Weekly Vulnerabilities Reports > March 28 to April 3, 2022

Overview

516 new vulnerabilities reported during this period, including 109 critical vulnerabilities and 184 high severity vulnerabilities. This weekly summary report vulnerabilities in 779 products from 233 vendors including Google, Jenkins, Gitlab, Deltaww, and Qualcomm. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Missing Authorization", "Out-of-bounds Write", and "Path Traversal".

  • 376 reported vulnerabilities are remotely exploitables.
  • 8 reported vulnerabilities have public exploit available.
  • 172 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 288 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 58 reported vulnerabilities.
  • Deltaww has the most reported critical vulnerabilities, with 15 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

109 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-01 CVE-2022-22570 UI Classic Buffer Overflow vulnerability in UI UA Lite Firmware 3.8.28.20/3.8.28.24

A buffer overflow vulnerability found in the UniFi Door Access Reader Lite’s (UA Lite) firmware (Version 3.8.28.24 and earlier) allows a malicious actor who has gained access to a network to control all connected UA devices.

10.0
2022-03-28 CVE-2021-46433 Fenom Project Unspecified vulnerability in Fenom Project Fenom

In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template.php function getTemplateCode()to bypass sandbox to execute arbitrary PHP code when disable_native_funcs is true.

10.0
2022-04-03 CVE-2021-30064 Belden
Schneider Electric
Use of Hard-coded Credentials vulnerability in multiple products

On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an SSH login can succeed with hardcoded default credentials (if the device is in the uncommissioned state).

9.8
2022-04-03 CVE-2022-28381 Allmediaserver Out-of-bounds Write vulnerability in Allmediaserver 1.6

Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932.

9.8
2022-04-03 CVE-2022-28368 Dompdf Project Cross-site Scripting vulnerability in Dompdf Project Dompdf

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).

9.8
2022-04-01 CVE-2021-23247 Oppo Command Injection vulnerability in Oppo Quick APP 4.5.0

A command injection vulerability found in quick game engine allows arbitrary remote code in quick app.

9.8
2022-04-01 CVE-2021-26623 Bandisoft Out-of-bounds Write vulnerability in Bandisoft Bandizip

A remote code execution vulnerability due to incomplete check for 'xheader_decode_path_record' function's parameter length value in the ark library.

9.8
2022-04-01 CVE-2021-27497 Philips Unspecified vulnerability in Philips products

Philips Vue PACS versions 12.2.x.x and prior does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

9.8
2022-04-01 CVE-2021-27501 Philips Unspecified vulnerability in Philips products

Philips Vue PACS versions 12.2.x.x and prior does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

9.8
2022-04-01 CVE-2021-32933 Auvesy MDT OS Command Injection vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform

An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument.

9.8
2022-04-01 CVE-2021-32953 Auvesy MDT SQL Injection vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform

An attacker could utilize SQL commands to create a new user MDT AutoSave versions prior to v6.02.06 and update the user’s permissions, granting the attacker the ability to login.

9.8
2022-04-01 CVE-2021-32974 Moxa OS Command Injection vulnerability in Moxa products

Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands.

9.8
2022-04-01 CVE-2021-32976 Moxa Out-of-bounds Write vulnerability in Moxa products

Five buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to initiate a denial-of-service attack and execute arbitrary code.

9.8
2022-04-01 CVE-2022-22963 Vmware
Oracle
Expression Language Injection vulnerability in multiple products

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

9.8
2022-04-01 CVE-2022-22965 Vmware
Cisco
Oracle
Siemens
Veritas
Code Injection vulnerability in multiple products

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

9.8
2022-04-01 CVE-2022-27177 Netflix Use of Externally-Controlled Format String vulnerability in Netflix Consoleme

A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2

9.8
2022-04-01 CVE-2022-27534 Kaspersky Unspecified vulnerability in Kaspersky products

Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security with antivirus databases released before 12 March 2022 had a bug in a data parsing module that potentially allowed an attacker to execute arbitrary code.

9.8
2022-04-01 CVE-2022-24066 Simple GIT Project Argument Injection or Modification vulnerability in Simple-Git Project Simple-Git

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector.

9.8
2022-04-01 CVE-2022-26562 Kopano Improper Authentication vulnerability in Kopano Groupware Core 11.0.2.51

An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired.

9.8
2022-04-01 CVE-2022-21223 Cocoapods Argument Injection or Modification vulnerability in Cocoapods Cocoapods-Downloader

The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection.

9.8
2022-04-01 CVE-2022-24440 Cocoapods Argument Injection or Modification vulnerability in Cocoapods Cocoapods-Downloader

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection.

9.8
2022-04-01 CVE-2022-21235 VCS Project Argument Injection or Modification vulnerability in VCS Project VCS

The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection.

9.8
2022-04-01 CVE-2021-44135 Pagekit SQL Injection vulnerability in Pagekit

pagekit all versions, as of 15-10-2021, is vulnerable to SQL Injection via Comment listing.

9.8
2022-04-01 CVE-2022-24802 Deepmerge TS Project Unspecified vulnerability in Deepmerge-Ts Project Deepmerge-Ts

deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects.

9.8
2022-04-01 CVE-2022-24803 Asciidoctor Include EXT Project Unspecified vulnerability in Asciidoctor-Include-Ext Project Asciidoctor-Include-Ext

Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension.

9.8
2022-03-31 CVE-2022-24791 Bytecodealliance Unspecified vulnerability in Bytecodealliance Wasmtime

Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift.

9.8
2022-03-31 CVE-2022-24796 Raspberrymatic Unspecified vulnerability in Raspberrymatic

RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices.

9.8
2022-03-31 CVE-2021-43722 Dlink Out-of-bounds Write vulnerability in Dlink Dir-645 Firmware 1.03

D-Link DIR-645 1.03 A1 is vulnerable to Buffer Overflow.

9.8
2022-03-31 CVE-2021-43479 Secretarycms Unspecified vulnerability in Secretarycms the Secretary 2.5

A Remote Code Execution (RCE) vulnerability exists in The-Secretary 2.5 via install.php.

9.8
2022-03-31 CVE-2021-43484 Simple Client Management System Project SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0

A Remote Code Execution (RCE) vulnerability exists in Simple Client Management System 1.0 in create.php due to the failure to validate the extension of the file being sent in a request.

9.8
2022-03-31 CVE-2021-43506 Simple Client Management System Project SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0

An SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the password parameter in Login.php.

9.8
2022-03-31 CVE-2022-24136 Hospital Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Hospital Management System Project Hospital Management System 1.0

Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulerability in treatmentrecord.php.

9.8
2022-03-30 CVE-2021-46007 Totolink OS Command Injection vulnerability in Totolink Ar3100R Firmware 5.9C.4577

totolink a3100r V5.9c.4577 is vulnerable to os command injection.

9.8
2022-03-30 CVE-2021-46009 Totolink Missing Authentication for Critical Function vulnerability in Totolink A3100R Firmware 5.9C.4577

In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication.

9.8
2022-03-30 CVE-2022-26645 Banking System Project Unrestricted Upload of File with Dangerous Type vulnerability in Banking System Project Banking System 1.0

A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.

9.8
2022-03-30 CVE-2022-26646 Banking System Project Unspecified vulnerability in Banking System Project Banking System 1.0

Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter.

9.8
2022-03-30 CVE-2021-43142 JOX Project XXE vulnerability in JOX Project JOX 1.16

An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.

9.8
2022-03-30 CVE-2019-12266 Wyze Out-of-bounds Write vulnerability in Wyze products

Stack-based Buffer Overflow vulnerability in Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to run arbitrary code on the affected device.

9.8
2022-03-30 CVE-2019-9564 Wyze Improper Authentication vulnerability in Wyze products

A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices.

9.8
2022-03-30 CVE-2022-23795 Joomla Improper Authentication vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0.

9.8
2022-03-30 CVE-2022-23797 Joomla SQL Injection vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0.

9.8
2022-03-30 CVE-2022-23799 Joomla Unspecified vulnerability in Joomla Joomla! 4.0.0

An issue was discovered in Joomla! 4.0.0 through 4.1.0.

9.8
2022-03-30 CVE-2022-28205 Mediawiki Unspecified vulnerability in Mediawiki

An issue was discovered in MediaWiki through 1.37.1.

9.8
2022-03-30 CVE-2022-28206 Mediawiki Unspecified vulnerability in Mediawiki

An issue was discovered in MediaWiki through 1.37.1.

9.8
2022-03-30 CVE-2022-28209 Mediawiki Unspecified vulnerability in Mediawiki

An issue was discovered in Mediawiki through 1.37.1.

9.8
2022-03-30 CVE-2020-24769 Nexusphp SQL Injection vulnerability in Nexusphp 1.5

SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the classes parameter.

9.8
2022-03-30 CVE-2020-24770 Nexusphp SQL Injection vulnerability in Nexusphp 1.5

SQL injection vulnerability in modrules.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

9.8
2022-03-30 CVE-2022-24693 Baicells Use of Hard-coded Credentials vulnerability in Baicells Neutrino 430 Firmware and Nova436Q Firmware

Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh.

9.8
2022-03-29 CVE-2022-26871 Trendmicro Insufficient Verification of Data Authenticity vulnerability in Trendmicro Apex Central and Apex ONE

An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution.

9.8
2022-03-29 CVE-2021-42911 Draytek Use of Externally-Controlled Format String vulnerability in Draytek products

A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY STRING, which could let a remote malicious user execute arbitrary code.

9.8
2022-03-29 CVE-2021-43118 Draytek Command Injection vulnerability in Draytek products

A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING in mainfunction.cgi, which could let a remote malicious user execute arbitrary code.

9.8
2022-03-29 CVE-2021-43110 Puneethreddyhc Online Shopping System Project Unspecified vulnerability in Puneethreddyhc Online-Shopping-System Project Puneethreddyhc Online-Shopping-System

An Access Conrol vulnerability exists in PuneethReddyHC online-shopping-system as of 11/01/2021 in add_products.

9.8
2022-03-29 CVE-2022-0923 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerDialog_KID.ashx.

9.8
2022-03-29 CVE-2022-25880 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerTag_KID.ashx.

9.8
2022-03-29 CVE-2022-25980 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerCommon.ashx.

9.8
2022-03-29 CVE-2022-26013 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_dmdsetHandler.ashx.

9.8
2022-03-29 CVE-2022-26059 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData.

9.8
2022-03-29 CVE-2022-26065 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode.

9.8
2022-03-29 CVE-2022-26069 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerPage_KID.ashx.

9.8
2022-03-29 CVE-2022-26338 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerPageP_KID.ashx.

9.8
2022-03-29 CVE-2022-26349 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx.

9.8
2022-03-29 CVE-2022-26514 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_tagHandler.ashx.

9.8
2022-03-29 CVE-2022-26666 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerECC.ashx.

9.8
2022-03-29 CVE-2022-26667 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetDemandAnalysisData.

9.8
2022-03-29 CVE-2022-26836 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar.

9.8
2022-03-29 CVE-2022-26887 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_loopmapHandler.ashx.

9.8
2022-03-29 CVE-2022-27175 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetCalcTagList.

9.8
2022-03-29 CVE-2022-23901 Re2C Out-of-bounds Write vulnerability in Re2C 2.2

A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc.

9.8
2022-03-29 CVE-2022-1073 Automatic Question Paper Generator System Project Weak Password Recovery Mechanism for Forgotten Password vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0

A vulnerability was found in Automatic Question Paper Generator 1.0.

9.8
2022-03-29 CVE-2022-1078 College Website Management System Project SQL Injection vulnerability in College Website Management System Project College Website Management System 1.0

A vulnerability was found in SourceCodester College Website Management System 1.0.

9.8
2022-03-29 CVE-2022-1080 ONE Church Management System Project SQL Injection vulnerability in ONE Church Management System Project ONE Church Management System 1.0

A vulnerability was found in SourceCodester One Church Management System 1.0.

9.8
2022-03-29 CVE-2022-1082 Microfinance Management System Project SQL Injection vulnerability in Microfinance Management System Project Microfinance Management System 1.0

A vulnerability was found in SourceCodester Microfinance Management System 1.0.

9.8
2022-03-29 CVE-2022-1083 Microfinance Management System Project SQL Injection vulnerability in Microfinance Management System Project Microfinance Management System

A vulnerability classified as critical has been found in Microfinance Management System.

9.8
2022-03-29 CVE-2022-1084 ONE Church Management System Project Improper Authentication vulnerability in ONE Church Management System Project ONE Church Management System 1.0

A vulnerability classified as critical was found in SourceCodester One Church Management System 1.0.

9.8
2022-03-29 CVE-2022-25420 Nttr Injection vulnerability in Nttr GOO Blog 1.0

NTT Resonant Incorporated goo blog App Web Application 1.0 is vulnerable to CLRF injection.

9.8
2022-03-29 CVE-2021-45865 Student Attendance Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Student Attendance Management System Project Student Attendance Management System 1.0

A File Upload vulnerability exists in Sourcecodester Student Attendance Manageent System 1.0 via the file upload functionality.

9.8
2022-03-29 CVE-2022-25521 Nuuo Use of Hard-coded Credentials vulnerability in Nuuo Network Video Recorder Firmware

NUUO v03.11.00 was discovered to contain access control issue.

9.8
2022-03-28 CVE-2003-5001 IBM Unspecified vulnerability in IBM ISS Blackice PC Protection

A vulnerability was found in ISS BlackICE PC Protection and classified as critical.

9.8
2022-03-28 CVE-2022-26278 Tenda Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21Cn

Tenda AC9 v15.03.2.21_cn was discovered to contain a stack overflow via the time parameter in the PowerSaveSet function.

9.8
2022-03-28 CVE-2022-0735 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2.

9.8
2022-03-28 CVE-2021-25070 Stopbadbots Unspecified vulnerability in Stopbadbots Block and Stop BAD Bots

The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue

9.8
2022-03-28 CVE-2022-0479 Sygnoos Unspecified vulnerability in Sygnoos Popup Builder

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link

9.8
2022-03-28 CVE-2022-0679 Narnoo Distributor Project Unspecified vulnerability in Narnoo Distributor Project Narnoo Distributor

The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data.

9.8
2022-03-28 CVE-2022-0784 Title Experiments Free Project Unspecified vulnerability in Title Experiments Free Project Title Experiments Free

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection

9.8
2022-03-28 CVE-2022-0787 Limit Login Attempts Project Unspecified vulnerability in Limit Login Attempts Project Limit Login Attempts

The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections

9.8
2022-03-28 CVE-2022-0846 Speakout Email Petitions Project Unspecified vulnerability in Speakout! Email Petitions Project Speakout! Email Petitions

The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users

9.8
2022-03-28 CVE-2022-0342 Zyxel Improper Authentication vulnerability in Zyxel products

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.

9.8
2022-03-28 CVE-2022-23884 Minecraft Integer Overflow or Wraparound vulnerability in Minecraft Bedrock Server 1.18.2

Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer).

9.8
2022-03-28 CVE-2022-23882 Tuzicms SQL Injection vulnerability in Tuzicms 2.0.6

TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\BannerController.class.php.

9.8
2022-03-28 CVE-2022-25757 Apache Improper Input Validation vulnerability in Apache Apisix

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result.

9.8
2022-03-28 CVE-2021-44617 Glpi Project SQL Injection vulnerability in Glpi-Project Glpi 9.4.6

A SQL Injection vulnerability exits in the Ramo plugin for GLPI 9.4.6 via the idu parameter in plugins/ramo/ramoapirest.php/getOutdated.

9.8
2022-03-28 CVE-2022-26273 Eyoucms Unspecified vulnerability in Eyoucms 1.5.4

EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities.

9.8
2022-03-28 CVE-2021-26599 Impresscms SQL Injection vulnerability in Impresscms

ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.

9.8
2022-03-28 CVE-2021-26600 Impresscms Type Confusion vulnerability in Impresscms

ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==).

9.8
2022-03-28 CVE-2022-26268 Xiaohuanxiong Project SQL Injection vulnerability in Xiaohuanxiong Project Xiaohuanxiong 1.0

Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php.

9.8
2022-03-28 CVE-2022-26255 Clash Project Cross-site Scripting vulnerability in Clash Project Clash 0.19.8

Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column.

9.8
2022-03-28 CVE-2022-26258 Dlink OS Command Injection vulnerability in Dlink Dir-820L Firmware 1.05

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.

9.8
2022-04-03 CVE-2022-26530 Swaywm Unspecified vulnerability in Swaywm Swaylock

swaylock before 1.6 allows attackers to trigger a crash and achieve unlocked access to a Wayland compositor.

9.1
2022-04-01 CVE-2022-25157 Mitsubishielectric Improper Authentication vulnerability in Mitsubishielectric products

Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to disclose or tamper with the information in the product by using an eavesdropped password hash.

9.1
2022-04-01 CVE-2022-25158 Mitsubishielectric Cleartext Storage of Sensitive Information vulnerability in Mitsubishielectric products

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote attacker to disclose or tamper with a file in which password hash is saved in cleartext.

9.1
2022-04-01 CVE-2021-35088 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Possible out of bound read due to improper validation of IE length during SSID IE parse when channel is DFS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

9.1
2022-04-01 CVE-2021-35117 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

An Out of Bounds read may potentially occur while processing an IBSS beacon, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music

9.1
2022-03-31 CVE-2022-24797 Pomerium Unspecified vulnerability in Pomerium

Pomerium is an identity-aware access proxy.

9.1
2022-03-31 CVE-2022-26546 Hospital Management System Project Missing Authorization vulnerability in Hospital Management System Project Hospital Management System 1.0

Hospital Management System v1.0 was discovered to lack an authorization component, allowing attackers to access sensitive information and obtain the admin password.

9.1
2022-03-29 CVE-2021-46743 Google Type Confusion vulnerability in Google Firebase PHP-Jwt

In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring.

9.1
2022-03-28 CVE-2022-0249 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

A vulnerability was discovered in GitLab starting with version 12.

9.1
2022-03-28 CVE-2021-45490 3CX Improper Certificate Validation vulnerability in 3CX

The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation.

9.1
2022-03-28 CVE-2022-24303 Python
Fedoraproject
Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
9.1
2022-03-30 CVE-2022-25620 Profelis Cross-site Scripting vulnerability in Profelis Sambabox

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server.

9.0

184 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-03 CVE-2022-27249 Idearespa Unrestricted Upload of File with Dangerous Type vulnerability in Idearespa Reftree

An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visiting the URL for this aspx resource.

8.8
2022-04-03 CVE-2022-28391 Busybox Unspecified vulnerability in Busybox

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal.

8.8
2022-04-01 CVE-2021-26624 Escanav Improper Input Validation vulnerability in Escanav Escan Anti-Virus

An local privilege escalation vulnerability due to a "runasroot" command in eScan Anti-Virus.

8.8
2022-04-01 CVE-2021-32960 Rockwellautomation Incorrect Authorization vulnerability in Rockwellautomation Factorytalk Services Platform

Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name.

8.8
2022-04-01 CVE-2021-33657 Libsdl Out-of-bounds Write vulnerability in Libsdl Simple Directmedia Layer

There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions.

8.8
2022-04-01 CVE-2022-21947 Suse Unspecified vulnerability in Suse Rancher Desktop

A Exposure of Resource to Wrong Sphere vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions.

8.8
2022-04-01 CVE-2022-25017 Hitrontech OS Command Injection vulnerability in Hitrontech Chita Firmware 7.2.2.0.3B6Cd

Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulnerability via the Device/DDNS ddnsUsername field.

8.8
2022-04-01 CVE-2021-1942 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Improper handling of permissions of a shared memory region can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

8.8
2022-04-01 CVE-2021-35110 Qualcomm Incorrect Type Conversion or Cast vulnerability in Qualcomm products

Possible buffer overflow to improper validation of hash segment of file while allocating memory in Snapdragon Connectivity, Snapdragon Mobile

8.8
2022-03-31 CVE-2021-36625 Dolibarr SQL Injection vulnerability in Dolibarr Erp/Crm 13.0.2

An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.

8.8
2022-03-31 CVE-2021-34257 Wpanel CMS Project Unrestricted Upload of File with Dangerous Type vulnerability in Wpanel CMS Project Wpanel CMS

Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard's Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folder image.

8.8
2022-03-31 CVE-2022-25915 Elecom Unspecified vulnerability in Elecom products

Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to bypass access restriction and to access the management screen of the product via unspecified vectors.

8.8
2022-03-31 CVE-2022-22986 NTT East OS Command Injection vulnerability in Ntt-East products

Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file.

8.8
2022-03-31 CVE-2022-24299 Netgate Improper Input Validation vulnerability in Netgate Pfsense and Pfsense Plus

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.

8.8
2022-03-31 CVE-2022-26019 Netgate Path Traversal vulnerability in Netgate Pfsense and Pfsense Plus

Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.

8.8
2022-03-30 CVE-2021-46008 Totolink Use of Hard-coded Credentials vulnerability in Totolink A3100R Firmware 5.9C.4577

In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware.

8.8
2022-03-30 CVE-2021-46010 Totolink Use of Insufficiently Random Values vulnerability in Totolink A3100R Firmware 5.9C.4577

Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration.

8.8
2022-03-30 CVE-2022-25008 Totolink Missing Authentication for Critical Function vulnerability in Totolink Ex1200T Firmware and Ex300 V2 Firmware

totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 does not contain an authentication mechanism.

8.8
2022-03-30 CVE-2021-44312 Firmware Analysis AND Comparison Tool Project Cross-Site Request Forgery (CSRF) vulnerability in Firmware Analysis and Comparison Tool Project Firmware Analysis and Comparison Tool 3.2

An issue was discovered in Firmware Analysis and Comparison Tool v3.2.

8.8
2022-03-30 CVE-2021-39772 Google Improper Privilege Management vulnerability in Google Android 12.0

In Bluetooth, there is a possible way to access the a2dp audio control switch due to a missing permission check.

8.8
2022-03-30 CVE-2015-3298 Yubico Improper Verification of Cryptographic Signature vulnerability in Yubico Ykneo-Openpgp 1.0.9

Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used.

8.8
2022-03-30 CVE-2022-27432 Pluck CMS Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.15

A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover.

8.8
2022-03-29 CVE-2022-1050 Qemu Use After Free vulnerability in Qemu

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device.

8.8
2022-03-29 CVE-2022-22934 Saltstack Unspecified vulnerability in Saltstack Salt

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1.

8.8
2022-03-29 CVE-2022-22936 Saltstack Authentication Bypass by Capture-replay vulnerability in Saltstack Salt

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1.

8.8
2022-03-29 CVE-2022-22941 Saltstack Incorrect Permission Assignment for Critical Resource vulnerability in Saltstack Salt

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1.

8.8
2022-03-29 CVE-2022-28136 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jiratestresultreporter

A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

8.8
2022-03-29 CVE-2022-28150 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins JOB and Node Ownership

A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and item-specific permissions of a job.

8.8
2022-03-28 CVE-2022-0427 Gitlab Cross-Site Request Forgery (CSRF) vulnerability in Gitlab

Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover

8.8
2022-03-28 CVE-2022-0751 Gitlab Unspecified vulnerability in Gitlab

Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users into executing arbitrary commands

8.8
2022-03-28 CVE-2021-24962 Iptanus Path Traversal vulnerability in Iptanus Wordpress File Upload and Wordpress File Upload PRO

The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.

8.8
2022-03-28 CVE-2022-0499 Sermon Browser Project Unspecified vulnerability in Sermon Browser Project Sermon Browser

The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones.

8.8
2022-03-28 CVE-2022-0770 Gtranslate Unspecified vulnerability in Gtranslate Translate Wordpress With Gtranslate

The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them.

8.8
2022-03-29 CVE-2021-44082 Textpattern Cross-site Scripting vulnerability in Textpattern 4.8.7

textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body.

8.3
2022-04-03 CVE-2022-28376 Verizon Improper Authentication vulnerability in Verizon Lvskihp Firmware 20220215

Verizon 5G Home LVSKIHP outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address.

8.1
2022-04-01 CVE-2022-25155 Mitsubishielectric Improper Authentication vulnerability in Mitsubishielectric products

Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-EIP all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by replaying an eavesdropped password hash.

8.1
2022-04-01 CVE-2022-25156 Mitsubishielectric Inadequate Encryption Strength vulnerability in Mitsubishielectric products

Use of Weak Hash vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by using a password reversed from a previously eavesdropped password hash.

8.1
2022-04-01 CVE-2022-25159 Mitsubishielectric Authentication Bypass by Capture-replay vulnerability in Mitsubishielectric products

Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions and Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions allows a remote unauthenticated attacker to login to the product by replay attack.

8.1
2022-03-31 CVE-2022-1191 Livehelperchat Unspecified vulnerability in Livehelperchat Live Helper Chat

SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96.

8.1
2022-03-30 CVE-2021-43664 Totolink Command Injection vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.140B20210429

totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process&nbsp;forceugpo.

8.1
2022-03-29 CVE-2022-28140 Jenkins XXE vulnerability in Jenkins Flaky Test Handler

Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.1
2022-03-29 CVE-2022-28154 Jenkins XXE vulnerability in Jenkins Coverage/Complexity Scatter Plot

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.1
2022-03-29 CVE-2022-28155 Jenkins XXE vulnerability in Jenkins Pipeline: Phoenix Autotest

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.1
2022-03-28 CVE-2022-0136 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1.

8.1
2022-03-28 CVE-2021-26601 Impresscms Path Traversal vulnerability in Impresscms

ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal.

8.1
2022-04-03 CVE-2022-28390 Linux
Fedoraproject
Debian
Netapp
Double Free vulnerability in multiple products

ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.

7.8
2022-04-01 CVE-2021-3847 Linux
Fedoraproject
Improper Preservation of Permissions vulnerability in multiple products

An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount.

7.8
2022-04-01 CVE-2022-1098 Deltaww Uncontrolled Search Path Element vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) are vulnerable to a DLL hijacking condition.

7.8
2022-04-01 CVE-2022-25959 Omron Out-of-bounds Write vulnerability in Omron Cx-Position 2.5.3

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to memory corruption while processing a specific project file, which may allow an attacker to execute arbitrary code.

7.8
2022-04-01 CVE-2022-26022 Omron Unspecified vulnerability in Omron Cx-Position 2.5.3

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to an out-of-bounds write while processing a specific project file, which may allow an attacker to execute arbitrary code.

7.8
2022-04-01 CVE-2022-26417 Omron Unspecified vulnerability in Omron Cx-Position 2.5.3

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to a use after free memory condition while processing a specific project file, which may allow an attacker to execute arbitrary code.

7.8
2022-04-01 CVE-2022-26419 Omron Out-of-bounds Write vulnerability in Omron Cx-Position 2.5.3

Omron CX-Position (versions 2.5.3 and prior) is vulnerable to multiple stack-based buffer overflow conditions while parsing a specific project file, which may allow an attacker to locally execute arbitrary code.

7.8
2022-04-01 CVE-2022-24426 Dell Uncontrolled Search Path Element vulnerability in Dell Alienware Update, Command Update and Update

Dell Command | Update, Dell Update, and Alienware Update version 4.4.0 contains a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component.

7.8
2022-04-01 CVE-2021-1950 Qualcomm Improper Authentication vulnerability in Qualcomm products

Improper cleaning of secure memory between authenticated users can lead to face authentication bypass in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking

7.8
2022-04-01 CVE-2021-30333 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Improper validation of buffer size input to the EFS file can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

7.8
2022-04-01 CVE-2021-35089 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Possible buffer overflow due to lack of input IB amount validation while processing the user command in Snapdragon Auto

7.8
2022-04-01 CVE-2021-35103 Qualcomm Out-of-bounds Write vulnerability in Qualcomm products

Possible out of bound write due to improper validation of number of timer values received from firmware while syncing timers in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

7.8
2022-04-01 CVE-2021-35105 Qualcomm Incorrect Type Conversion or Cast vulnerability in Qualcomm products

Possible out of bounds access due to improper input validation during graphics profiling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

7.8
2022-04-01 CVE-2021-35106 Qualcomm Out-of-bounds Read vulnerability in Qualcomm products

Possible out of bound read due to improper length calculation of WMI message.

7.8
2022-04-01 CVE-2021-35115 Qualcomm Use After Free vulnerability in Qualcomm products

Improper handling of multiple session supported by PVM backend can lead to use after free in Snapdragon Auto, Snapdragon Mobile

7.8
2022-03-31 CVE-2022-27050 Bitcomet Unquoted Search Path or Element vulnerability in Bitcomet

BitComet Service for Windows before version 1.8.6 contains an unquoted service path vulnerability which allows attackers to escalate privileges to the system level.

7.8
2022-03-31 CVE-2022-27052 Freesshd Unquoted Search Path or Element vulnerability in Freesshd Freeftpd

FreeFtpd version 1.0.13 and below contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges.

7.8
2022-03-31 CVE-2022-25348 Hibara Uncontrolled Search Path Element vulnerability in Hibara Attachecase

Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.

7.8
2022-03-31 CVE-2022-28128 Hibara Uncontrolled Search Path Element vulnerability in Hibara Attachecase

Untrusted search path vulnerability in AttacheCase ver.3.6.1.0 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.

7.8
2022-03-30 CVE-2022-1160 VIM
Fedoraproject
heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647.
7.8
2022-03-30 CVE-2022-27772 Vmware Exposure of Resource to Wrong Sphere vulnerability in VMWare Spring Boot

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking.

7.8
2022-03-30 CVE-2021-1000 Google Incorrect Default Permissions vulnerability in Google Android 12.1

In createBluetoothDeviceSlice of ConnectedDevicesSliceProvider.java, there is a possible permission bypass due to an unsafe PendingIntent.

7.8
2022-03-30 CVE-2021-1033 Google Incorrect Default Permissions vulnerability in Google Android 12.1

In createGeneralSlice of ConnectedDevicesSliceProvider.java.java, there is a possible permission bypass due to an unsafe PendingIntent.

7.8
2022-03-30 CVE-2021-39741 Google Out-of-bounds Write vulnerability in Google Android 12.1

In Keymaster, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-03-30 CVE-2021-39743 Google Missing Authorization vulnerability in Google Android 12.1

In PackageManager, there is a possible way to update the last usage time of another package due to a missing permission check.

7.8
2022-03-30 CVE-2021-39746 Google Unspecified vulnerability in Google Android 12.1

In PermissionController, there is a possible way to delete some local files due to an unsafe PendingIntent.

7.8
2022-03-30 CVE-2021-39749 Google Missing Authorization vulnerability in Google Android 12.1

In WindowManager, there is a possible way to start non-exported and protected activities due to a missing permission check.

7.8
2022-03-30 CVE-2021-39750 Google Missing Authorization vulnerability in Google Android 12.1

In PackageManager, there is a possible way to change the splash screen theme of other apps due to a missing permission check.

7.8
2022-03-30 CVE-2021-39752 Google Unspecified vulnerability in Google Android 12.1

In Bubbles, there is a possible way to interfere with Bubbles due to a permissions bypass.

7.8
2022-03-30 CVE-2021-39758 Google Missing Authorization vulnerability in Google Android 12.1

In WindowManager, there is a possible way to start a foreground activity from the background due to a missing permission check.

7.8
2022-03-30 CVE-2021-39759 Google Integer Overflow or Wraparound vulnerability in Google Android 12.1

In libstagefright, there is a possible out of bounds write due to an integer overflow.

7.8
2022-03-30 CVE-2021-39763 Google Improper Input Validation vulnerability in Google Android 12.1

In Settings, there is a possible way to make the user enable WiFi due to improper input validation.

7.8
2022-03-30 CVE-2021-39764 Google Improper Input Validation vulnerability in Google Android 12.1

In Settings, there is a possible way to display an incorrect app name due to improper input validation.

7.8
2022-03-30 CVE-2021-39767 Google Insecure Default Initialization of Resource vulnerability in Google Android 12.1

In miniadb, there is a possible way to get read/write access to recovery system properties due to an insecure default value.

7.8
2022-03-30 CVE-2021-39768 Google Missing Authorization vulnerability in Google Android 12.1

In Settings, there is a possible way to add an auto-connect WiFi network without the user's consent due to a missing permission check.

7.8
2022-03-30 CVE-2021-39771 Google Improper Input Validation vulnerability in Google Android 12.1

In Settings, there is a possible way to misrepresent which app wants to add a wifi network due to improper input validation.

7.8
2022-03-30 CVE-2021-39776 Google Use After Free vulnerability in Google Android 12.0

In NFC, there is a possible memory corruption due to a use after free.

7.8
2022-03-30 CVE-2021-39780 Google Incorrect Default Permissions vulnerability in Google Android 12.0

In Traceur, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check.

7.8
2022-03-30 CVE-2021-39781 Google Unspecified vulnerability in Google Android 12.0

In SmsController, there is a possible information disclosure due to a permissions bypass.

7.8
2022-03-30 CVE-2021-39782 Google Improper Privilege Management vulnerability in Google Android 12.0

In Telephony, there is a possible unauthorized modification of the PLMN SIM file due to a missing permission check.

7.8
2022-03-30 CVE-2021-39783 Google Improper Privilege Management vulnerability in Google Android 12.0

In rcsservice, there is a possible way to modify TTY mode due to a missing permission check.

7.8
2022-03-30 CVE-2021-39784 Google Improper Privilege Management vulnerability in Google Android 12.0

In CellBroadcastReceiver, there is a possible path to enable specific cellular features due to a missing permission check.

7.8
2022-03-30 CVE-2021-39787 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 12.0

In SystemUI, there is a possible arbitrary Activity launch due to a confused deputy.

7.8
2022-03-30 CVE-2021-39789 Google Incorrect Authorization vulnerability in Google Android 12.1

In Telecom, there is a possible leak of TTY mode change due to a missing permission check.

7.8
2022-03-30 CVE-2021-39790 Google Incorrect Authorization vulnerability in Google Android 12.1

In Dialer, there is a possible way to manipulate visual voicemail settings due to a missing permission check.

7.8
2022-03-30 CVE-2022-0998 Linux
Netapp
Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function.

7.8
2022-03-30 CVE-2022-20002 Google Missing Authorization vulnerability in Google Android 12.1

In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check.

7.8
2022-03-30 CVE-2022-22996 Westerndigital Uncontrolled Search Path Element vulnerability in Westerndigital products

The G-RAID 4/8 Software Utility setups for Windows were affected by a DLL hijacking vulnerability.

7.8
2022-03-30 CVE-2022-1154 VIM
Fedoraproject
Debian
Oracle
Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.
7.8
2022-03-30 CVE-2022-23868 Ruoyi Improper Neutralization of Formula Elements in a CSV File vulnerability in Ruoyi 4.7.2

RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.

7.8
2022-03-30 CVE-2022-27815 Waycrate Link Following vulnerability in Waycrate Swhkd 1.1.5

SWHKD 1.1.5 unsafely uses the /tmp/swhkd.pid pathname.

7.8
2022-03-29 CVE-2022-26839 Deltaww Incorrect Default Permissions vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace existing executable files.

7.8
2022-03-29 CVE-2022-0343 Google Unspecified vulnerability in Google Perfetto

A local attacker, as a different local user, may be able to send a HTTP request to 127.0.0.1:10000 after the user (typically a developer) manually invoked the ./tools/run-dev-server script.

7.8
2022-03-29 CVE-2022-1055 Linux
Redhat
Fedoraproject
Canonical
Netapp
Use After Free vulnerability in multiple products

A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation.

7.8
2022-03-28 CVE-2022-26259 Xiongmaitech Classic Buffer Overflow vulnerability in Xiongmaitech products

A buffer over flow in Xiongmai DVR devices NBD80X16S-KL, NBD80X09S-KL, NBD80X08S-KL, NBD80X09RA-KL, AHB80X04R-MH, AHB80X04R-MH-V2, AHB80X04-R-MH-V3, AHB80N16T-GS, AHB80N32F4-LME, and NBD90S0VT-QW allows attackers to cause a Denial of Service (DoS) via a crafted RSTP request.

7.8
2022-04-01 CVE-2022-0425 Gitlab Server-Side Request Forgery (SSRF) vulnerability in Gitlab

A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks.

7.6
2022-03-28 CVE-2022-24789 Orckestra Unspecified vulnerability in Orckestra C1 CMS

C1 CMS is an open-source, .NET based Content Management System (CMS).

7.6
2022-04-03 CVE-2022-26233 Barco Path Traversal vulnerability in Barco Control Room Management Suite

Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components.

7.5
2022-04-03 CVE-2021-30062 Belden
Schneider Electric
On Schneider Electric ConneXium Tofino OPCLSM TCSEFM0000 before 03.23 and Belden Tofino Xenon Security Appliance, crafted OPC packets can bypass the OPC enforcer.
7.5
2022-04-03 CVE-2021-30063 Belden
Schneider Electric
On Schneider Electric ConneXium Tofino OPCLSM TCSEFM0000 before 03.23 and Belden Tofino Xenon Security Appliance, crafted OPC packets can cause an OPC enforcer denial of service.
7.5
2022-04-03 CVE-2021-30065 Belden
Schneider Electric
On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, crafted ModBus packets can bypass the ModBus enforcer.
7.5
2022-04-03 CVE-2022-28380 RC Httpd Project Path Traversal vulnerability in Rc-Httpd Project Rc-Httpd

The rc-httpd component through 2022-03-31 for 9front (Plan 9 fork) allows ..%2f directory traversal if serve-static is used.

7.5
2022-04-02 CVE-2022-28355 Scala JS Use of Insufficiently Random Values vulnerability in Scala-Js Scala.Js

randomUUID in Scala.js before 1.10.0 generates predictable values.

7.5
2022-04-01 CVE-2019-14839 Redhat Information Exposure vulnerability in Redhat products

It was observed that while login into Business-central console, HTTP request discloses sensitive information like username and password when intercepted using some tool like burp suite etc.

7.5
2022-04-01 CVE-2020-25691 Unix4Lyfe Improper Handling of Exceptional Conditions vulnerability in Unix4Lyfe Darkhttpd 1.13/1.131

A flaw was found in darkhttpd.

7.5
2022-04-01 CVE-2021-22277 ABB Improper Input Validation vulnerability in ABB products

Improper Input Validation vulnerability in ABB 800xA, Control Software for AC 800M, Control Builder Safe, Compact Product Suite - Control and I/O, ABB Base Software for SoftControl allows an attacker to cause the denial of service.

7.5
2022-04-01 CVE-2021-28504 Arista Incorrect Authorization vulnerability in Arista EOS

On Arista Strata family products which have “TCAM profile” feature enabled when Port IPv4 access-list has a rule which matches on “vxlan” as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not match on IP protocol field as expected.

7.5
2022-04-01 CVE-2021-32937 Auvesy MDT Information Exposure Through an Error Message vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform

An attacker can gain knowledge of a session temporary working folder where the getfile and putfile commands are used in MDT AutoSave versions prior to v6.02.06.

7.5
2022-04-01 CVE-2021-32945 Auvesy MDT Inadequate Encryption Strength vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform

An attacker could decipher the encryption and gain access to MDT AutoSave versions prior to v6.02.06.

7.5
2022-04-01 CVE-2021-32949 Auvesy MDT Path Traversal vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform

An attacker could utilize a function in MDT AutoSave versions prior to v6.02.06 that permits changing a designated path to another path and traversing the directory, allowing the replacement of an existing file with a malicious file.

7.5
2022-04-01 CVE-2021-32957 Auvesy MDT SQL Injection vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform

A function in MDT AutoSave versions prior to v6.02.06 is used to retrieve system information for a specific process, and this information collection executes multiple commands and summarizes the information into an XML.

7.5
2022-04-01 CVE-2021-32961 Auvesy MDT Unrestricted Upload of File with Dangerous Type vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform

A getfile function in MDT AutoSave versions prior to v6.02.06 enables a user to supply an optional parameter, resulting in the processing of a request in a special manner.

7.5
2022-04-01 CVE-2021-32968 Moxa Classic Buffer Overflow vulnerability in Moxa products

Two buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O Series firmware version 2.2 or earlier may allow a remote attacker to cause a denial-of-service condition.

7.5
2022-04-01 CVE-2021-32970 Moxa Improper Input Validation vulnerability in Moxa products

Data can be copied without validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier, which may allow a remote attacker to cause denial-of-service conditions.

7.5
2022-04-01 CVE-2021-33018 Philips Use of a Broken or Risky Cryptographic Algorithm vulnerability in Philips products

The use of a broken or risky cryptographic algorithm in Philips Vue PACS versions 12.2.x.x and prior is an unnecessary risk that may result in the exposure of sensitive information.

7.5
2022-04-01 CVE-2021-33020 Philips Operation on a Resource after Expiration or Release vulnerability in Philips products

Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

7.5
2022-04-01 CVE-2021-33022 Philips Cleartext Transmission of Sensitive Information vulnerability in Philips products

Philips Vue PACS versions 12.2.x.x and prior transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

7.5
2022-04-01 CVE-2021-33024 Philips Insufficiently Protected Credentials vulnerability in Philips products

Philips Vue PACS versions 12.2.x.x and prior transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval.

7.5
2022-04-01 CVE-2021-39908 Gitlab Code Injection vulnerability in Gitlab

In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.

7.5
2022-04-01 CVE-2022-0741 Gitlab Improper Encoding or Escaping of Output vulnerability in Gitlab

Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses.

7.5
2022-04-01 CVE-2022-1068 Modbustools Out-of-bounds Write vulnerability in Modbustools Modbus Slave

Modbus Tools Modbus Slave (versions 7.4.2 and prior) is vulnerable to a stack-based buffer overflow in the registration field.

7.5
2022-04-01 CVE-2022-22327 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 7.0.5, 7.1.0, 7.1.1, and 7.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2022-04-01 CVE-2022-22332 IBM Operation on a Resource after Expiration or Release vulnerability in IBM Partner Engagement Manager 6.2.0

IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to missing revocation mechanism for the JWT token.

7.5
2022-04-01 CVE-2021-30328 Qualcomm Reachable Assertion vulnerability in Qualcomm products

Possible assertion due to improper validation of invalid NR CSI-IM resource configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

7.5
2022-04-01 CVE-2021-30329 Qualcomm Reachable Assertion vulnerability in Qualcomm products

Possible assertion due to improper validation of TCI configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

7.5
2022-04-01 CVE-2021-30332 Qualcomm Reachable Assertion vulnerability in Qualcomm products

Possible assertion due to improper validation of OTA configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

7.5
2022-03-31 CVE-2022-24758 Jupyter Unspecified vulnerability in Jupyter Notebook

The Jupyter notebook is a web-based notebook environment for interactive computing.

7.5
2022-03-31 CVE-2022-24798 Internet Routing Registry Daemon Project Improper Cross-boundary Removal of Sensitive Data vulnerability in Internet Routing Registry Daemon Project Internet Routing Registry Daemon 4.2.0/4.2.1/4.2.2

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format.

7.5
2022-03-31 CVE-2021-37517 Dolibarr Incorrect Authorization vulnerability in Dolibarr Erp/Crm 13.0.2

An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service.

7.5
2022-03-31 CVE-2022-1176 Livehelperchat Unspecified vulnerability in Livehelperchat Live Helper Chat

Loose comparison causes IDOR on multiple endpoints in GitHub repository livehelperchat/livehelperchat prior to 3.96.

7.5
2022-03-31 CVE-2021-43663 Totolink Command Injection vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.140B20210429

totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component cloudupdate_check.

7.5
2022-03-30 CVE-2022-24790 Puma
Debian
Fedoraproject
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications.
7.5
2022-03-30 CVE-2022-24763 Pjsip
Debian
PJSIP is a free and open source multimedia communication library written in the C language.
7.5
2022-03-30 CVE-2022-24132 Phpshe Unspecified vulnerability in PHPshe 1.8

phpshe V1.8 is affected by a denial of service (DoS) attack in the registry's verification code, which can paralyze the target service.

7.5
2022-03-30 CVE-2022-22772 Tibco Unspecified vulnerability in Tibco Managed File Transfer Platform Server

The cfsend, cfrecv, and CyberResp components of TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for UNIX and TIBCO Managed File Transfer Platform Server for z/Linux contain a difficult to exploit Remote Code Execution (RCE) vulnerability that allows a low privileged attacker with network access to execute arbitrary code on the affected system.

7.5
2022-03-30 CVE-2021-39762 Google Integer Overflow or Wraparound vulnerability in Google Android 12.1

In tremolo, there is a possible out of bounds read due to an integer overflow.

7.5
2022-03-30 CVE-2022-23793 Joomla Path Traversal vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0.

7.5
2022-03-30 CVE-2022-25598 Apache Unspecified vulnerability in Apache Dolphinscheduler

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

7.5
2022-03-30 CVE-2020-24771 Nexusphp Incorrect Authorization vulnerability in Nexusphp 1.5

Incorrect access control in NexusPHP 1.5.beta5.20120707 allows unauthorized attackers to access published content.

7.5
2022-03-30 CVE-2022-26948 RSA Insufficiently Protected Credentials vulnerability in RSA Archer

The Archer RSS feed integration for Archer 6.x through 6.9 SP1 (6.9.1.0) is affected by an insecure credential storage vulnerability.

7.5
2022-03-29 CVE-2021-43109 Puneethreddyhc Online Shopping System Project SQL Injection vulnerability in Puneethreddyhc Online-Shopping-System Project Puneethreddyhc Online-Shopping-System

An SQL Injection vulnerability exits in PuneethReddyHC online-shopping-system as of 11/01/2021 via the p parameter in product.php.

7.5
2022-03-29 CVE-2022-25347 Deltaww Path Traversal vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system.

7.5
2022-03-29 CVE-2021-44081 Open5Gs Out-of-bounds Write vulnerability in Open5Gs 2.1.4

A buffer overflow vulnerability exists in the AMF of open5gs 2.1.4.

7.5
2022-03-29 CVE-2022-28142 Jenkins Improper Certificate Validation vulnerability in Jenkins Proxmox

Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues.

7.5
2022-03-29 CVE-2022-1077 TEM Forced Browsing vulnerability in TEM Flex-1080 Firmware and Flex-1085 Firmware

A vulnerability was found in TEM FLEX-1080 and FLEX-1085 1.6.0.

7.5
2022-03-29 CVE-2022-23937 Windriver Out-of-bounds Read vulnerability in Windriver Vxworks 6.9/7.0

In Wind River VxWorks 6.9 and 7, a specific crafted packet may lead to an out-of-bounds read during an IKE initial exchange scenario.

7.5
2022-03-29 CVE-2021-44581 Kreado SQL Injection vulnerability in Kreado Kreasfero 1.5

An SQL Injection vulnerabilty exists in Kreado Kreasfero 1.5 via the id parameter.

7.5
2022-03-28 CVE-2017-20016 Weka Allocation of Resources Without Limits or Throttling vulnerability in Weka Interest Security Scanner 1.8

A vulnerability has been found in WEKA INTEREST Security Scanner up to 1.8 and classified as problematic.

7.5
2022-03-28 CVE-2022-0738 Gitlab Insufficiently Protected Credentials vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2.

7.5
2022-03-28 CVE-2022-27658 SAP Unspecified vulnerability in SAP Innovation Management 2.0

Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks.

7.5
2022-03-28 CVE-2021-44124 Hiby Path Traversal vulnerability in Hiby R3 PRO Firmware 1.5/1.6

Hiby Music Hiby OS R3 Pro 1.5 and 1.6 is vulnerable to Directory Traversal.

7.5
2022-03-28 CVE-2022-26271 74Cms Files or Directories Accessible to External Parties vulnerability in 74Cms 3.4.1

74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php.

7.5
2022-04-03 CVE-2022-0088 Yourls Unspecified vulnerability in Yourls

Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3.

7.4
2022-03-30 CVE-2022-1155 Snipeitapp Unspecified vulnerability in Snipeitapp Snipe-It

Old sessions are not blocked by the login enable function.

7.4
2022-04-01 CVE-2022-1159 Rockwellautomation Code Injection vulnerability in Rockwellautomation products

Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user.

7.2
2022-04-01 CVE-2022-23155 Dell Unrestricted Upload of File with Dangerous Type vulnerability in Dell Wyse Management Suite

Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability.

7.2
2022-03-30 CVE-2021-33523 Softwareag Unspecified vulnerability in Softwareag Mashzone Nextgen 10.7

MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host.

7.2
2022-03-30 CVE-2021-33208 Softwareag XXE vulnerability in Softwareag Mashzone Nextgen 10.7

The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.

7.2
2022-03-30 CVE-2021-33581 Softwareag Server-Side Request Forgery (SSRF) vulnerability in Softwareag Mashzone Nextgen 10.7

MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection.

7.2
2022-03-30 CVE-2022-28223 Tekon Unrestricted Upload of File with Dangerous Type vulnerability in Tekon products

Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.

7.2
2022-03-30 CVE-2021-23850 Bosch Classic Buffer Overflow vulnerability in Bosch products

A specially crafted TCP/IP packet may cause a camera recovery image telnet interface to crash.

7.2
2022-03-30 CVE-2021-23851 Bosch Classic Buffer Overflow vulnerability in Bosch products

A specially crafted TCP/IP packet may cause the camera recovery image web interface to crash.

7.2
2022-03-29 CVE-2022-1032 Craterapp Deserialization of Untrusted Data vulnerability in Craterapp Crater

Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6.

7.2
2022-03-28 CVE-2022-26639 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the DNSServers parameter.

7.2
2022-03-28 CVE-2022-26640 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the minAddress parameter.

7.2
2022-03-28 CVE-2022-26641 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the httpRemotePort parameter.

7.2
2022-03-28 CVE-2022-26642 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16

TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the X_TP_ClonedMACAddress parameter.

7.2
2022-03-28 CVE-2021-43097 Diyhi Code Injection vulnerability in Diyhi BBS 5.3

A Server-side Template Injection (SSTI) vulnerability exists in bbs 5.3 in TemplateManageAction.javawhich could let a malicoius user execute arbitrary code.

7.2
2022-03-28 CVE-2021-43098 Diyhi Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3

A File Upload vulnerability exists in bbs v5.3 via QuestionManageAction.java in a getType function.

7.2
2022-03-28 CVE-2021-43100 Diyhi Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3

A File Upload vulnerability exists in bbs 5.3 is via TopicManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.

7.2
2022-03-28 CVE-2021-43101 Diyhi Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3

A File Upload vulnerability exists in bbs 5.3 is via MembershipCardManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.

7.2
2022-03-28 CVE-2021-43102 Diyhi Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3

A File Upload vulnerability exists in bbs 5.3 is via HelpManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.

7.2
2022-03-28 CVE-2021-43103 Diyhi Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3

A File Upload vulnerability exists in bbs 5.3 is via ForumManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code.

7.2
2022-03-28 CVE-2021-25064 WOW Company Unspecified vulnerability in Wow-Company WOW Countdowns 3.1.2

The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection.

7.2
2022-03-28 CVE-2021-25068 DPL Unspecified vulnerability in DPL Sync Woocommerce Product Feed to Google Shopping 1.2.4

The Sync WooCommerce Product feed to Google Shopping WordPress plugin through 1.2.4 uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard

7.2
2022-04-01 CVE-2021-3461 Redhat Insufficient Session Expiration vulnerability in Redhat Keycloak and Single Sign-On

A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

7.1
2022-04-01 CVE-2022-22331 IBM Authorization Bypass Through User-Controlled Key vulnerability in IBM Partner Engagement Manager 6.2.0

IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR).

7.1
2022-03-30 CVE-2021-3456 Theforeman Incorrect Authorization vulnerability in Theforeman Smart Proxy Salt

An improper authorization handling flaw was found in Foreman.

7.1
2022-03-30 CVE-2022-27816 Waycrate Link Following vulnerability in Waycrate Swhkd 1.1.5

SWHKD 1.1.5 unsafely uses the /tmp/swhks.pid pathname.

7.1

216 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-03 CVE-2021-30066 Belden
Schneider Electric
Improper Verification of Cryptographic Signature vulnerability in multiple products

On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an arbitrary firmware image can be loaded because firmware signature verification (for a USB stick) can be bypassed.

6.8
2022-04-03 CVE-2021-30061 Belden
Schneider Electric
On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, physically proximate attackers can execute code via a crafted file on a USB stick.
6.8
2022-03-28 CVE-2022-0123 Gitlab Improper Certificate Validation vulnerability in Gitlab

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1.

6.8
2022-04-01 CVE-2022-23156 Dell Improper Authentication vulnerability in Dell Wyse Device Agent 14.5.4.1

Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability.

6.7
2022-03-30 CVE-2021-39786 Google Out-of-bounds Write vulnerability in Google Android 12.0

In NFC, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-03-30 CVE-2022-25619 Profelis Command Injection vulnerability in Profelis Sambabox

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code.

6.7
2022-04-01 CVE-2022-1207 Radare Unspecified vulnerability in Radare Radare2

Out-of-bounds read in GitHub repository radareorg/radare2 prior to 5.6.8.

6.6
2022-04-03 CVE-2022-27248 Idearespa Path Traversal vulnerability in Idearespa Reftree

A directory traversal vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint.

6.5
2022-04-03 CVE-2022-1211 Tildearrow Out-of-bounds Write vulnerability in Tildearrow Furnace Dev73

A vulnerability classified as critical has been found in tildearrow Furnace dev73.

6.5
2022-04-03 CVE-2022-1210 Libtiff
Netapp
Improper Resource Shutdown or Release vulnerability in multiple products

A vulnerability classified as problematic was found in LibTIFF 4.3.0.

6.5
2022-04-02 CVE-2022-1201 Mruby Unspecified vulnerability in Mruby

NULL Pointer Dereference in mrb_vm_exec with super in GitHub repository mruby/mruby prior to 3.2.

6.5
2022-04-01 CVE-2021-20295 Qemu Out-of-bounds Read vulnerability in Qemu

It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059).

6.5
2022-04-01 CVE-2021-27493 Philips Unspecified vulnerability in Philips products

Philips Vue PACS versions 12.2.x.x and prior does not ensure or incorrectly ensures structured messages or data are well formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

6.5
2022-04-01 CVE-2022-0922 Philips Missing Authentication for Critical Function vulnerability in Philips E-Alert Firmware 2.1

The software does not perform any authentication for critical system functionality.

6.5
2022-04-01 CVE-2022-22950 Vmware Allocation of Resources Without Limits or Throttling vulnerability in VMWare Spring Framework

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

6.5
2022-04-01 CVE-2022-22404 IBM Allocation of Resources Without Limits or Throttling vulnerability in IBM APP Connect Enterprise Certified Container

IBM App Connect Enterprise Certified Container Dashboard UI (IBM App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0, and 3.1) may be vulnerable to denial of service due to excessive rate limiting.

6.5
2022-03-31 CVE-2022-27963 Netsarang Unquoted Search Path or Element vulnerability in Netsarang Xftp

Xftp 7.0.0088p and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.

6.5
2022-03-31 CVE-2022-27964 Netsarang Unquoted Search Path or Element vulnerability in Netsarang Xmanager 3.0.127/3.0.218/4.0.165

Xmanager v7.0.0096 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.

6.5
2022-03-31 CVE-2022-27965 Netsarang Unquoted Search Path or Element vulnerability in Netsarang Xlpd 7.0.0094

Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.

6.5
2022-03-31 CVE-2022-27966 Netsarang Unquoted Search Path or Element vulnerability in Netsarang Xshell 7

Xshell v7.0.0099 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file.

6.5
2022-03-31 CVE-2022-22311 IBM Improper Input Validation vulnerability in IBM Security Verify Access

IBM Security Verify Access could allow a user, using man in the middle techniques, to obtain sensitive information or possibly change some information due to improper validiation of JWT tokens.

6.5
2022-03-31 CVE-2022-23183 Advancedcustomfields Missing Authorization vulnerability in Advancedcustomfields Advanced Custom Fields

Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.

6.5
2022-03-31 CVE-2021-43662 Totolink Allocation of Resources Without Limits or Throttling vulnerability in Totolink A720R Firmware and Ex300 V2 Firmware

totolink EX300_v2, ver V4.0.3c.140_B20210429 and A720R ,ver V4.1.5cu.470_B20200911 have an issue which causes uncontrolled resource consumption.

6.5
2022-03-30 CVE-2021-46006 Totolink Missing Authentication for Critical Function vulnerability in Totolink A3100R Firmware 5.9C.4577

In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated.

6.5
2022-03-30 CVE-2021-38362 RSA Authorization Bypass Through User-Controlled Key vulnerability in RSA Archer

In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.

6.5
2022-03-30 CVE-2021-45900 Vivoh Improper Authentication vulnerability in Vivoh Webinar Manager

Vivoh Webinar Manager before 3.6.3.0 has improper API authentication.

6.5
2022-03-30 CVE-2021-40644 Oasys Project SQL Injection vulnerability in Oasys Project Oasys 20210907

An SQL Injection vulnerability exists in oasys oa_system as of 9/7/2021 in resources/mappers/notice-mapper.xml.

6.5
2022-03-30 CVE-2021-40645 Jfinaloa Project SQL Injection vulnerability in Jfinaloa Project Jfinaloa 20210907

An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter getHaveDoneTaskDataList method of the FlowTaskController.

6.5
2022-03-30 CVE-2022-23869 Ruoyi Incorrect Permission Assignment for Critical Resource vulnerability in Ruoyi 4.7.2

In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request.

6.5
2022-03-30 CVE-2021-41594 RSA Unspecified vulnerability in RSA Archer

In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint.

6.5
2022-03-30 CVE-2022-26949 RSA Unspecified vulnerability in RSA Archer

Archer 6.x through 6.9 SP2 P1 (6.9.2.1) contains an improper access control vulnerability on attachments.

6.5
2022-03-29 CVE-2022-22948 Vmware Incorrect Default Permissions vulnerability in VMWare Vcenter Server 6.5/6.7/7.0

The vCenter Server contains an information disclosure vulnerability due to improper permission of files.

6.5
2022-03-29 CVE-2021-43701 Cszcms SQL Injection vulnerability in Cszcms CSZ CMS 1.2.9

CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters.

6.5
2022-03-29 CVE-2022-28135 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Instant-Messaging

Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

6.5
2022-03-29 CVE-2022-28141 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Proxmox

Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

6.5
2022-03-29 CVE-2022-28143 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Proxmox

A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.

6.5
2022-03-29 CVE-2022-28144 Jenkins Missing Authorization vulnerability in Jenkins Proxmox

Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters.

6.5
2022-03-29 CVE-2022-28146 Jenkins Path Traversal vulnerability in Jenkins Continuous Integration With Toad Edge

Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps.

6.5
2022-03-29 CVE-2022-28148 Jenkins Path Traversal vulnerability in Jenkins Continuous Integration With Toad Edge

The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files on Windows controllers.

6.5
2022-03-29 CVE-2022-28156 Jenkins Path Traversal vulnerability in Jenkins Pipeline: Phoenix Autotest

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the Jenkins controller to the agent workspace.

6.5
2022-03-29 CVE-2022-28157 Jenkins Path Traversal vulnerability in Jenkins Pipeline: Phoenix Autotest

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server.

6.5
2022-03-29 CVE-2022-28158 Jenkins Missing Authorization vulnerability in Jenkins Pipeline: Phoenix Autotest

A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

6.5
2022-03-29 CVE-2022-28160 Jenkins Exposure of Resource to Wrong Sphere vulnerability in Jenkins Tests Selector

Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller.

6.5
2022-03-29 CVE-2022-24956 Shopware SQL Injection vulnerability in Shopware B2B Suite

An issue was discovered in Shopware B2B-Suite through 4.4.1.

6.5
2022-03-28 CVE-2022-26280 Libarchive
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.

6.5
2022-03-28 CVE-2022-0549 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.

6.5
2022-03-28 CVE-2021-45491 3CX Cleartext Storage of Sensitive Information vulnerability in 3CX

3CX System through 2022-03-17 stores cleartext passwords in a database.

6.5
2022-04-01 CVE-2022-22328 IBM Unspecified vulnerability in IBM Partner Engagement Manager 6.2.0

IBM SterlingPartner Engagement Manager 6.2.0 could allow a malicious user to elevate their privileges and perform unintended operations to another users data.

6.2
2022-04-03 CVE-2022-28378 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS

Craft CMS before 3.7.29 allows XSS.

6.1
2022-04-01 CVE-2022-21830 Rocket Chat Cross-site Scripting vulnerability in Rocket.Chat Livechat

A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance.

6.1
2022-04-01 CVE-2022-24181 Public Knowledge Project Cross-site Scripting vulnerability in Public Knowledge Project Open Journal Systems

Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitary code via the X-Forwarded-Host Header.

6.1
2022-03-31 CVE-2022-24794 Auth0 Unspecified vulnerability in Auth0 Express Openid Connect

Express OpenID Connect is an Express JS middleware implementing sign on for Express web apps using OpenID Connect.

6.1
2022-03-31 CVE-2021-43707 Maccms Cross-site Scripting vulnerability in Maccms 10.0

Cross Site Scripting (XSS) vulnerability exists in Maccms v10 via link_Name parameter.

6.1
2022-03-31 CVE-2021-20729 Netgate
Pfsense
Cross-site Scripting vulnerability in multiple products

Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.

6.1
2022-03-31 CVE-2022-27496 Zero Channel Plus Project Cross-site Scripting vulnerability in Zero-Channel Plus Project Zero-Channel Plus

Cross-site scripting vulnerability in Zero-channel BBS Plus v0.7.4 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.

6.1
2022-03-31 CVE-2021-43661 Totolink Cross-site Scripting vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.140B20210429

totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /home.asp.

6.1
2022-03-30 CVE-2022-26644 Banking System Project Cross-site Scripting vulnerability in Banking System Project Banking System 1.0

Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management.

6.1
2022-03-30 CVE-2022-24135 Qingscan Project Cross-site Scripting vulnerability in Qingscan Project Qingscan 1.3.0

QingScan 1.3.0 is affected by Cross Site Scripting (XSS) vulnerability in all search functions.

6.1
2022-03-30 CVE-2022-23796 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.7.0 through 3.10.6.

6.1
2022-03-30 CVE-2022-23798 Joomla Open Redirect vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0.

6.1
2022-03-30 CVE-2022-23800 Joomla Cross-site Scripting vulnerability in Joomla Joomla! 4.0.0

An issue was discovered in Joomla! 4.0.0 through 4.1.0.

6.1
2022-03-30 CVE-2022-23801 Joomla Cross-site Scripting vulnerability in Joomla Joomla! 4.0.0

An issue was discovered in Joomla! 4.0.0 through 4.1.0.

6.1
2022-03-30 CVE-2022-24131 Douco Cross-site Scripting vulnerability in Douco Douphp 1.6

DouPHP v1.6 Release 20220121 is affected by Cross Site Scripting (XSS) through /admin/login.php in the background, which will lead to JavaScript code execution.

6.1
2022-03-30 CVE-2022-28202 Mediawiki
Fedoraproject
Debian
Cross-site Scripting vulnerability in multiple products

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2.

6.1
2022-03-30 CVE-2022-26950 RSA Open Redirect vulnerability in RSA Archer

Archer 6.x through 6.9 P2 (6.9.0.2) is affected by an open redirect vulnerability.

6.1
2022-03-30 CVE-2022-26951 RSA Cross-site Scripting vulnerability in RSA Archer

Archer 6.x through 6.10 (6.10.0.0) contains a reflected XSS vulnerability.

6.1
2022-03-29 CVE-2021-42970 Cxuu Cross-site Scripting vulnerability in Cxuu Cxuucms 3.0

Cross Site Scripting (XSS) vulnerability exists in cxuucms v3 via the imgurl of /feedback/post/ content parameter.

6.1
2022-03-29 CVE-2022-1076 Automatic Question Paper Generator System Project Cross-site Scripting vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0

A vulnerability was found in Automatic Question Paper Generator System 1.0.

6.1
2022-03-29 CVE-2022-1079 ONE Church Management System Project Cross-site Scripting vulnerability in ONE Church Management System Project ONE Church Management System 1.0

A vulnerability classified as problematic has been found in SourceCodester One Church Management System.

6.1
2022-03-29 CVE-2022-1081 Microfinance Management System Project Cross-site Scripting vulnerability in Microfinance Management System Project Microfinance Management System 1.0

A vulnerability was found in SourceCodester Microfinance Management System 1.0.

6.1
2022-03-29 CVE-2022-1085 Cltphp Cross-site Scripting vulnerability in Cltphp 6.0

A vulnerability was found in CLTPHP up to 6.0.

6.1
2022-03-28 CVE-2003-5003 IBM Cross-site Scripting vulnerability in IBM ISS Blackice PC Protection

A vulnerability was found in ISS BlackICE PC Protection.

6.1
2022-03-28 CVE-2005-10001 Broadcom Open Redirect vulnerability in Broadcom Symantec Siteminder 4.5.0/4.5.1

A vulnerability was found in Netegrity SiteMinder up to 4.5.1 and classified as critical.

6.1
2022-03-28 CVE-2008-10001 Pro2Col Cross-site Scripting vulnerability in Pro2Col Stingray FTS

A vulnerability, which was classified as problematic, has been found in Pro2col Stingray FTS.

6.1
2022-03-28 CVE-2022-0283 Gitlab Open Redirect vulnerability in Gitlab

An issue has been discovered affecting GitLab versions prior to 13.5.

6.1
2022-03-28 CVE-2022-26980 Teampass Cross-site Scripting vulnerability in Teampass 2.1.26

Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO.

6.1
2022-03-28 CVE-2021-24746 Heateor Unspecified vulnerability in Heateor Sassy Social Share

The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue.

6.1
2022-03-28 CVE-2021-25012 Popozure Unspecified vulnerability in Popozure Pz-Linkcard

The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and escape multiple parameters before outputting them back in admin dashboard pages, leading to Reflected Cross-Site Scripting issues

6.1
2022-03-28 CVE-2021-25071 Inpsyde Unspecified vulnerability in Inpsyde Akismet Privacy Policies 2.0.1

The WordPress plugin through 2.0.1 does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

6.1
2022-03-28 CVE-2022-0599 Mapping Multiple Urls Redirect Same Page Project Unspecified vulnerability in Mapping multiple Urls Redirect Same Page Project Mapping multiple Urls Redirect Same Page

The Mapping Multiple URLs Redirect Same Page WordPress plugin through 5.8 does not sanitize and escape the mmursp_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0600 Myceliumdesign Unspecified vulnerability in Myceliumdesign Conference Scheduler

The Conference Scheduler WordPress plugin before 2.4.3 does not sanitize and escape the tab parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0619 Database Peek Project Cross-site Scripting vulnerability in Database Peek Project Database Peek 1.0/1.1/1.2

The Database Peek WordPress plugin through 1.2 does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0620 Deleteoldorders Project Unspecified vulnerability in Deleteoldorders Project Delete OLD Orders 0.2

The Delete Old Orders WordPress plugin through 0.2 does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0621 Dtabs Project Unspecified vulnerability in Dtabs Project Dtabs 1.4

The dTabs WordPress plugin through 1.4 does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0641 AYS PRO Unspecified vulnerability in Ays-Pro Popup Like BOX

The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0643 Bank Mellat Project Unspecified vulnerability in Bank Mellat Project Bank Mellat 1.0/1.3.5/1.3.7

The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0647 Bulk Creator Project Unspecified vulnerability in Bulk Creator Project Bulk Creator

The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and escape the post_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

6.1
2022-03-28 CVE-2022-0680 Plezi Cross-site Scripting vulnerability in Plezi

The Plezi WordPress plugin before 1.0.3 has a REST endpoint allowing unauthenticated users to update the plz_configuration_tracker_enable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue

6.1
2022-03-28 CVE-2022-0818 Yithemes Unspecified vulnerability in Yithemes Woocommerce Affiliate

The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin.

6.1
2022-03-28 CVE-2021-43721 Leanote Cross-site Scripting vulnerability in Leanote 2.7.0

Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markdown type note.

6.1
2022-03-28 CVE-2021-43725 Spotweb Project Cross-site Scripting vulnerability in Spotweb Project Spotweb

There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter.

6.1
2022-03-28 CVE-2021-44212 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5

OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring.

6.1
2022-03-28 CVE-2021-44213 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5

OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message.

6.1
2022-03-28 CVE-2021-44208 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5

OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat.

6.1
2022-03-28 CVE-2021-44209 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5

OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO.

6.1
2022-03-28 CVE-2021-44210 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5

OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data.

6.1
2022-04-01 CVE-2022-25160 Mitsubishielectric Cleartext Storage of Sensitive Information vulnerability in Mitsubishielectric products

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions and Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions allows a remote unauthenticated attacker to disclose a file in a legitimate user's product by using previously eavesdropped cleartext information and to counterfeit a legitimate user’s system.

5.9
2022-04-01 CVE-2022-0489 Gitlab Resource Exhaustion vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15 .

5.7
2022-04-03 CVE-2022-28388 Linux
Debian
Fedoraproject
Netapp
Double Free vulnerability in multiple products

usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free.

5.5
2022-04-03 CVE-2022-28389 Linux
Fedoraproject
Debian
Netapp
Double Free vulnerability in multiple products

mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.

5.5
2022-04-02 CVE-2022-28356 Linux
Debian
In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.
5.5
2022-04-01 CVE-2021-27223 Kaspersky Unspecified vulnerability in Kaspersky products

A denial-of-service issue existed in one of modules that was incorporated in Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security.

5.5
2022-04-01 CVE-2022-1018 Rockwellautomation XXE vulnerability in Rockwellautomation products

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file.

5.5
2022-04-01 CVE-2021-30331 Qualcomm Classic Buffer Overflow vulnerability in Qualcomm products

Possible buffer overflow due to improper data validation of external commands sent via DIAG interface in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

5.5
2022-03-30 CVE-2021-39740 Google Improper Input Validation vulnerability in Google Android 12.1

In Messaging, there is a possible way to bypass attachment restrictions due to improper input validation.

5.5
2022-03-30 CVE-2021-39742 Google Missing Authorization vulnerability in Google Android 12.1

In Voicemail, there is a possible way to retrieve a trackable identifier due to a missing permission check.

5.5
2022-03-30 CVE-2021-39744 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39745 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39747 Google Incorrect Default Permissions vulnerability in Google Android 12.1

In Settings Provider, there is a possible way to list values of non-readable global settings due to a permissions bypass.

5.5
2022-03-30 CVE-2021-39748 Google Incorrect Default Permissions vulnerability in Google Android 12.1

In InputMethodEditor, there is a possible way to access some files accessible to Settings due to an unsafe PendingIntent.

5.5
2022-03-30 CVE-2021-39751 Google Missing Authorization vulnerability in Google Android 12.1

In Settings, there is a possible way to read Bluetooth device names without proper permissions due to a missing permission check.

5.5
2022-03-30 CVE-2021-39753 Google Missing Authorization vulnerability in Google Android 12.1

In DomainVerificationService, there is a possible way to access app domain verification information due to a missing permission check.

5.5
2022-03-30 CVE-2021-39754 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In ContextImpl, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39755 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In DevicePolicyManager, there is a possible way to reveal the existence of an installed package without proper query permissions due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39756 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In Framework, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39757 Google Unspecified vulnerability in Google Android 12.1

In PermissionController, there is a possible permission bypass due to an unsafe PendingIntent.

5.5
2022-03-30 CVE-2021-39760 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In AudioService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39761 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In Media, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39765 Google Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 12.1

In Gallery, there is a possible permission bypass due to a confused deputy.

5.5
2022-03-30 CVE-2021-39766 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In Settings, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39769 Google Incorrect Default Permissions vulnerability in Google Android 12.1

In Device Policy, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check.

5.5
2022-03-30 CVE-2021-39770 Google Incorrect Default Permissions vulnerability in Google Android 12.1

In Framework, there is a possible disclosure of the device owner package due to a missing permission check.

5.5
2022-03-30 CVE-2021-39773 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.0

In VpnManagerService, there is a possible disclosure of installed VPN packages due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39774 Google Out-of-bounds Read vulnerability in Google Android 12.0

In Bluetooth, there is a possible out of bounds read due to a missing bounds check.

5.5
2022-03-30 CVE-2021-39775 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.0

In People, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39777 Google Exposure of Resource to Wrong Sphere vulnerability in Google Android 12.0

In Telephony, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check.

5.5
2022-03-30 CVE-2021-39778 Google Improper Input Validation vulnerability in Google Android 12.0

In Telecomm, there is a possible way to determine whether an app is installed, without query permissions, due to improper input validation.

5.5
2022-03-30 CVE-2021-39779 Google Incorrect Default Permissions vulnerability in Google Android 12.0

In getCallStateUsingPackage of Telecom Service, there is a missing permission check.

5.5
2022-03-30 CVE-2021-39788 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In TelecomManager, there is a possible way to check if a particular self managed phone account was registered on the device due to side channel information disclosure.

5.5
2022-03-30 CVE-2021-39791 Google Information Exposure Through Discrepancy vulnerability in Google Android 12.1

In WallpaperManagerService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.

5.5
2022-03-29 CVE-2022-1122 Uclouvain
Fedoraproject
Debian
A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files.
5.5
2022-03-29 CVE-2021-22572 Google Exposure of Resource to Wrong Sphere vulnerability in Google Data Transfer Project

On unix-like systems, the system temporary directory is shared between all users on that system.

5.5
2022-03-28 CVE-2022-26296 Boom Core Unspecified vulnerability in Boom-Core Risvc-Boom

BOOM: The Berkeley Out-of-Order RISC-V Processor commit d77c2c3 was discovered to allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

5.5
2022-03-28 CVE-2022-26291 Long Range ZIP Project
Debian
Use After Free vulnerability in multiple products

lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist().

5.5
2022-03-28 CVE-2010-10001 Shemes Improper Resource Shutdown or Release vulnerability in Shemes Grabit

A vulnerability, which was classified as problematic, was found in Shemes GrabIt up to 1.7.2 Beta 4.

5.5
2022-03-28 CVE-2017-20011 Weka Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8

A vulnerability was found in WEKA INTEREST Security Scanner 1.8.

5.5
2022-03-28 CVE-2017-20012 Weka Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8

A vulnerability classified as problematic has been found in WEKA INTEREST Security Scanner up to 1.8.

5.5
2022-03-28 CVE-2017-20013 Weka Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8

A vulnerability classified as problematic was found in WEKA INTEREST Security Scanner up to 1.8.

5.5
2022-03-28 CVE-2017-20014 Weka Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8

A vulnerability, which was classified as problematic, has been found in WEKA INTEREST Security Scanner up to 1.8.

5.5
2022-03-28 CVE-2017-20015 Weka Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8

A vulnerability, which was classified as problematic, was found in WEKA INTEREST Security Scanner up to 1.8.

5.5
2022-03-28 CVE-2022-1056 Libtiff
Netapp
Out-of-bounds Read vulnerability in multiple products

Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file.

5.5
2022-03-28 CVE-2015-10002 Kiddoware Unspecified vulnerability in Kiddoware Kids Place

A vulnerability classified as problematic has been found in Kiddoware Kids Place.

5.5
2022-03-28 CVE-2022-27950 Linux Memory Leak vulnerability in Linux Kernel

In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition.

5.5
2022-04-01 CVE-2021-23287 Eaton Cross-site Scripting vulnerability in Eaton Intelligent Power Manager 1.6/1.67/1.69

The vulnerability exists due to insufficient validation of input of certain resources within the IPM software.

5.4
2022-03-31 CVE-2021-43478 Hoosk Unspecified vulnerability in Hoosk 1.8.0

A vulnerability exists in Hoosk 1.8.0 in /install/index.php, due to a failure to check if config.php already exists in the root directory, which could let a malicious user reinstall the website.

5.4
2022-03-31 CVE-2021-43505 Simple Client Management System Project Cross-site Scripting vulnerability in Simple Client Management System Project Simple Client Management System 1.0

Multiple Cross Site Scripting (XSS) vulnerabilities exist in Ssourcecodester Simple Client Management System v1 via (1) Add new Client and (2) Add new invoice.

5.4
2022-03-31 CVE-2022-0350 B3Log Unspecified vulnerability in B3Log Vditor

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.13.

5.4
2022-03-30 CVE-2022-23136 ZTE Cross-site Scripting vulnerability in ZTE Zxhn F680 Firmware 6.0.10P3N20

There is a stored XSS vulnerability in ZTE home gateway product.

5.4
2022-03-30 CVE-2022-1178 Open EMR Unspecified vulnerability in Open-Emr Openemr

Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

5.4
2022-03-30 CVE-2022-1179 Open EMR Unspecified vulnerability in Open-Emr Openemr

Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

5.4
2022-03-30 CVE-2022-1181 Open EMR Unspecified vulnerability in Open-Emr Openemr

Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2.

5.4
2022-03-30 CVE-2022-26244 Hospital S Patient Records Management System Project Cross-site Scripting vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0

A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "special" field.

5.4
2022-03-30 CVE-2022-26947 RSA Cross-site Scripting vulnerability in RSA Archer

Archer 6.x through 6.9 SP3 (6.9.3.0) contains a reflected XSS vulnerability.

5.4
2022-03-29 CVE-2022-28133 Jenkins Cross-site Scripting vulnerability in Jenkins Bitbucket Server Integration

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers.

5.4
2022-03-29 CVE-2022-28134 Jenkins Missing Authorization vulnerability in Jenkins Bitbucket Server Integration

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.

5.4
2022-03-29 CVE-2022-28145 Jenkins Cross-site Scripting vulnerability in Jenkins Continuous Integration With Toad Edge

Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or otherwise able to control report contents.

5.4
2022-03-29 CVE-2022-28149 Jenkins Cross-site Scripting vulnerability in Jenkins JOB and Node Ownership

Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-03-29 CVE-2022-28153 Jenkins Cross-site Scripting vulnerability in Jenkins Sitemonitor

Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-03-29 CVE-2022-28159 Jenkins Cross-site Scripting vulnerability in Jenkins Tests Selector

Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-03-29 CVE-2022-23903 Pearadmin Cross-site Scripting vulnerability in Pearadmin Pear Admin Think 2.1.2

A Cross Site Scripting (XSS) vulnerability exists in pearadmin pear-admin-think <=5.0.6, which allows a login account to access arbitrary functions and cause stored XSS through a fake User-Agent.

5.4
2022-03-29 CVE-2022-1074 TEM Cross-site Scripting vulnerability in TEM Flex-1085 Firmware 1.6.0

A vulnerability has been found in TEM FLEX-1085 1.6.0 and classified as problematic.

5.4
2022-03-29 CVE-2022-1075 College Website Management System Project Cross-site Scripting vulnerability in College Website Management System Project College Website Management System 1.0

A vulnerability was found in College Website Management System 1.0 and classified as problematic.

5.4
2022-03-29 CVE-2022-1086 Dolphinphp Project Cross-site Scripting vulnerability in Dolphinphp Project Dolphinphp

A vulnerability was found in DolphinPHP up to 1.5.0 and classified as problematic.

5.4
2022-03-29 CVE-2022-1087 Htmly Cross-site Scripting vulnerability in Htmly

A vulnerability, which was classified as problematic, has been found in htmly 5.3 whis affects the component Edit Profile Module.

5.4
2022-03-29 CVE-2022-24957 DHC Vision Cross-site Scripting vulnerability in Dhc-Vision Eqms 5.4.8.322

DHC Vision eQMS through 5.4.8.322 has Persistent XSS due to insufficient encoding of untrusted input/output.

5.4
2022-03-29 CVE-2021-45866 Student Attendance Management System Project Cross-site Scripting vulnerability in Student Attendance Management System Project Student Attendance Management System 1.0

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Student Attendance Management System 1.0 via the couse filed in index.php.

5.4
2022-03-28 CVE-2022-0397 Wpclever Unspecified vulnerability in Wpclever WPC Smart Wishlist for Woocommerce

The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.4 does not sanitise and escape the key parameter before outputting it back in the wishlist_quickview AJAX action's response (available to any authenticated user), leading to a Reflected Cross-Site Scripting

5.4
2022-03-28 CVE-2022-0450 Freshlightlab Improper Encoding or Escaping of Output vulnerability in Freshlightlab Menu Image, Icons Made Easy

The Menu Image, Icons made easy WordPress plugin before 3.0.6 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them.

5.4
2022-03-28 CVE-2022-0595 Codedropz Unspecified vulnerability in Codedropz Drag and Drop multiple File Upload - Contact Form 7

The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue

5.4
2022-03-28 CVE-2022-0720 TMS Outsource Unspecified vulnerability in Tms-Outsource Amelia

The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.

5.4
2022-03-28 CVE-2021-44211 Open Xchange Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5

OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature.

5.4
2022-04-01 CVE-2020-14479 Inductiveautomation Missing Authentication for Critical Function vulnerability in Inductiveautomation Ignition

Sensitive information can be obtained through the handling of serialized data.

5.3
2022-03-30 CVE-2022-23794 Joomla Information Exposure Through an Error Message vulnerability in Joomla Joomla!

An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0.

5.3
2022-03-29 CVE-2022-0331 Sophos Unspecified vulnerability in Sophos Sfos

An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older.

5.3
2022-03-28 CVE-2003-5002 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM ISS Blackice PC Protection

A vulnerability was found in ISS BlackICE PC Protection.

5.3
2022-03-28 CVE-2021-4191 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2.

5.3
2022-03-28 CVE-2021-24978 B4After Missing Authorization vulnerability in B4After Osmapper 2.1.5

The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users.

5.3
2022-03-28 CVE-2021-46434 Emqx Unspecified vulnerability in Emqx 3.0.0

EMQ X Dashboard V3.0.0 is affected by username enumeration in the "/api /v3/auth" interface.

5.3
2022-03-28 CVE-2021-26598 Impresscms Improper Authentication vulnerability in Impresscms

ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).

5.3
2022-03-30 CVE-2022-1172 Gpac Unspecified vulnerability in Gpac

Null Pointer Dereference Caused Segmentation Fault in GitHub repository gpac/gpac prior to 2.1.0-DEV.

5.0
2022-04-01 CVE-2021-32503 Sick Resource Exhaustion vulnerability in Sick Ftmg Firmware 2.8

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only.

4.9
2022-03-28 CVE-2021-43099 Diyhi Path Traversal vulnerability in Diyhi BBS 5.3

An Archive Extraction (AKA "Zip Slip) vulnerability exists in bbs 5.3 in the UpgradeNow function in UpgradeManageAction.java, which unzips the arbitrary upladed zip file without checking filenames.

4.9
2022-03-28 CVE-2022-0493 String Locator Project Unspecified vulnerability in String Locator Project String Locator

The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector.

4.9
2022-04-03 CVE-2022-28379 Nginxproxymanager Cross-site Scripting vulnerability in Nginxproxymanager Nginx Proxy Manager

jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion.

4.8
2022-04-02 CVE-2022-28352 Weechat Improper Certificate Validation vulnerability in Weechat

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate.

4.8
2022-04-01 CVE-2021-23288 Eaton Cross-site Scripting vulnerability in Eaton Intelligent Power Protector

The vulnerability exists due to insufficient validation of input from certain resources by the IPP software.

4.8
2022-04-01 CVE-2022-26565 Totaljs Cross-site Scripting vulnerability in Totaljs Content Management System

A cross-site scripting (XSS) vulnerability in Totaljs all versions before commit 95f54a5commit, allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page.

4.8
2022-03-31 CVE-2021-42866 Pixelimity Cross-site Scripting vulnerability in Pixelimity 1.0

A Cross Site Scripting vulnerabilty exists in Pixelimity 1.0 via the Site Description field in pixelimity/admin/setting.php

4.8
2022-03-31 CVE-2021-42867 Htmly Cross-site Scripting vulnerability in Htmly 2.8.1

A Cross Site Scripting (XSS) vulnerability exists in DanPros htmly 2.8.1 via the Description field in (1) admin/config, and (2) index.php pages.

4.8
2022-03-31 CVE-2021-42868 Chikitsa Cross-site Scripting vulnerability in Chikitsa Patient Management Software 2.0.2

A Cross Site Scripting (XSS) vulnerability exists in Chikista Patient Management Software 2.0.2 in the first_name parameter in (1) patient/insert, (2) patient_report, (3) appointment_report, (4) visit_report, and (5) bill_detail_report pages.

4.8
2022-03-31 CVE-2021-42869 Chikitsa Cross-site Scripting vulnerability in Chikitsa Patient Management Software 2.0.2

A Cross Site Scripting (XSS) vulnerability exists in Chikista Patient Management Software 2.0.2 via the last_name parameter in the (1) patient/insert, (2) patient_report, (3) /appointment_report, (4) visit_report, and (5) /bill_detail_report pages.

4.8
2022-03-31 CVE-2021-42946 Htmly Cross-site Scripting vulnerability in Htmly 2.8.1

A Cross Site Scripting (XSS) vulnerability exists in htmly.2.8.1 via the Copyright field in the /admin/config page.

4.8
2022-03-30 CVE-2021-44310 Firmware Analysis AND Comparison Tool Project Cross-site Scripting vulnerability in Firmware Analysis and Comparison Tool Project Firmware Analysis and Comparison Tool 3.2

An issue was discovered in Firmware Analysis and Comparison Tool v3.2.

4.8
2022-03-30 CVE-2022-1163 Mineweb Unspecified vulnerability in Mineweb Minewebcms

Cross-site Scripting (XSS) - Stored in GitHub repository mineweb/minewebcms prior to next.

4.8
2022-03-28 CVE-2022-0388 Humananatomyillustrations Unspecified vulnerability in Humananatomyillustrations Interactive Medical Drawing of Human Body 1.0

The Interactive Medical Drawing of Human Body WordPress plugin before 2.6 does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-03-29 CVE-2022-26269 Globalsuzuki Unspecified vulnerability in Globalsuzuki Suzuki Connect 1.0.15

Suzuki Connect v1.0.15 allows attackers to tamper with displayed messages via spoofed CAN messages.

4.6
2022-04-01 CVE-2022-23157 Dell Information Exposure vulnerability in Dell Wyse Device Agent 14.5.4.1

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability.

4.4
2022-04-01 CVE-2022-23158 Dell Information Exposure vulnerability in Dell Wyse Device Agent 14.5.4.1

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability.

4.4
2022-04-03 CVE-2022-0405 Janeczku Unspecified vulnerability in Janeczku Calibre-Web

Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.

4.3
2022-04-03 CVE-2022-0406 Janeczku Incorrect Authorization vulnerability in Janeczku Calibre-Web

Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.

4.3
2022-04-01 CVE-2022-0373 Gitlab Unspecified vulnerability in Gitlab

Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address

4.3
2022-04-01 CVE-2022-0390 Gitlab Missing Authorization vulnerability in Gitlab

Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.

4.3
2022-03-30 CVE-2022-27907 Sonatype Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository Manager

Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF.

4.3
2022-03-30 CVE-2022-1177 Open EMR Incorrect Authorization vulnerability in Open-Emr Openemr

Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.

4.3
2022-03-29 CVE-2022-28137 Jenkins Missing Authorization vulnerability in Jenkins Jiratestresultreporter

A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

4.3
2022-03-29 CVE-2022-28138 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Rocketchat Notifier

A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential.

4.3
2022-03-29 CVE-2022-28139 Jenkins Missing Authorization vulnerability in Jenkins Rocketchat Notifier

A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

4.3
2022-03-29 CVE-2022-28147 Jenkins Missing Authorization vulnerability in Jenkins Continuous Integration With Toad Edge

A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

4.3
2022-03-29 CVE-2022-28151 Jenkins Missing Authorization vulnerability in Jenkins JOB and Node Ownership

A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job.

4.3
2022-03-29 CVE-2022-28152 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins JOB and Node Ownership

A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default ownership of a job.

4.3
2022-03-28 CVE-2021-43105 Technitium Unspecified vulnerability in Technitium DNS Server

A vulnerability in the bailiwick checking function in Technitium DNS Server <= v7.0 exists that allows specific malicious users to inject `NS` records of any domain (even TLDs) into the cache and conduct a DNS cache poisoning attack.

4.3
2022-03-28 CVE-2021-39876 Gitlab Incorrect Authorization vulnerability in Gitlab

In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups.

4.3
2022-03-28 CVE-2022-0344 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1.

4.3
2022-03-28 CVE-2022-0371 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 before 14.5.4, all versions starting from 14.6 before 14.6.4, all versions starting from 14.7 before 14.7.1.

4.3
2022-03-28 CVE-2022-0488 Gitlab Resource Exhaustion vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting with version 8.10.

4.3
2022-03-28 CVE-2022-0833 Church Admin Project Missing Authorization vulnerability in Church Admin Project Church Admin

The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data

4.3

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-01 CVE-2021-20238 Redhat Missing Authentication for Critical Function vulnerability in Redhat products

It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication.

3.7
2022-03-29 CVE-2022-22935 Saltstack Improper Authentication vulnerability in Saltstack Salt

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1.

3.7
2022-03-30 CVE-2022-1180 Open EMR Unspecified vulnerability in Open-Emr Openemr

Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

3.5
2022-03-30 CVE-2020-35501 Linux
Redhat
A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem
3.4
2022-03-30 CVE-2021-39739 Google Information Exposure Through Log Files vulnerability in Google Android 12.1

In ArrayMap, there is a possible leak of the content of SMS messages due to log information disclosure.

3.3
2022-03-28 CVE-2018-25030 Mirmay Race Condition vulnerability in Mirmay File Manager and Secure Private Browser

A vulnerability classified as problematic has been found in Mirmay Secure Private Browser and File Manager up to 2.5.

2.5
2022-03-31 CVE-2022-27049 Raidrive Unspecified vulnerability in Raidrive

Raidrive before v2021.12.35 allows attackers to arbitrarily move log files by pre-creating a mountpoint and log files before Raidrive is installed.

2.0