via web server.. | 5.0 |
2022-03-16 | CVE-2022-25250 | PTC | Missing Authentication for Critical Function vulnerability in PTC Axeda Agent and Axeda Desktop Server When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) may allow an attacker to send a certain command to a specific port without authentication. | 5.0 |
2022-03-16 | CVE-2022-25252 | PTC | Improper Check for Unusual or Exceptional Conditions vulnerability in PTC Axeda Agent and Axeda Desktop Server When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) when receiving certain input throws an exception. | 5.0 |
2022-03-16 | CVE-2022-26660 | Robotronic | Use of Hard-coded Credentials vulnerability in Robotronic Runasspc 4.0.0.0 RunAsSpc 4.0 uses a universal and recoverable encryption key. | 5.0 |
2022-03-16 | CVE-2021-45851 | Frangoteam | Server-Side Request Forgery (SSRF) vulnerability in Frangoteam Fuxa 1.1.3 A Server-Side Request Forgery (SSRF) attack in FUXA 1.1.3 can be carried out leading to the obtaining of sensitive information from the server's internal environment and services, often potentially leading to the attacker executing commands on the server. | 5.0 |
2022-03-16 | CVE-2021-45852 | Projectworlds | Always-Incorrect Control Flow Implementation vulnerability in Projectworlds Hospital Management System in PHP 1.0 An issue was discovered in Projectworlds Hospital Management System v1.0. | 5.0 |
2022-03-16 | CVE-2021-43957 | Atlassian | Authorization Bypass Through User-Controlled Key vulnerability in Atlassian Crucible Affected versions of Atlassian Fisheye & Crucible allowed remote attackers to browse local files via an Insecure Direct Object References (IDOR) vulnerability in the WEB-INF directory and bypass the fix for CVE-2020-29446 due to a lack of url decoding. | 5.0 |
2022-03-15 | CVE-2021-29134 | Gitea | Path Traversal vulnerability in Gitea The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL. | 5.0 |
2022-03-15 | CVE-2022-25497 | Cuppacms | Files or Directories Accessible to External Parties vulnerability in Cuppacms 1.0 CuppaCMS v1.0 was discovered to contain an arbitrary file read via the copy function. | 5.0 |
2022-03-15 | CVE-2022-0430 | Httpie | Unspecified vulnerability in Httpie Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0. | 5.0 |
2022-03-14 | CVE-2021-42391 | Yandex | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's Gorilla compression codec when parsing a malicious query. | 5.0 |
2022-03-14 | CVE-2022-22354 | IBM | Unspecified vulnerability in IBM products IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.2 and IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 do not limit the length of a connection which could allow for a Slowloris HTTP denial of service attack to take place. | 5.0 |
2022-03-18 | CVE-2021-23150 | Ampforwp | Cross-site Scripting vulnerability in Ampforwp Accelerated Mobile Pages Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability discovered in AMP for WP – Accelerated Mobile Pages plugin <= 1.0.77.31 versions. | 4.8 |
2022-03-18 | CVE-2021-23209 | Ampforwp | Cross-site Scripting vulnerability in Ampforwp Accelerated Mobile Pages Multiple Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) vulnerabilities discovered in AMP for WP – Accelerated Mobile Pages WordPress plugin (versions <= 1.0.77.32). | 4.8 |
2022-03-15 | CVE-2022-27200 | Jenkins | Cross-site Scripting vulnerability in Jenkins Folder-Based Authorization Strategy Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. | 4.8 |
2022-03-15 | CVE-2022-27207 | Jenkins | Cross-site Scripting vulnerability in Jenkins Global-Build-Stats Jenkins global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. | 4.8 |
2022-03-18 | CVE-2020-25182 | Schneider Electric Rockwellautomation Xylem | Uncontrolled Search Path Element vulnerability in multiple products Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x searches for and loads DLLs as dynamic libraries. | 4.6 |
2022-03-18 | CVE-2022-22621 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 4.6 |
2022-03-18 | CVE-2022-22622 | Apple | Unspecified vulnerability in Apple Iphone OS This issue was addressed with improved checks. | 4.6 |
2022-03-18 | CVE-2022-22647 | Apple | Unspecified vulnerability in Apple mac OS X and Macos This issue was addressed with improved checks. | 4.6 |
2022-03-16 | CVE-2021-39704 | Improper Preservation of Permissions vulnerability in Google Android 10.0/11.0/12.0 In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run foreground service without user notification due to a permissions bypass. | 4.6 | |
2022-03-16 | CVE-2021-39718 | Out-of-bounds Write vulnerability in Google Android In ProtocolStkProactiveCommandAdapter::Init of protocolstkadapter.cpp, there is a possible out of bounds write due to an incorrect bounds check. | 4.6 | |
2022-03-16 | CVE-2021-39719 | Integer Overflow or Wraparound vulnerability in Google Android In lwis_top_register_io of lwis_device_top.c, there is a possible out of bounds write due to an integer overflow. | 4.6 | |
2022-03-16 | CVE-2021-39721 | Out-of-bounds Write vulnerability in Google Android In TBD of TBD, there is a possible out of bounds write due to memory corruption. | 4.6 | |
2022-03-16 | CVE-2021-39725 | Double Free vulnerability in Google Android In gasket_free_coherent_memory_all of gasket_page_table.c, there is a possible memory corruption due to a double free. | 4.6 | |
2022-03-16 | CVE-2021-39729 | Out-of-bounds Write vulnerability in Google Android In the TitanM chip, there is a possible out of bounds write due to a missing bounds check. | 4.6 | |
2022-03-16 | CVE-2021-39731 | Out-of-bounds Write vulnerability in Google Android In ProtocolStkProactiveCommandAdapter::Init of protocolstkadapter.cpp, there is a possible out of bounds write due to an incorrect bounds check. | 4.6 | |
2022-03-16 | CVE-2021-39732 | Integer Overflow or Wraparound vulnerability in Google Android In copy_io_entries of lwis_ioctl.c, there is a possible out of bounds write due to an integer overflow. | 4.6 | |
2022-03-16 | CVE-2021-39733 | Out-of-bounds Write vulnerability in Google Android In amcs_cdev_unlocked_ioctl of audiometrics.c, there is a possible out of bounds write due to improper input validation. | 4.6 | |
2022-03-16 | CVE-2021-39734 | Missing Authorization vulnerability in Google Android In sendMessage of OneToOneChatImpl.java (? TBD), there is a possible way to send an RCS message without permissions due to a missing permission check. | 4.6 | |
2022-03-16 | CVE-2021-39736 | Integer Overflow or Wraparound vulnerability in Google Android In prepare_io_entry and prepare_response of lwis_ioctl.c and lwis_periodic_io.c, there is a possible out of bounds write due to an integer overflow. | 4.6 | |
2022-03-15 | CVE-2022-26779 | Apache | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cloudstack Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. | 4.6 |
2022-03-16 | CVE-2021-39715 | Information Exposure Through Log Files vulnerability in Google Android In __show_regs of process.c, there is a possible leak of kernel memory and addresses due to log information disclosure. | 4.4 | |
2022-03-16 | CVE-2021-39735 | Race Condition vulnerability in Google Android In gasket_alloc_coherent_memory of gasket_page_table.c, there is a possible memory corruption due to a race condition. | 4.4 | |
2022-03-16 | CVE-2021-42722 | Adobe | Out-of-bounds Read vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. | 4.4 |
2022-03-16 | CVE-2021-46705 | GNU | Insecure Temporary File vulnerability in GNU Grub2 A Insecure Temporary File vulnerability in grub-once of grub2 in SUSE Linux Enterprise Server 15 SP4, openSUSE Factory allows local attackers to truncate arbitrary files. | 4.4 |
2022-03-20 | CVE-2022-26246 | TMS Project | Cross-site Scripting vulnerability in TMS Project TMS 2.28.0 TMS v2.28.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /TMS/admin/setting/mail/createorupdate. | 4.3 |
2022-03-20 | CVE-2022-26247 | Teamwork Management System Project | Incorrect Permission Assignment for Critical Resource vulnerability in Teamwork Management System Project Teamwork Management System 2.28.0 TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. | 4.3 |
2022-03-18 | CVE-2020-25180 | Schneider Electric Rockwellautomation Xylem | Use of Hard-coded Credentials vulnerability in multiple products Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. | 4.3 |
2022-03-18 | CVE-2022-22592 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved state management. | 4.3 |
2022-03-18 | CVE-2022-22594 | Apple | Origin Validation Error vulnerability in Apple products A cross-origin issue in the IndexDB API was addressed with improved input validation. | 4.3 |
2022-03-18 | CVE-2022-22600 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved permissions logic. | 4.3 |
2022-03-18 | CVE-2022-22644 | Apple | Unspecified vulnerability in Apple Macos 12.0.0/12.0.1 A privacy issue existed in the handling of Contact cards. | 4.3 |
2022-03-18 | CVE-2022-22654 | Apple | Unspecified vulnerability in Apple Watchos A user interface issue was addressed. | 4.3 |
2022-03-18 | CVE-2022-22670 | Apple | Unspecified vulnerability in Apple products An access issue was addressed with improved access restrictions. | 4.3 |
2022-03-18 | CVE-2022-27246 | Misp | Cross-site Scripting vulnerability in Misp An issue was discovered in MISP before 2.4.156. | 4.3 |
2022-03-17 | CVE-2022-0758 | Rapid7 | Cross-site Scripting vulnerability in Rapid7 Nexpose Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool. | 4.3 |
2022-03-17 | CVE-2021-43961 | Sonatype | Cross-site Scripting vulnerability in Sonatype Nexus Repository Manager Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection. | 4.3 |
2022-03-17 | CVE-2022-24072 | Navercorp | Unspecified vulnerability in Navercorp Whale The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool. | 4.3 |
2022-03-17 | CVE-2022-24075 | Navercorp | Files or Directories Accessible to External Parties vulnerability in Navercorp Whale Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. | 4.3 |
2022-03-16 | CVE-2021-45822 | Btiteam | Cross-site Scripting vulnerability in Btiteam Xbtit 3.1 A cross-site scripting vulnerability is present in Xbtit 3.1. | 4.3 |
2022-03-16 | CVE-2021-39667 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In ih264d_parse_decode_slice of ih264d_parse_slice.c, there is a possible out of bounds write due to a heap buffer overflow. | 4.3 | |
2022-03-16 | CVE-2021-40737 | Adobe | NULL Pointer Dereference vulnerability in Adobe Audition 13.0.5/13.0.6 Adobe Audition version 14.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40742 | Adobe | NULL Pointer Dereference vulnerability in Adobe Audition 13.0.5/13.0.6 Adobe Audition version 14.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40750 | Adobe | NULL Pointer Dereference vulnerability in Adobe Bridge Adobe Bridge version 11.1.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40762 | Adobe | NULL Pointer Dereference vulnerability in Adobe Character Animator 2.1/3.2/3.3 Adobe Character Animator version 4.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40766 | Adobe | Out-of-bounds Read vulnerability in Adobe Character Animator 2.1/3.2/3.3 Adobe Character Animator version 4.4 (and earlier versions) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. | 4.3 |
2022-03-16 | CVE-2021-40768 | Adobe | NULL Pointer Dereference vulnerability in Adobe Character Animator 2.1/3.2/3.3 Adobe Character Animator version 4.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40778 | Adobe | NULL Pointer Dereference vulnerability in Adobe Media Encoder Adobe Media Encoder 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40781 | Adobe | NULL Pointer Dereference vulnerability in Adobe Media Encoder Adobe Media Encoder 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40782 | Adobe | NULL Pointer Dereference vulnerability in Adobe Media Encoder Adobe Media Encoder 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40785 | Adobe | NULL Pointer Dereference vulnerability in Adobe Premiere Elements Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40788 | Adobe | NULL Pointer Dereference vulnerability in Adobe Premiere Elements Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40789 | Adobe | NULL Pointer Dereference vulnerability in Adobe Premiere Elements Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-40796 | Adobe | NULL Pointer Dereference vulnerability in Adobe Premiere PRO Adobe Premiere Pro 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-42263 | Adobe | NULL Pointer Dereference vulnerability in Adobe Premiere PRO Adobe Premiere Pro 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-42264 | Adobe | NULL Pointer Dereference vulnerability in Adobe Premiere PRO Adobe Premiere Pro 15.4.1 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 4.3 |
2022-03-16 | CVE-2021-42552 | Archivista | Cross-site Scripting vulnerability in Archivista Archivistabox Cross-site Scripting (XSS) vulnerability in ArchivistaBox webclient allows an attacker to craft a malicious link, executing JavaScript in the context of a victim's browser. | 4.3 |
2022-03-16 | CVE-2022-0986 | Hestiacp | Cross-site Scripting vulnerability in Hestiacp Control Panel Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11. | 4.3 |
2022-03-16 | CVE-2021-43955 | Atlassian | Unspecified vulnerability in Atlassian Crucible The /rest-service-fecru/server-v1 resource in Fisheye and Crucible before version 4.8.9 allowed authenticated remote attackers to obtain information about installation directories via information disclosure vulnerability. | 4.3 |
2022-03-16 | CVE-2021-43956 | Atlassian | Unspecified vulnerability in Atlassian Crucible The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability. | 4.3 |
2022-03-16 | CVE-2022-27225 | Gradle | Missing Encryption of Sensitive Data vulnerability in Gradle Enterprise Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. | 4.3 |
2022-03-15 | CVE-2022-25493 | Hospital Management System Project | Cross-site Scripting vulnerability in Hospital Management System Project Hospital Management System 1.0 HMS v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via treatmentrecord.php. | 4.3 |
2022-03-15 | CVE-2022-27199 | Jenkins | Missing Authorization vulnerability in Jenkins Cloudbees AWS Credentials A missing permission check in Jenkins CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. | 4.3 |
2022-03-15 | CVE-2022-27205 | Jenkins | Missing Authorization vulnerability in Jenkins Extended Choice Parameter 346.Vd87693C5A86C A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | 4.3 |
2022-03-15 | CVE-2022-27214 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Release Helper A cross-site request forgery (CSRF) vulnerability in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | 4.3 |
2022-03-15 | CVE-2022-27215 | Jenkins | Missing Authorization vulnerability in Jenkins Release Helper A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | 4.3 |
2022-03-15 | CVE-2022-27218 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Incapptic Connect Uploader Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | 4.3 |
2022-03-15 | CVE-2022-0961 | Microweber | Integer Overflow or Wraparound vulnerability in Microweber The microweber application allows large characters to insert in the input field "post title" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 4.3 |
2022-03-15 | CVE-2022-24756 | Bareos | Memory Leak vulnerability in Bareos Bareos is open source software for backup, archiving, and recovery of data for operating systems. | 4.3 |
2022-03-15 | CVE-2022-0951 | Showdoc | Cross-site Scripting vulnerability in Showdoc File Upload Restriction Bypass leading to Stored XSS Vulnerability in GitHub repository star7th/showdoc prior to 2.10.4. | 4.3 |
2022-03-14 | CVE-2022-24749 | Sylius | Cross-site Scripting vulnerability in Sylius Sylius is an open source eCommerce platform. | 4.3 |
2022-03-14 | CVE-2021-24940 | Woocommerce | Cross-site Scripting vulnerability in Woocommerce Persian-Woocommerce The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue | 4.3 |
2022-03-14 | CVE-2021-24996 | WKI | Cross-site Scripting vulnerability in WKI Idpay for Contact Form 7 The IDPay for Contact Form 7 WordPress plugin through 2.1.2 does not sanitise and escape the idpay_error parameter before outputting it back in the page leading to a Reflected Cross-Site Scripting | 4.3 |
2022-03-14 | CVE-2021-25006 | Molie Instructure Canvas Linking Tool Project | Cross-site Scripting vulnerability in Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool The MOLIE WordPress plugin through 0.5 does not escape the course_id parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-03-14 | CVE-2021-44964 | LUA | Use After Free vulnerability in LUA Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file. | 4.3 |
2022-03-14 | CVE-2022-0147 | Cookieinformation | Cross-site Scripting vulnerability in Cookieinformation Wp-Gdpr-Compliance The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-03-14 | CVE-2022-0161 | ARI Soft | Cross-site Scripting vulnerability in Ari-Soft ARI Fancy Lightbox The ARI Fancy Lightbox WordPress plugin before 1.3.9 does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-03-14 | CVE-2022-0230 | BWP Google XML Sitemaps Project | Cross-site Scripting vulnerability in Bwp-Google-Xml-Sitemaps Project Bwp-Google-Xml-Sitemaps The Better WordPress Google XML Sitemaps WordPress plugin through 1.4.1 does not sanitise and escape its logs when outputting them in the admin dashboard, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins | 4.3 |
2022-03-14 | CVE-2022-0248 | Contact Form Submissions Project | Cross-site Scripting vulnerability in Contact Form Submissions Project Contact Form Submissions The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. | 4.3 |
2022-03-14 | CVE-2022-0321 | Ohiowebtech | Cross-site Scripting vulnerability in Ohiowebtech WP Voting Contest The WP Voting Contest WordPress plugin before 3.0 does not sanitise and escape the post_id parameter before outputting it back in the response via the wpvc_social_share_icons AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-03-14 | CVE-2022-0327 | Jeweltheme | Cross-site Scripting vulnerability in Jeweltheme Master Addons for Elementor The Master Addons for Elementor WordPress plugin before 1.8.5 does not sanitise and escape the error_message parameter before outputting it back in the response of the jltma_restrict_content AJAX action, available to unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-03-14 | CVE-2022-0399 | Berocket | Cross-site Scripting vulnerability in Berocket Advanced Product Labels for Woocommerce The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener AJAX action's response, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-03-14 | CVE-2022-0449 | Odude | Cross-site Scripting vulnerability in Odude Flexi The Flexi WordPress plugin before 4.20 does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-03-14 | CVE-2022-0503 | Obtaininfotech | Cross-site Scripting vulnerability in Obtaininfotech Multisite Content Copier/Updater The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.2 does not sanitise and escape the s parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in the network dashboard | 4.3 |
2022-03-14 | CVE-2022-0601 | Edmonsoft | Cross-site Scripting vulnerability in Edmonsoft Countdown, Coming Soon, Maintenance - Countdown & Clock The Countdown, Coming Soon, Maintenance WordPress plugin before 2.2.9 does not sanitize and escape the post parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 4.3 |
2022-03-14 | CVE-2022-0648 | I13Websolution | Cross-site Scripting vulnerability in I13Websolution Team Circle Image Slider With Lightbox The Team Circle Image Slider With Lightbox WordPress plugin before 1.0.16 does not sanitize and escape the order_pos parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 4.3 |
2022-03-14 | CVE-2022-24576 | Gpac | Use After Free vulnerability in Gpac 1.0.1 GPAC 1.0.1 is affected by Use After Free through MP4Box. | 4.3 |
2022-03-14 | CVE-2022-24384 | Smartertools | Cross-site Scripting vulnerability in Smartertools Smartertrack Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. | 4.3 |
2022-03-18 | CVE-2020-15388 | Broadcom | Unspecified vulnerability in Broadcom Fabric Operating System A vulnerability in the Brocade Fabric OS before Brocade Fabric OS v9.0.1a, v8.2.3, v8.2.0_CBN4, and v7.4.2h could allow an authenticated CLI user to abuse the history command to write arbitrary content to files. | 4.0 |
2022-03-18 | CVE-2021-27789 | Broadcom | Unspecified vulnerability in Broadcom Fabric Operating System The Web application of Brocade Fabric OS before versions Brocade Fabric OS v9.0.1a and v8.2.3a contains debug statements that expose sensitive information to the program's standard output device. | 4.0 |
2022-03-18 | CVE-2022-1003 | Mattermost | Improper Privilege Management vulnerability in Mattermost One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads. | 4.0 |
2022-03-18 | CVE-2022-22659 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A logic issue was addressed with improved state management. | 4.0 |
2022-03-18 | CVE-2021-29899 | IBM | Unspecified vulnerability in IBM Engineering Requirements Quality Assistant On-Premises 3.0 IBM Engineering Requirements Quality Assistant prior to 3.1.3 could allow an authenticated user to cause a denial of service. | 4.0 |
2022-03-18 | CVE-2021-39046 | IBM | Insufficiently Protected Credentials vulnerability in IBM products IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. | 4.0 |
2022-03-16 | CVE-2020-36519 | Mimecast | Unspecified vulnerability in Mimecast Email Security Mimecast Email Security before 2020-01-10 allows any admin to spoof any domain, and pass DMARC alignment via SPF. | 4.0 |
2022-03-15 | CVE-2020-4989 | IBM | Exposure of Resource to Wrong Sphere vulnerability in IBM Rational Team Concert IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 and IBM Rational Team Concert 6.0.6 and 6.0.0.1 could allow an authenticated user to obtain sensitive information about build definitions. | 4.0 |
2022-03-15 | CVE-2022-0968 | Microweber | Integer Overflow or Wraparound vulnerability in Microweber The microweber application allows large characters to insert in the input field "fist & last name" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 4.0 |
2022-03-14 | CVE-2021-42389 | Yandex | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query. | 4.0 |
2022-03-14 | CVE-2021-42390 | Yandex | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query. | 4.0 |
2022-03-14 | CVE-2021-38971 | IBM | Unspecified vulnerability in IBM Data Virtualization on Cloud PAK for Data IBM Data Virtualization on Cloud Pak for Data 1.3.0, 1.4.1, 1.5.0, 1.7.1 and 1.7.3 could allow an authorized user to bypass data masking rules and obtain sensitve information. | 4.0 |
2022-03-14 | CVE-2022-22353 | IBM | Unspecified vulnerability in IBM BIG SQL 7.1.0/7.1.1/7.2.3 IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow an authenticated user with appropriate permissions to obtain sensitive information by bypassing data masking rules using a CREATE TABLE SELECT statement. | 4.0 |
2022-03-14 | CVE-2021-24692 | Tipsandtricks HQ | Path Traversal vulnerability in Tipsandtricks-Hq Simple Download Monitor The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector. | 4.0 |
2022-03-14 | CVE-2021-24966 | Bestwebsoft | External Control of File Name or Path vulnerability in Bestwebsoft Error LOG Viewer The Error Log Viewer WordPress plugin through 1.1.1 does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder | 4.0 |
2022-03-14 | CVE-2022-24385 | Smartertools | Forced Browsing vulnerability in Smartertools Smartertrack A Direct Object Access vulnerability in SmarterTools SmarterTrack leads to information disclosure This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. | 4.0 |
2022-03-14 | CVE-2021-43954 | Atlassian | Server-Side Request Forgery (SSRF) vulnerability in Atlassian Crucible The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability. | 4.0 |
67 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-03-20 | CVE-2022-25464 | Html JS | Cross-site Scripting vulnerability in Html-Js Doracms 2.1.8 A stored cross-site scripting (XSS) vulnerability in the component /admin/contenttemp of DoraCMS v2.1.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 3.5 |
2022-03-20 | CVE-2022-26555 | Eova | Cross-site Scripting vulnerability in Eova 1.6.0 A stored cross-site scripting (XSS) vulnerability in the Add a Button function of Eova v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the button name text box. | 3.5 |
2022-03-18 | CVE-2022-1002 | Mattermost | Cross-site Scripting vulnerability in Mattermost Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. | 3.5 |
2022-03-18 | CVE-2022-25603 | Maxfoundry | Cross-site Scripting vulnerability in Maxfoundry Maxgalleria 6.2.5 Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability discovered in MaxGalleria WordPress plugin (versions 6.2.5). | 3.5 |
2022-03-18 | CVE-2022-25605 | WP Downloadmanager Project | Cross-site Scripting vulnerability in Wp-Downloadmanager Project Wp-Downloadmanager Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). | 3.5 |
2022-03-18 | CVE-2022-27244 | Misp | Cross-site Scripting vulnerability in Misp An issue was discovered in MISP before 2.4.156. | 3.5 |
2022-03-17 | CVE-2021-45792 | Slims | Cross-site Scripting vulnerability in Slims Senayan Library Management System 9.4.2 Slims9 Bulian 9.4.2 is affected by Cross Site Scripting (XSS) in /admin/modules/system/custom_field.php. | 3.5 |
2022-03-16 | CVE-2022-26295 | Online Project Time Management System Project | Cross-site Scripting vulnerability in Online Project Time Management System Project Online Project Time Management System 1.0 A stored cross-site scripting (XSS) vulnerability in /ptms/?page=user of Online Project Time Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the user name field. | 3.5 |
2022-03-16 | CVE-2021-33853 | X2Engine | Cross-site Scripting vulnerability in X2Engine X2Crm 8.0 A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. | 3.5 |
2022-03-16 | CVE-2021-45787 | Maccms | Cross-site Scripting vulnerability in Maccms 10.0 There is a stored Cross Site Scripting (XSS) vulnerability in maccms v10 through adding videos. | 3.5 |
2022-03-16 | CVE-2022-0705 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | 3.5 |
2022-03-16 | CVE-2022-0704 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | 3.5 |
2022-03-16 | CVE-2022-0911 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | 3.5 |
2022-03-15 | CVE-2022-25489 | Thedigitalcraft | Cross-site Scripting vulnerability in Thedigitalcraft Atomcms 2.0 Atom CMS v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "A" parameter in /widgets/debug.php. | 3.5 |
2022-03-15 | CVE-2022-0970 | Getgrav | Cross-site Scripting vulnerability in Getgrav Grav Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31. | 3.5 |
2022-03-15 | CVE-2022-0963 | Microweber | Cross-site Scripting vulnerability in Microweber Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12. | 3.5 |
2022-03-15 | CVE-2022-0964 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS viva .webmv file upload in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-15 | CVE-2022-0965 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS viva .ofd file upload in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-15 | CVE-2022-0966 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS via File Upload in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.4.10. | 3.5 |
2022-03-15 | CVE-2022-0967 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-15 | CVE-2022-0942 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-15 | CVE-2022-0956 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS via File Upload in GitHub repository star7th/showdoc prior to v.2.10.4. | 3.5 |
2022-03-15 | CVE-2022-0957 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS via File Upload in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-15 | CVE-2022-0954 | Microweber | Cross-site Scripting vulnerability in Microweber Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11. | 3.5 |
2022-03-15 | CVE-2022-0893 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | 3.5 |
2022-03-15 | CVE-2022-0894 | Pimcore | Cross-site Scripting vulnerability in Pimcore Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0. | 3.5 |
2022-03-15 | CVE-2022-0945 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS viva axd and cshtml file upload in star7th/showdoc in GitHub repository star7th/showdoc prior to v2.10.4. | 3.5 |
2022-03-14 | CVE-2021-39055 | IBM | Cross-site Scripting vulnerability in IBM Spectrum Copy Data Management IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to cross-site scripting. | 3.5 |
2022-03-14 | CVE-2022-22348 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Spectrum Protect Operations Center IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.13.xxx is vulnerable to reverse tabnabbing where it could allow a page linked to from within Operations Center to rewrite it. | 3.5 |
2022-03-14 | CVE-2022-0962 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS viva .webma file upload in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-14 | CVE-2021-24895 | Webbigt | Cross-site Scripting vulnerability in Webbigt Cybersoldier The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL settings before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2021-24897 | Viitorcloud | Cross-site Scripting vulnerability in Viitorcloud ADD Subtitle 1.1.0 The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with classic editor) when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | 3.5 |
2022-03-14 | CVE-2021-24950 | Thememove | Missing Authorization vulnerability in Thememove Insight Core 1.0 The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. | 3.5 |
2022-03-14 | CVE-2021-24958 | Mekshq | Cross-site Scripting vulnerability in Mekshq Meks Easy Photo Feed Widget The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. | 3.5 |
2022-03-14 | CVE-2021-24982 | Childtheme Generator | Cross-site Scripting vulnerability in Childtheme-Generator Child Theme Generator The Child Theme Generator WordPress plugin through 2.2.7 does not sanitise escape the parade parameter before outputting it back, leading to a Reflected Cross-Site Scripting in the admin dashboard | 3.5 |
2022-03-14 | CVE-2021-24995 | Html5 Responsive FAQ Project | Cross-site Scripting vulnerability in Html5 Responsive FAQ Project Html5 Responsive FAQ The HTML5 Responsive FAQ WordPress plugin through 2.8.5 does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 3.5 |
2022-03-14 | CVE-2021-25026 | Patreon | Cross-site Scripting vulnerability in Patreon Wordpress The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2021-41952 | Tribalsystems | Cross-site Scripting vulnerability in Tribalsystems Zenario 9.0.54156 Zenario CMS 9.0.54156 is vulnerable to Cross Site Scripting (XSS) via upload file to *.SVG. | 3.5 |
2022-03-14 | CVE-2022-0659 | Sync Qcloud COS Project | Cross-site Scripting vulnerability in Sync Qcloud COS Project Sync Qcloud COS The Sync QCloud COS WordPress plugin before 2.0.1 does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2022-0674 | Kunze Medien | Cross-site Scripting vulnerability in Kunze-Medien Kunze LAW The Kunze Law WordPress plugin before 2.1 does not escape its 'E-Mail Error "From" Address' settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2022-0684 | WP Home Page Menu Project | Cross-site Scripting vulnerability in WP Home Page Menu Project WP Home Page Menu The WP Home Page Menu WordPress plugin before 3.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2022-0700 | Chrsinteractive | Cross-site Scripting vulnerability in Chrsinteractive Simple Tracking The Simple Tracking WordPress plugin before 1.7 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2022-0701 | SEO 301 Meta Project | Cross-site Scripting vulnerability in Seo-301-Meta Project Seo-301-Meta The SEO 301 Meta WordPress plugin through 1.9.1 does not escape its Request and Destination settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2022-0702 | Unboxinteractive | Cross-site Scripting vulnerability in Unboxinteractive Petfinder-Listings The Petfinder Listings WordPress plugin through 1.0.18 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2022-0703 | GD Mylist Project | Cross-site Scripting vulnerability in Gd-Mylist Project Gd-Mylist The GD Mylist WordPress plugin through 1.1.1 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-03-14 | CVE-2022-0960 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-14 | CVE-2022-0946 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS viva cshtm file upload in GitHub repository star7th/showdoc prior to v2.10.4. | 3.5 |
2022-03-14 | CVE-2022-0941 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4. | 3.5 |
2022-03-14 | CVE-2022-0940 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4. | 3.5 |
2022-03-14 | CVE-2022-0938 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored XSS via file upload in GitHub repository star7th/showdoc prior to v2.10.4. | 3.5 |
2022-03-14 | CVE-2022-0341 | B3Log | Cross-site Scripting vulnerability in B3Log Vditor Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.12. | 3.5 |
2022-03-14 | CVE-2022-0937 | Showdoc | Cross-site Scripting vulnerability in Showdoc Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4. | 3.5 |
2022-03-18 | CVE-2022-22598 | Apple | Unspecified vulnerability in Apple Iphone OS An issue with app access to camera metadata was addressed with improved logic. | 3.3 |
2022-03-18 | CVE-2022-22656 | Apple | Improper Authentication vulnerability in Apple mac OS X and Macos An authentication issue was addressed with improved state management. | 3.3 |
2022-03-16 | CVE-2022-26354 | Qemu Debian | Missing Release of Resource after Effective Lifetime vulnerability in multiple products A flaw was found in the vhost-vsock device of QEMU. | 3.2 |
2022-03-18 | CVE-2022-22599 | Apple | Unspecified vulnerability in Apple products Description: A permissions issue was addressed with improved validation. | 2.4 |
2022-03-18 | CVE-2022-22671 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS An authentication issue was addressed with improved state management. | 2.1 |
2022-03-18 | CVE-2021-22571 | Incorrect Default Permissions vulnerability in Google Sa360 Webquery to Bigquery Exporter A local attacker could read files from some other users' SA360 reports stored in the /tmp folder during staging process before the files are loaded in BigQuery. | 2.1 | |
2022-03-16 | CVE-2021-20180 | Redhat | Information Exposure Through Log Files vulnerability in Redhat Ansible A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. | 2.1 |
2022-03-16 | CVE-2021-39711 | Out-of-bounds Read vulnerability in Google Android In bpf_prog_test_run_skb of test_run.c, there is a possible out of bounds read due to Incorrect Size Value. | 2.1 | |
2022-03-16 | CVE-2021-39717 | Out-of-bounds Read vulnerability in Google Android In iaxxx_btp_write_words of iaxxx-btp.c, there is a possible out of bounds read due to an incorrect bounds check. | 2.1 | |
2022-03-16 | CVE-2021-39722 | Out-of-bounds Read vulnerability in Google Android In ProtocolStkProactiveCommandAdapter::Init of protocolstkadapter.cpp, there is a possible out of bounds read due to an incorrect bounds check. | 2.1 | |
2022-03-16 | CVE-2021-39724 | Out-of-bounds Read vulnerability in Google Android In TuningProviderBase::GetTuningTreeSet of tuning_provider_base.cc, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2022-03-16 | CVE-2021-39730 | Out-of-bounds Read vulnerability in Google Android In TBD of TBD, there is a possible out of bounds read due to a missing bounds check. | 2.1 | |
2022-03-16 | CVE-2022-23234 | Netapp | Cleartext Storage of Sensitive Information vulnerability in Netapp Snapcenter SnapCenter versions prior to 4.5 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext HANA credentials. | 2.1 |
2022-03-16 | CVE-2021-39727 | Race Condition vulnerability in Google Android In eicPresentationRetrieveEntryValue of acropora/app/identity/libeic/EicPresentation.c, there is a possible information disclosure due to a race condition. | 1.9 | |
2022-03-16 | CVE-2021-39792 | Race Condition vulnerability in Google Android In usb_gadget_giveback_request of core.c, there is a possible use after free out of bounds read due to a race condition. | 1.9 |