Weekly Vulnerabilities Reports > March 28 to April 3, 2022
Overview
516 new vulnerabilities reported during this period, including 109 critical vulnerabilities and 184 high severity vulnerabilities. This weekly summary report vulnerabilities in 779 products from 233 vendors including Google, Jenkins, Gitlab, Deltaww, and Qualcomm. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Missing Authorization", "Out-of-bounds Write", and "Path Traversal".
- 376 reported vulnerabilities are remotely exploitables.
- 8 reported vulnerabilities have public exploit available.
- 172 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 288 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 58 reported vulnerabilities.
- Deltaww has the most reported critical vulnerabilities, with 15 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
109 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-04-01 | CVE-2022-22570 | UI | Classic Buffer Overflow vulnerability in UI UA Lite Firmware 3.8.28.20/3.8.28.24 A buffer overflow vulnerability found in the UniFi Door Access Reader Lite’s (UA Lite) firmware (Version 3.8.28.24 and earlier) allows a malicious actor who has gained access to a network to control all connected UA devices. | 10.0 |
2022-03-28 | CVE-2021-46433 | Fenom Project | Unspecified vulnerability in Fenom Project Fenom In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template.php function getTemplateCode()to bypass sandbox to execute arbitrary PHP code when disable_native_funcs is true. | 10.0 |
2022-04-03 | CVE-2021-30064 | Belden Schneider Electric | Use of Hard-coded Credentials vulnerability in multiple products On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an SSH login can succeed with hardcoded default credentials (if the device is in the uncommissioned state). | 9.8 |
2022-04-03 | CVE-2022-28381 | Allmediaserver | Out-of-bounds Write vulnerability in Allmediaserver 1.6 Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932. | 9.8 |
2022-04-03 | CVE-2022-28368 | Dompdf Project | Cross-site Scripting vulnerability in Dompdf Project Dompdf Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file). | 9.8 |
2022-04-01 | CVE-2021-23247 | Oppo | Command Injection vulnerability in Oppo Quick APP 4.5.0 A command injection vulerability found in quick game engine allows arbitrary remote code in quick app. | 9.8 |
2022-04-01 | CVE-2021-26623 | Bandisoft | Out-of-bounds Write vulnerability in Bandisoft Bandizip A remote code execution vulnerability due to incomplete check for 'xheader_decode_path_record' function's parameter length value in the ark library. | 9.8 |
2022-04-01 | CVE-2021-27497 | Philips | Unspecified vulnerability in Philips products Philips Vue PACS versions 12.2.x.x and prior does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. | 9.8 |
2022-04-01 | CVE-2021-27501 | Philips | Unspecified vulnerability in Philips products Philips Vue PACS versions 12.2.x.x and prior does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. | 9.8 |
2022-04-01 | CVE-2021-32933 | Auvesy MDT | OS Command Injection vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform An attacker could leverage an API to pass along a malicious file that could then manipulate the process creation command line in MDT AutoSave versions prior to v6.02.06 and run a command line argument. | 9.8 |
2022-04-01 | CVE-2021-32953 | Auvesy MDT | SQL Injection vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform An attacker could utilize SQL commands to create a new user MDT AutoSave versions prior to v6.02.06 and update the user’s permissions, granting the attacker the ability to login. | 9.8 |
2022-04-01 | CVE-2021-32974 | Moxa | OS Command Injection vulnerability in Moxa products Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands. | 9.8 |
2022-04-01 | CVE-2021-32976 | Moxa | Out-of-bounds Write vulnerability in Moxa products Five buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to initiate a denial-of-service attack and execute arbitrary code. | 9.8 |
2022-04-01 | CVE-2022-22963 | Vmware Oracle | Expression Language Injection vulnerability in multiple products In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | 9.8 |
2022-04-01 | CVE-2022-22965 | Vmware Cisco Oracle Siemens Veritas | Code Injection vulnerability in multiple products A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | 9.8 |
2022-04-01 | CVE-2022-27177 | Netflix | Use of Externally-Controlled Format String vulnerability in Netflix Consoleme A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2 | 9.8 |
2022-04-01 | CVE-2022-27534 | Kaspersky | Unspecified vulnerability in Kaspersky products Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security with antivirus databases released before 12 March 2022 had a bug in a data parsing module that potentially allowed an attacker to execute arbitrary code. | 9.8 |
2022-04-01 | CVE-2022-24066 | Simple GIT Project | Argument Injection or Modification vulnerability in Simple-Git Project Simple-Git The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. | 9.8 |
2022-04-01 | CVE-2022-26562 | Kopano | Improper Authentication vulnerability in Kopano Groupware Core 11.0.2.51 An issue in provider/libserver/ECKrbAuth.cpp of Kopano Core <= v11.0.2.51 contains an issue which allows attackers to authenticate even if the user account or password is expired. | 9.8 |
2022-04-01 | CVE-2022-21223 | Cocoapods | Argument Injection or Modification vulnerability in Cocoapods Cocoapods-Downloader The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. | 9.8 |
2022-04-01 | CVE-2022-24440 | Cocoapods | Argument Injection or Modification vulnerability in Cocoapods Cocoapods-Downloader The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. | 9.8 |
2022-04-01 | CVE-2022-21235 | VCS Project | Argument Injection or Modification vulnerability in VCS Project VCS The package github.com/masterminds/vcs before 1.13.3 are vulnerable to Command Injection via argument injection. | 9.8 |
2022-04-01 | CVE-2021-44135 | Pagekit | SQL Injection vulnerability in Pagekit pagekit all versions, as of 15-10-2021, is vulnerable to SQL Injection via Comment listing. | 9.8 |
2022-04-01 | CVE-2022-24802 | Deepmerge TS Project | Unspecified vulnerability in Deepmerge-Ts Project Deepmerge-Ts deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. | 9.8 |
2022-04-01 | CVE-2022-24803 | Asciidoctor Include EXT Project | Unspecified vulnerability in Asciidoctor-Include-Ext Project Asciidoctor-Include-Ext Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. | 9.8 |
2022-03-31 | CVE-2022-24791 | Bytecodealliance | Unspecified vulnerability in Bytecodealliance Wasmtime Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. | 9.8 |
2022-03-31 | CVE-2022-24796 | Raspberrymatic | Unspecified vulnerability in Raspberrymatic RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. | 9.8 |
2022-03-31 | CVE-2021-43722 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-645 Firmware 1.03 D-Link DIR-645 1.03 A1 is vulnerable to Buffer Overflow. | 9.8 |
2022-03-31 | CVE-2021-43479 | Secretarycms | Unspecified vulnerability in Secretarycms the Secretary 2.5 A Remote Code Execution (RCE) vulnerability exists in The-Secretary 2.5 via install.php. | 9.8 |
2022-03-31 | CVE-2021-43484 | Simple Client Management System Project | SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0 A Remote Code Execution (RCE) vulnerability exists in Simple Client Management System 1.0 in create.php due to the failure to validate the extension of the file being sent in a request. | 9.8 |
2022-03-31 | CVE-2021-43506 | Simple Client Management System Project | SQL Injection vulnerability in Simple Client Management System Project Simple Client Management System 1.0 An SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the password parameter in Login.php. | 9.8 |
2022-03-31 | CVE-2022-24136 | Hospital Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulerability in treatmentrecord.php. | 9.8 |
2022-03-30 | CVE-2021-46007 | Totolink | OS Command Injection vulnerability in Totolink Ar3100R Firmware 5.9C.4577 totolink a3100r V5.9c.4577 is vulnerable to os command injection. | 9.8 |
2022-03-30 | CVE-2021-46009 | Totolink | Missing Authentication for Critical Function vulnerability in Totolink A3100R Firmware 5.9C.4577 In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. | 9.8 |
2022-03-30 | CVE-2022-26645 | Banking System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Banking System Project Banking System 1.0 A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function. | 9.8 |
2022-03-30 | CVE-2022-26646 | Banking System Project | Unspecified vulnerability in Banking System Project Banking System 1.0 Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter. | 9.8 |
2022-03-30 | CVE-2021-43142 | JOX Project | XXE vulnerability in JOX Project JOX 1.16 An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput. | 9.8 |
2022-03-30 | CVE-2019-12266 | Wyze | Out-of-bounds Write vulnerability in Wyze products Stack-based Buffer Overflow vulnerability in Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to run arbitrary code on the affected device. | 9.8 |
2022-03-30 | CVE-2019-9564 | Wyze | Improper Authentication vulnerability in Wyze products A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. | 9.8 |
2022-03-30 | CVE-2022-23795 | Joomla | Improper Authentication vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. | 9.8 |
2022-03-30 | CVE-2022-23797 | Joomla | SQL Injection vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. | 9.8 |
2022-03-30 | CVE-2022-23799 | Joomla | Unspecified vulnerability in Joomla Joomla! 4.0.0 An issue was discovered in Joomla! 4.0.0 through 4.1.0. | 9.8 |
2022-03-30 | CVE-2022-28205 | Mediawiki | Unspecified vulnerability in Mediawiki An issue was discovered in MediaWiki through 1.37.1. | 9.8 |
2022-03-30 | CVE-2022-28206 | Mediawiki | Unspecified vulnerability in Mediawiki An issue was discovered in MediaWiki through 1.37.1. | 9.8 |
2022-03-30 | CVE-2022-28209 | Mediawiki | Unspecified vulnerability in Mediawiki An issue was discovered in Mediawiki through 1.37.1. | 9.8 |
2022-03-30 | CVE-2020-24769 | Nexusphp | SQL Injection vulnerability in Nexusphp 1.5 SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the classes parameter. | 9.8 |
2022-03-30 | CVE-2020-24770 | Nexusphp | SQL Injection vulnerability in Nexusphp 1.5 SQL injection vulnerability in modrules.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 9.8 |
2022-03-30 | CVE-2022-24693 | Baicells | Use of Hard-coded Credentials vulnerability in Baicells Neutrino 430 Firmware and Nova436Q Firmware Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. | 9.8 |
2022-03-29 | CVE-2022-26871 | Trendmicro | Insufficient Verification of Data Authenticity vulnerability in Trendmicro Apex Central and Apex ONE An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution. | 9.8 |
2022-03-29 | CVE-2021-42911 | Draytek | Use of Externally-Controlled Format String vulnerability in Draytek products A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY STRING, which could let a remote malicious user execute arbitrary code. | 9.8 |
2022-03-29 | CVE-2021-43118 | Draytek | Command Injection vulnerability in Draytek products A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING in mainfunction.cgi, which could let a remote malicious user execute arbitrary code. | 9.8 |
2022-03-29 | CVE-2021-43110 | Puneethreddyhc Online Shopping System Project | Unspecified vulnerability in Puneethreddyhc Online-Shopping-System Project Puneethreddyhc Online-Shopping-System An Access Conrol vulnerability exists in PuneethReddyHC online-shopping-system as of 11/01/2021 in add_products. | 9.8 |
2022-03-29 | CVE-2022-0923 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerDialog_KID.ashx. | 9.8 |
2022-03-29 | CVE-2022-25880 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerTag_KID.ashx. | 9.8 |
2022-03-29 | CVE-2022-25980 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerCommon.ashx. | 9.8 |
2022-03-29 | CVE-2022-26013 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_dmdsetHandler.ashx. | 9.8 |
2022-03-29 | CVE-2022-26059 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData. | 9.8 |
2022-03-29 | CVE-2022-26065 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. | 9.8 |
2022-03-29 | CVE-2022-26069 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerPage_KID.ashx. | 9.8 |
2022-03-29 | CVE-2022-26338 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerPageP_KID.ashx. | 9.8 |
2022-03-29 | CVE-2022-26349 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx. | 9.8 |
2022-03-29 | CVE-2022-26514 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_tagHandler.ashx. | 9.8 |
2022-03-29 | CVE-2022-26666 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerECC.ashx. | 9.8 |
2022-03-29 | CVE-2022-26667 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetDemandAnalysisData. | 9.8 |
2022-03-29 | CVE-2022-26836 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. | 9.8 |
2022-03-29 | CVE-2022-26887 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_loopmapHandler.ashx. | 9.8 |
2022-03-29 | CVE-2022-27175 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetCalcTagList. | 9.8 |
2022-03-29 | CVE-2022-23901 | Re2C | Out-of-bounds Write vulnerability in Re2C 2.2 A stack overflow re2c 2.2 exists due to infinite recursion issues in src/dfa/dead_rules.cc. | 9.8 |
2022-03-29 | CVE-2022-1073 | Automatic Question Paper Generator System Project | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0 A vulnerability was found in Automatic Question Paper Generator 1.0. | 9.8 |
2022-03-29 | CVE-2022-1078 | College Website Management System Project | SQL Injection vulnerability in College Website Management System Project College Website Management System 1.0 A vulnerability was found in SourceCodester College Website Management System 1.0. | 9.8 |
2022-03-29 | CVE-2022-1080 | ONE Church Management System Project | SQL Injection vulnerability in ONE Church Management System Project ONE Church Management System 1.0 A vulnerability was found in SourceCodester One Church Management System 1.0. | 9.8 |
2022-03-29 | CVE-2022-1082 | Microfinance Management System Project | SQL Injection vulnerability in Microfinance Management System Project Microfinance Management System 1.0 A vulnerability was found in SourceCodester Microfinance Management System 1.0. | 9.8 |
2022-03-29 | CVE-2022-1083 | Microfinance Management System Project | SQL Injection vulnerability in Microfinance Management System Project Microfinance Management System A vulnerability classified as critical has been found in Microfinance Management System. | 9.8 |
2022-03-29 | CVE-2022-1084 | ONE Church Management System Project | Improper Authentication vulnerability in ONE Church Management System Project ONE Church Management System 1.0 A vulnerability classified as critical was found in SourceCodester One Church Management System 1.0. | 9.8 |
2022-03-29 | CVE-2022-25420 | Nttr | Injection vulnerability in Nttr GOO Blog 1.0 NTT Resonant Incorporated goo blog App Web Application 1.0 is vulnerable to CLRF injection. | 9.8 |
2022-03-29 | CVE-2021-45865 | Student Attendance Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Student Attendance Management System Project Student Attendance Management System 1.0 A File Upload vulnerability exists in Sourcecodester Student Attendance Manageent System 1.0 via the file upload functionality. | 9.8 |
2022-03-29 | CVE-2022-25521 | Nuuo | Use of Hard-coded Credentials vulnerability in Nuuo Network Video Recorder Firmware NUUO v03.11.00 was discovered to contain access control issue. | 9.8 |
2022-03-28 | CVE-2003-5001 | IBM | Unspecified vulnerability in IBM ISS Blackice PC Protection A vulnerability was found in ISS BlackICE PC Protection and classified as critical. | 9.8 |
2022-03-28 | CVE-2022-26278 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21Cn Tenda AC9 v15.03.2.21_cn was discovered to contain a stack overflow via the time parameter in the PowerSaveSet function. | 9.8 |
2022-03-28 | CVE-2022-0735 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. | 9.8 |
2022-03-28 | CVE-2021-25070 | Stopbadbots | Unspecified vulnerability in Stopbadbots Block and Stop BAD Bots The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue | 9.8 |
2022-03-28 | CVE-2022-0479 | Sygnoos | Unspecified vulnerability in Sygnoos Popup Builder The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link | 9.8 |
2022-03-28 | CVE-2022-0679 | Narnoo Distributor Project | Unspecified vulnerability in Narnoo Distributor Project Narnoo Distributor The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. | 9.8 |
2022-03-28 | CVE-2022-0784 | Title Experiments Free Project | Unspecified vulnerability in Title Experiments Free Project Title Experiments Free The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection | 9.8 |
2022-03-28 | CVE-2022-0787 | Limit Login Attempts Project | Unspecified vulnerability in Limit Login Attempts Project Limit Login Attempts The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections | 9.8 |
2022-03-28 | CVE-2022-0846 | Speakout Email Petitions Project | Unspecified vulnerability in Speakout! Email Petitions Project Speakout! Email Petitions The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users | 9.8 |
2022-03-28 | CVE-2022-0342 | Zyxel | Improper Authentication vulnerability in Zyxel products An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. | 9.8 |
2022-03-28 | CVE-2022-23884 | Minecraft | Integer Overflow or Wraparound vulnerability in Minecraft Bedrock Server 1.18.2 Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer). | 9.8 |
2022-03-28 | CVE-2022-23882 | Tuzicms | SQL Injection vulnerability in Tuzicms 2.0.6 TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\BannerController.class.php. | 9.8 |
2022-03-28 | CVE-2022-25757 | Apache | Improper Input Validation vulnerability in Apache Apisix In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. | 9.8 |
2022-03-28 | CVE-2021-44617 | Glpi Project | SQL Injection vulnerability in Glpi-Project Glpi 9.4.6 A SQL Injection vulnerability exits in the Ramo plugin for GLPI 9.4.6 via the idu parameter in plugins/ramo/ramoapirest.php/getOutdated. | 9.8 |
2022-03-28 | CVE-2022-26273 | Eyoucms | Unspecified vulnerability in Eyoucms 1.5.4 EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment logic vulnerabilities. | 9.8 |
2022-03-28 | CVE-2021-26599 | Impresscms | SQL Injection vulnerability in Impresscms ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection. | 9.8 |
2022-03-28 | CVE-2021-26600 | Impresscms | Type Confusion vulnerability in Impresscms ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==). | 9.8 |
2022-03-28 | CVE-2022-26268 | Xiaohuanxiong Project | SQL Injection vulnerability in Xiaohuanxiong Project Xiaohuanxiong 1.0 Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php. | 9.8 |
2022-03-28 | CVE-2022-26255 | Clash Project | Cross-site Scripting vulnerability in Clash Project Clash 0.19.8 Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column. | 9.8 |
2022-03-28 | CVE-2022-26258 | Dlink | OS Command Injection vulnerability in Dlink Dir-820L Firmware 1.05 D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp. | 9.8 |
2022-04-03 | CVE-2022-26530 | Swaywm | Unspecified vulnerability in Swaywm Swaylock swaylock before 1.6 allows attackers to trigger a crash and achieve unlocked access to a Wayland compositor. | 9.1 |
2022-04-01 | CVE-2022-25157 | Mitsubishielectric | Improper Authentication vulnerability in Mitsubishielectric products Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to disclose or tamper with the information in the product by using an eavesdropped password hash. | 9.1 |
2022-04-01 | CVE-2022-25158 | Mitsubishielectric | Cleartext Storage of Sensitive Information vulnerability in Mitsubishielectric products Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote attacker to disclose or tamper with a file in which password hash is saved in cleartext. | 9.1 |
2022-04-01 | CVE-2021-35088 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible out of bound read due to improper validation of IE length during SSID IE parse when channel is DFS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 9.1 |
2022-04-01 | CVE-2021-35117 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products An Out of Bounds read may potentially occur while processing an IBSS beacon, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 9.1 |
2022-03-31 | CVE-2022-24797 | Pomerium | Unspecified vulnerability in Pomerium Pomerium is an identity-aware access proxy. | 9.1 |
2022-03-31 | CVE-2022-26546 | Hospital Management System Project | Missing Authorization vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to lack an authorization component, allowing attackers to access sensitive information and obtain the admin password. | 9.1 |
2022-03-29 | CVE-2021-46743 | Type Confusion vulnerability in Google Firebase PHP-Jwt In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. | 9.1 | |
2022-03-28 | CVE-2022-0249 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab A vulnerability was discovered in GitLab starting with version 12. | 9.1 |
2022-03-28 | CVE-2021-45490 | 3CX | Improper Certificate Validation vulnerability in 3CX The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. | 9.1 |
2022-03-28 | CVE-2022-24303 | Python Fedoraproject | Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. | 9.1 |
2022-03-30 | CVE-2022-25620 | Profelis | Cross-site Scripting vulnerability in Profelis Sambabox Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. | 9.0 |
184 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-04-03 | CVE-2022-27249 | Idearespa | Unrestricted Upload of File with Dangerous Type vulnerability in Idearespa Reftree An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visiting the URL for this aspx resource. | 8.8 |
2022-04-03 | CVE-2022-28391 | Busybox | Unspecified vulnerability in Busybox BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. | 8.8 |
2022-04-01 | CVE-2021-26624 | Escanav | Improper Input Validation vulnerability in Escanav Escan Anti-Virus An local privilege escalation vulnerability due to a "runasroot" command in eScan Anti-Virus. | 8.8 |
2022-04-01 | CVE-2021-32960 | Rockwellautomation | Incorrect Authorization vulnerability in Rockwellautomation Factorytalk Services Platform Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. | 8.8 |
2022-04-01 | CVE-2021-33657 | Libsdl | Out-of-bounds Write vulnerability in Libsdl Simple Directmedia Layer There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. | 8.8 |
2022-04-01 | CVE-2022-21947 | Suse | Unspecified vulnerability in Suse Rancher Desktop A Exposure of Resource to Wrong Sphere vulnerability in Rancher Desktop of SUSE allows attackers in the local network to connect to the Dashboard API (steve) to carry out arbitrary actions. | 8.8 |
2022-04-01 | CVE-2022-25017 | Hitrontech | OS Command Injection vulnerability in Hitrontech Chita Firmware 7.2.2.0.3B6Cd Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulnerability via the Device/DDNS ddnsUsername field. | 8.8 |
2022-04-01 | CVE-2021-1942 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Improper handling of permissions of a shared memory region can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 8.8 |
2022-04-01 | CVE-2021-35110 | Qualcomm | Incorrect Type Conversion or Cast vulnerability in Qualcomm products Possible buffer overflow to improper validation of hash segment of file while allocating memory in Snapdragon Connectivity, Snapdragon Mobile | 8.8 |
2022-03-31 | CVE-2021-36625 | Dolibarr | SQL Injection vulnerability in Dolibarr Erp/Crm 13.0.2 An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement. | 8.8 |
2022-03-31 | CVE-2021-34257 | Wpanel CMS Project | Unrestricted Upload of File with Dangerous Type vulnerability in Wpanel CMS Project Wpanel CMS Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard's Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folder image. | 8.8 |
2022-03-31 | CVE-2022-25915 | Elecom | Unspecified vulnerability in Elecom products Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to bypass access restriction and to access the management screen of the product via unspecified vectors. | 8.8 |
2022-03-31 | CVE-2022-22986 | NTT East | OS Command Injection vulnerability in Ntt-East products Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file. | 8.8 |
2022-03-31 | CVE-2022-24299 | Netgate | Improper Input Validation vulnerability in Netgate Pfsense and Pfsense Plus Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command. | 8.8 |
2022-03-31 | CVE-2022-26019 | Netgate | Path Traversal vulnerability in Netgate Pfsense and Pfsense Plus Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. | 8.8 |
2022-03-30 | CVE-2021-46008 | Totolink | Use of Hard-coded Credentials vulnerability in Totolink A3100R Firmware 5.9C.4577 In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. | 8.8 |
2022-03-30 | CVE-2021-46010 | Totolink | Use of Insufficiently Random Values vulnerability in Totolink A3100R Firmware 5.9C.4577 Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. | 8.8 |
2022-03-30 | CVE-2022-25008 | Totolink | Missing Authentication for Critical Function vulnerability in Totolink Ex1200T Firmware and Ex300 V2 Firmware totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 does not contain an authentication mechanism. | 8.8 |
2022-03-30 | CVE-2021-44312 | Firmware Analysis AND Comparison Tool Project | Cross-Site Request Forgery (CSRF) vulnerability in Firmware Analysis and Comparison Tool Project Firmware Analysis and Comparison Tool 3.2 An issue was discovered in Firmware Analysis and Comparison Tool v3.2. | 8.8 |
2022-03-30 | CVE-2021-39772 | Improper Privilege Management vulnerability in Google Android 12.0 In Bluetooth, there is a possible way to access the a2dp audio control switch due to a missing permission check. | 8.8 | |
2022-03-30 | CVE-2015-3298 | Yubico | Improper Verification of Cryptographic Signature vulnerability in Yubico Ykneo-Openpgp 1.0.9 Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used. | 8.8 |
2022-03-30 | CVE-2022-27432 | Pluck CMS | Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7.15 A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover. | 8.8 |
2022-03-29 | CVE-2022-1050 | Qemu | Use After Free vulnerability in Qemu A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. | 8.8 |
2022-03-29 | CVE-2022-22934 | Saltstack | Unspecified vulnerability in Saltstack Salt An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. | 8.8 |
2022-03-29 | CVE-2022-22936 | Saltstack | Authentication Bypass by Capture-replay vulnerability in Saltstack Salt An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. | 8.8 |
2022-03-29 | CVE-2022-22941 | Saltstack | Incorrect Permission Assignment for Critical Resource vulnerability in Saltstack Salt An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. | 8.8 |
2022-03-29 | CVE-2022-28136 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jiratestresultreporter A cross-site request forgery (CSRF) vulnerability in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. | 8.8 |
2022-03-29 | CVE-2022-28150 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins JOB and Node Ownership A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to change the owners and item-specific permissions of a job. | 8.8 |
2022-03-28 | CVE-2022-0427 | Gitlab | Cross-Site Request Forgery (CSRF) vulnerability in Gitlab Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover | 8.8 |
2022-03-28 | CVE-2022-0751 | Gitlab | Unspecified vulnerability in Gitlab Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users into executing arbitrary commands | 8.8 |
2022-03-28 | CVE-2021-24962 | Iptanus | Path Traversal vulnerability in Iptanus Wordpress File Upload and Wordpress File Upload PRO The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution. | 8.8 |
2022-03-28 | CVE-2022-0499 | Sermon Browser Project | Unspecified vulnerability in Sermon Browser Project Sermon Browser The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. | 8.8 |
2022-03-28 | CVE-2022-0770 | Gtranslate | Unspecified vulnerability in Gtranslate Translate Wordpress With Gtranslate The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. | 8.8 |
2022-03-29 | CVE-2021-44082 | Textpattern | Cross-site Scripting vulnerability in Textpattern 4.8.7 textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. | 8.3 |
2022-04-03 | CVE-2022-28376 | Verizon | Improper Authentication vulnerability in Verizon Lvskihp Firmware 20220215 Verizon 5G Home LVSKIHP outside devices through 2022-02-15 allow anyone (knowing the device's serial number) to access a CPE admin website, e.g., at the 10.0.0.1 IP address. | 8.1 |
2022-04-01 | CVE-2022-25155 | Mitsubishielectric | Improper Authentication vulnerability in Mitsubishielectric products Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-EIP all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by replaying an eavesdropped password hash. | 8.1 |
2022-04-01 | CVE-2022-25156 | Mitsubishielectric | Inadequate Encryption Strength vulnerability in Mitsubishielectric products Use of Weak Hash vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by using a password reversed from a previously eavesdropped password hash. | 8.1 |
2022-04-01 | CVE-2022-25159 | Mitsubishielectric | Authentication Bypass by Capture-replay vulnerability in Mitsubishielectric products Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions and Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions allows a remote unauthenticated attacker to login to the product by replay attack. | 8.1 |
2022-03-31 | CVE-2022-1191 | Livehelperchat | Unspecified vulnerability in Livehelperchat Live Helper Chat SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96. | 8.1 |
2022-03-30 | CVE-2021-43664 | Totolink | Command Injection vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.140B20210429 totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo. | 8.1 |
2022-03-29 | CVE-2022-28140 | Jenkins | XXE vulnerability in Jenkins Flaky Test Handler Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.1 |
2022-03-29 | CVE-2022-28154 | Jenkins | XXE vulnerability in Jenkins Coverage/Complexity Scatter Plot Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.1 |
2022-03-29 | CVE-2022-28155 | Jenkins | XXE vulnerability in Jenkins Pipeline: Phoenix Autotest Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.1 |
2022-03-28 | CVE-2022-0136 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1. | 8.1 |
2022-03-28 | CVE-2021-26601 | Impresscms | Path Traversal vulnerability in Impresscms ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal. | 8.1 |
2022-04-03 | CVE-2022-28390 | Linux Fedoraproject Debian Netapp | Double Free vulnerability in multiple products ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free. | 7.8 |
2022-04-01 | CVE-2021-3847 | Linux Fedoraproject | Improper Preservation of Permissions vulnerability in multiple products An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. | 7.8 |
2022-04-01 | CVE-2022-1098 | Deltaww | Uncontrolled Search Path Element vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) are vulnerable to a DLL hijacking condition. | 7.8 |
2022-04-01 | CVE-2022-25959 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Position 2.5.3 Omron CX-Position (versions 2.5.3 and prior) is vulnerable to memory corruption while processing a specific project file, which may allow an attacker to execute arbitrary code. | 7.8 |
2022-04-01 | CVE-2022-26022 | Omron | Unspecified vulnerability in Omron Cx-Position 2.5.3 Omron CX-Position (versions 2.5.3 and prior) is vulnerable to an out-of-bounds write while processing a specific project file, which may allow an attacker to execute arbitrary code. | 7.8 |
2022-04-01 | CVE-2022-26417 | Omron | Unspecified vulnerability in Omron Cx-Position 2.5.3 Omron CX-Position (versions 2.5.3 and prior) is vulnerable to a use after free memory condition while processing a specific project file, which may allow an attacker to execute arbitrary code. | 7.8 |
2022-04-01 | CVE-2022-26419 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Position 2.5.3 Omron CX-Position (versions 2.5.3 and prior) is vulnerable to multiple stack-based buffer overflow conditions while parsing a specific project file, which may allow an attacker to locally execute arbitrary code. | 7.8 |
2022-04-01 | CVE-2022-24426 | Dell | Uncontrolled Search Path Element vulnerability in Dell Alienware Update, Command Update and Update Dell Command | Update, Dell Update, and Alienware Update version 4.4.0 contains a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. | 7.8 |
2022-04-01 | CVE-2021-1950 | Qualcomm | Improper Authentication vulnerability in Qualcomm products Improper cleaning of secure memory between authenticated users can lead to face authentication bypass in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking | 7.8 |
2022-04-01 | CVE-2021-30333 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Improper validation of buffer size input to the EFS file can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
2022-04-01 | CVE-2021-35089 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow due to lack of input IB amount validation while processing the user command in Snapdragon Auto | 7.8 |
2022-04-01 | CVE-2021-35103 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Possible out of bound write due to improper validation of number of timer values received from firmware while syncing timers in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.8 |
2022-04-01 | CVE-2021-35105 | Qualcomm | Incorrect Type Conversion or Cast vulnerability in Qualcomm products Possible out of bounds access due to improper input validation during graphics profiling in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
2022-04-01 | CVE-2021-35106 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible out of bound read due to improper length calculation of WMI message. | 7.8 |
2022-04-01 | CVE-2021-35115 | Qualcomm | Use After Free vulnerability in Qualcomm products Improper handling of multiple session supported by PVM backend can lead to use after free in Snapdragon Auto, Snapdragon Mobile | 7.8 |
2022-03-31 | CVE-2022-27050 | Bitcomet | Unquoted Search Path or Element vulnerability in Bitcomet BitComet Service for Windows before version 1.8.6 contains an unquoted service path vulnerability which allows attackers to escalate privileges to the system level. | 7.8 |
2022-03-31 | CVE-2022-27052 | Freesshd | Unquoted Search Path or Element vulnerability in Freesshd Freeftpd FreeFtpd version 1.0.13 and below contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges. | 7.8 |
2022-03-31 | CVE-2022-25348 | Hibara | Uncontrolled Search Path Element vulnerability in Hibara Attachecase Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory. | 7.8 |
2022-03-31 | CVE-2022-28128 | Hibara | Uncontrolled Search Path Element vulnerability in Hibara Attachecase Untrusted search path vulnerability in AttacheCase ver.3.6.1.0 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory. | 7.8 |
2022-03-30 | CVE-2022-1160 | VIM Fedoraproject | heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.4647. | 7.8 |
2022-03-30 | CVE-2022-27772 | Vmware | Exposure of Resource to Wrong Sphere vulnerability in VMWare Spring Boot spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. | 7.8 |
2022-03-30 | CVE-2021-1000 | Incorrect Default Permissions vulnerability in Google Android 12.1 In createBluetoothDeviceSlice of ConnectedDevicesSliceProvider.java, there is a possible permission bypass due to an unsafe PendingIntent. | 7.8 | |
2022-03-30 | CVE-2021-1033 | Incorrect Default Permissions vulnerability in Google Android 12.1 In createGeneralSlice of ConnectedDevicesSliceProvider.java.java, there is a possible permission bypass due to an unsafe PendingIntent. | 7.8 | |
2022-03-30 | CVE-2021-39741 | Out-of-bounds Write vulnerability in Google Android 12.1 In Keymaster, there is a possible out of bounds write due to a missing bounds check. | 7.8 | |
2022-03-30 | CVE-2021-39743 | Missing Authorization vulnerability in Google Android 12.1 In PackageManager, there is a possible way to update the last usage time of another package due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39746 | Unspecified vulnerability in Google Android 12.1 In PermissionController, there is a possible way to delete some local files due to an unsafe PendingIntent. | 7.8 | |
2022-03-30 | CVE-2021-39749 | Missing Authorization vulnerability in Google Android 12.1 In WindowManager, there is a possible way to start non-exported and protected activities due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39750 | Missing Authorization vulnerability in Google Android 12.1 In PackageManager, there is a possible way to change the splash screen theme of other apps due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39752 | Unspecified vulnerability in Google Android 12.1 In Bubbles, there is a possible way to interfere with Bubbles due to a permissions bypass. | 7.8 | |
2022-03-30 | CVE-2021-39758 | Missing Authorization vulnerability in Google Android 12.1 In WindowManager, there is a possible way to start a foreground activity from the background due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39759 | Integer Overflow or Wraparound vulnerability in Google Android 12.1 In libstagefright, there is a possible out of bounds write due to an integer overflow. | 7.8 | |
2022-03-30 | CVE-2021-39763 | Improper Input Validation vulnerability in Google Android 12.1 In Settings, there is a possible way to make the user enable WiFi due to improper input validation. | 7.8 | |
2022-03-30 | CVE-2021-39764 | Improper Input Validation vulnerability in Google Android 12.1 In Settings, there is a possible way to display an incorrect app name due to improper input validation. | 7.8 | |
2022-03-30 | CVE-2021-39767 | Insecure Default Initialization of Resource vulnerability in Google Android 12.1 In miniadb, there is a possible way to get read/write access to recovery system properties due to an insecure default value. | 7.8 | |
2022-03-30 | CVE-2021-39768 | Missing Authorization vulnerability in Google Android 12.1 In Settings, there is a possible way to add an auto-connect WiFi network without the user's consent due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39771 | Improper Input Validation vulnerability in Google Android 12.1 In Settings, there is a possible way to misrepresent which app wants to add a wifi network due to improper input validation. | 7.8 | |
2022-03-30 | CVE-2021-39776 | Use After Free vulnerability in Google Android 12.0 In NFC, there is a possible memory corruption due to a use after free. | 7.8 | |
2022-03-30 | CVE-2021-39780 | Incorrect Default Permissions vulnerability in Google Android 12.0 In Traceur, there is a possible bypass of developer settings requirements for capturing system traces due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39781 | Unspecified vulnerability in Google Android 12.0 In SmsController, there is a possible information disclosure due to a permissions bypass. | 7.8 | |
2022-03-30 | CVE-2021-39782 | Improper Privilege Management vulnerability in Google Android 12.0 In Telephony, there is a possible unauthorized modification of the PLMN SIM file due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39783 | Improper Privilege Management vulnerability in Google Android 12.0 In rcsservice, there is a possible way to modify TTY mode due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39784 | Improper Privilege Management vulnerability in Google Android 12.0 In CellBroadcastReceiver, there is a possible path to enable specific cellular features due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39787 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 12.0 In SystemUI, there is a possible arbitrary Activity launch due to a confused deputy. | 7.8 | |
2022-03-30 | CVE-2021-39789 | Incorrect Authorization vulnerability in Google Android 12.1 In Telecom, there is a possible leak of TTY mode change due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2021-39790 | Incorrect Authorization vulnerability in Google Android 12.1 In Dialer, there is a possible way to manipulate visual voicemail settings due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2022-0998 | Linux Netapp | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. | 7.8 |
2022-03-30 | CVE-2022-20002 | Missing Authorization vulnerability in Google Android 12.1 In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. | 7.8 | |
2022-03-30 | CVE-2022-22996 | Westerndigital | Uncontrolled Search Path Element vulnerability in Westerndigital products The G-RAID 4/8 Software Utility setups for Windows were affected by a DLL hijacking vulnerability. | 7.8 |
2022-03-30 | CVE-2022-1154 | VIM Fedoraproject Debian Oracle | Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646. | 7.8 |
2022-03-30 | CVE-2022-23868 | Ruoyi | Improper Neutralization of Formula Elements in a CSV File vulnerability in Ruoyi 4.7.2 RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file. | 7.8 |
2022-03-30 | CVE-2022-27815 | Waycrate | Link Following vulnerability in Waycrate Swhkd 1.1.5 SWHKD 1.1.5 unsafely uses the /tmp/swhkd.pid pathname. | 7.8 |
2022-03-29 | CVE-2022-26839 | Deltaww | Incorrect Default Permissions vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace existing executable files. | 7.8 |
2022-03-29 | CVE-2022-0343 | Unspecified vulnerability in Google Perfetto A local attacker, as a different local user, may be able to send a HTTP request to 127.0.0.1:10000 after the user (typically a developer) manually invoked the ./tools/run-dev-server script. | 7.8 | |
2022-03-29 | CVE-2022-1055 | Linux Redhat Fedoraproject Canonical Netapp | Use After Free vulnerability in multiple products A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. | 7.8 |
2022-03-28 | CVE-2022-26259 | Xiongmaitech | Classic Buffer Overflow vulnerability in Xiongmaitech products A buffer over flow in Xiongmai DVR devices NBD80X16S-KL, NBD80X09S-KL, NBD80X08S-KL, NBD80X09RA-KL, AHB80X04R-MH, AHB80X04R-MH-V2, AHB80X04-R-MH-V3, AHB80N16T-GS, AHB80N32F4-LME, and NBD90S0VT-QW allows attackers to cause a Denial of Service (DoS) via a crafted RSTP request. | 7.8 |
2022-04-01 | CVE-2022-0425 | Gitlab | Server-Side Request Forgery (SSRF) vulnerability in Gitlab A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks. | 7.6 |
2022-03-28 | CVE-2022-24789 | Orckestra | Unspecified vulnerability in Orckestra C1 CMS C1 CMS is an open-source, .NET based Content Management System (CMS). | 7.6 |
2022-04-03 | CVE-2022-26233 | Barco | Path Traversal vulnerability in Barco Control Room Management Suite Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. | 7.5 |
2022-04-03 | CVE-2021-30062 | Belden Schneider Electric | On Schneider Electric ConneXium Tofino OPCLSM TCSEFM0000 before 03.23 and Belden Tofino Xenon Security Appliance, crafted OPC packets can bypass the OPC enforcer. | 7.5 |
2022-04-03 | CVE-2021-30063 | Belden Schneider Electric | On Schneider Electric ConneXium Tofino OPCLSM TCSEFM0000 before 03.23 and Belden Tofino Xenon Security Appliance, crafted OPC packets can cause an OPC enforcer denial of service. | 7.5 |
2022-04-03 | CVE-2021-30065 | Belden Schneider Electric | On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, crafted ModBus packets can bypass the ModBus enforcer. | 7.5 |
2022-04-03 | CVE-2022-28380 | RC Httpd Project | Path Traversal vulnerability in Rc-Httpd Project Rc-Httpd The rc-httpd component through 2022-03-31 for 9front (Plan 9 fork) allows ..%2f directory traversal if serve-static is used. | 7.5 |
2022-04-02 | CVE-2022-28355 | Scala JS | Use of Insufficiently Random Values vulnerability in Scala-Js Scala.Js randomUUID in Scala.js before 1.10.0 generates predictable values. | 7.5 |
2022-04-01 | CVE-2019-14839 | Redhat | Information Exposure vulnerability in Redhat products It was observed that while login into Business-central console, HTTP request discloses sensitive information like username and password when intercepted using some tool like burp suite etc. | 7.5 |
2022-04-01 | CVE-2020-25691 | Unix4Lyfe | Improper Handling of Exceptional Conditions vulnerability in Unix4Lyfe Darkhttpd 1.13/1.131 A flaw was found in darkhttpd. | 7.5 |
2022-04-01 | CVE-2021-22277 | ABB | Improper Input Validation vulnerability in ABB products Improper Input Validation vulnerability in ABB 800xA, Control Software for AC 800M, Control Builder Safe, Compact Product Suite - Control and I/O, ABB Base Software for SoftControl allows an attacker to cause the denial of service. | 7.5 |
2022-04-01 | CVE-2021-28504 | Arista | Incorrect Authorization vulnerability in Arista EOS On Arista Strata family products which have “TCAM profile” feature enabled when Port IPv4 access-list has a rule which matches on “vxlan” as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not match on IP protocol field as expected. | 7.5 |
2022-04-01 | CVE-2021-32937 | Auvesy MDT | Information Exposure Through an Error Message vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform An attacker can gain knowledge of a session temporary working folder where the getfile and putfile commands are used in MDT AutoSave versions prior to v6.02.06. | 7.5 |
2022-04-01 | CVE-2021-32945 | Auvesy MDT | Inadequate Encryption Strength vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform An attacker could decipher the encryption and gain access to MDT AutoSave versions prior to v6.02.06. | 7.5 |
2022-04-01 | CVE-2021-32949 | Auvesy MDT | Path Traversal vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform An attacker could utilize a function in MDT AutoSave versions prior to v6.02.06 that permits changing a designated path to another path and traversing the directory, allowing the replacement of an existing file with a malicious file. | 7.5 |
2022-04-01 | CVE-2021-32957 | Auvesy MDT | SQL Injection vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform A function in MDT AutoSave versions prior to v6.02.06 is used to retrieve system information for a specific process, and this information collection executes multiple commands and summarizes the information into an XML. | 7.5 |
2022-04-01 | CVE-2021-32961 | Auvesy MDT | Unrestricted Upload of File with Dangerous Type vulnerability in Auvesy-Mdt Autosave and Autosave for System Platform A getfile function in MDT AutoSave versions prior to v6.02.06 enables a user to supply an optional parameter, resulting in the processing of a request in a special manner. | 7.5 |
2022-04-01 | CVE-2021-32968 | Moxa | Classic Buffer Overflow vulnerability in Moxa products Two buffer overflows in the built-in web server in Moxa NPort IAW5000A-I/O Series firmware version 2.2 or earlier may allow a remote attacker to cause a denial-of-service condition. | 7.5 |
2022-04-01 | CVE-2021-32970 | Moxa | Improper Input Validation vulnerability in Moxa products Data can be copied without validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier, which may allow a remote attacker to cause denial-of-service conditions. | 7.5 |
2022-04-01 | CVE-2021-33018 | Philips | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Philips products The use of a broken or risky cryptographic algorithm in Philips Vue PACS versions 12.2.x.x and prior is an unnecessary risk that may result in the exposure of sensitive information. | 7.5 |
2022-04-01 | CVE-2021-33020 | Philips | Operation on a Resource after Expiration or Release vulnerability in Philips products Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. | 7.5 |
2022-04-01 | CVE-2021-33022 | Philips | Cleartext Transmission of Sensitive Information vulnerability in Philips products Philips Vue PACS versions 12.2.x.x and prior transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. | 7.5 |
2022-04-01 | CVE-2021-33024 | Philips | Insufficiently Protected Credentials vulnerability in Philips products Philips Vue PACS versions 12.2.x.x and prior transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval. | 7.5 |
2022-04-01 | CVE-2021-39908 | Gitlab | Code Injection vulnerability in Gitlab In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI. | 7.5 |
2022-04-01 | CVE-2022-0741 | Gitlab | Improper Encoding or Escaping of Output vulnerability in Gitlab Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an attacker to steal environment variables via specially crafted email addresses. | 7.5 |
2022-04-01 | CVE-2022-1068 | Modbustools | Out-of-bounds Write vulnerability in Modbustools Modbus Slave Modbus Tools Modbus Slave (versions 7.4.2 and prior) is vulnerable to a stack-based buffer overflow in the registration field. | 7.5 |
2022-04-01 | CVE-2022-22327 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 7.0.5, 7.1.0, 7.1.1, and 7.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2022-04-01 | CVE-2022-22332 | IBM | Operation on a Resource after Expiration or Release vulnerability in IBM Partner Engagement Manager 6.2.0 IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to missing revocation mechanism for the JWT token. | 7.5 |
2022-04-01 | CVE-2021-30328 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Possible assertion due to improper validation of invalid NR CSI-IM resource configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.5 |
2022-04-01 | CVE-2021-30329 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Possible assertion due to improper validation of TCI configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.5 |
2022-04-01 | CVE-2021-30332 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Possible assertion due to improper validation of OTA configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile | 7.5 |
2022-03-31 | CVE-2022-24758 | Jupyter | Unspecified vulnerability in Jupyter Notebook The Jupyter notebook is a web-based notebook environment for interactive computing. | 7.5 |
2022-03-31 | CVE-2022-24798 | Internet Routing Registry Daemon Project | Improper Cross-boundary Removal of Sensitive Data vulnerability in Internet Routing Registry Daemon Project Internet Routing Registry Daemon 4.2.0/4.2.1/4.2.2 Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. | 7.5 |
2022-03-31 | CVE-2021-37517 | Dolibarr | Incorrect Authorization vulnerability in Dolibarr Erp/Crm 13.0.2 An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service. | 7.5 |
2022-03-31 | CVE-2022-1176 | Livehelperchat | Unspecified vulnerability in Livehelperchat Live Helper Chat Loose comparison causes IDOR on multiple endpoints in GitHub repository livehelperchat/livehelperchat prior to 3.96. | 7.5 |
2022-03-31 | CVE-2021-43663 | Totolink | Command Injection vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.140B20210429 totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component cloudupdate_check. | 7.5 |
2022-03-30 | CVE-2022-24790 | Puma Debian Fedoraproject | Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. | 7.5 |
2022-03-30 | CVE-2022-24763 | Pjsip Debian | PJSIP is a free and open source multimedia communication library written in the C language. | 7.5 |
2022-03-30 | CVE-2022-24132 | Phpshe | Unspecified vulnerability in PHPshe 1.8 phpshe V1.8 is affected by a denial of service (DoS) attack in the registry's verification code, which can paralyze the target service. | 7.5 |
2022-03-30 | CVE-2022-22772 | Tibco | Unspecified vulnerability in Tibco Managed File Transfer Platform Server The cfsend, cfrecv, and CyberResp components of TIBCO Software Inc.'s TIBCO Managed File Transfer Platform Server for UNIX and TIBCO Managed File Transfer Platform Server for z/Linux contain a difficult to exploit Remote Code Execution (RCE) vulnerability that allows a low privileged attacker with network access to execute arbitrary code on the affected system. | 7.5 |
2022-03-30 | CVE-2021-39762 | Integer Overflow or Wraparound vulnerability in Google Android 12.1 In tremolo, there is a possible out of bounds read due to an integer overflow. | 7.5 | |
2022-03-30 | CVE-2022-23793 | Joomla | Path Traversal vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. | 7.5 |
2022-03-30 | CVE-2022-25598 | Apache | Unspecified vulnerability in Apache Dolphinscheduler Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher. | 7.5 |
2022-03-30 | CVE-2020-24771 | Nexusphp | Incorrect Authorization vulnerability in Nexusphp 1.5 Incorrect access control in NexusPHP 1.5.beta5.20120707 allows unauthorized attackers to access published content. | 7.5 |
2022-03-30 | CVE-2022-26948 | RSA | Insufficiently Protected Credentials vulnerability in RSA Archer The Archer RSS feed integration for Archer 6.x through 6.9 SP1 (6.9.1.0) is affected by an insecure credential storage vulnerability. | 7.5 |
2022-03-29 | CVE-2021-43109 | Puneethreddyhc Online Shopping System Project | SQL Injection vulnerability in Puneethreddyhc Online-Shopping-System Project Puneethreddyhc Online-Shopping-System An SQL Injection vulnerability exits in PuneethReddyHC online-shopping-system as of 11/01/2021 via the p parameter in product.php. | 7.5 |
2022-03-29 | CVE-2022-25347 | Deltaww | Path Traversal vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system. | 7.5 |
2022-03-29 | CVE-2021-44081 | Open5Gs | Out-of-bounds Write vulnerability in Open5Gs 2.1.4 A buffer overflow vulnerability exists in the AMF of open5gs 2.1.4. | 7.5 |
2022-03-29 | CVE-2022-28142 | Jenkins | Improper Certificate Validation vulnerability in Jenkins Proxmox Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues. | 7.5 |
2022-03-29 | CVE-2022-1077 | TEM | Forced Browsing vulnerability in TEM Flex-1080 Firmware and Flex-1085 Firmware A vulnerability was found in TEM FLEX-1080 and FLEX-1085 1.6.0. | 7.5 |
2022-03-29 | CVE-2022-23937 | Windriver | Out-of-bounds Read vulnerability in Windriver Vxworks 6.9/7.0 In Wind River VxWorks 6.9 and 7, a specific crafted packet may lead to an out-of-bounds read during an IKE initial exchange scenario. | 7.5 |
2022-03-29 | CVE-2021-44581 | Kreado | SQL Injection vulnerability in Kreado Kreasfero 1.5 An SQL Injection vulnerabilty exists in Kreado Kreasfero 1.5 via the id parameter. | 7.5 |
2022-03-28 | CVE-2017-20016 | Weka | Allocation of Resources Without Limits or Throttling vulnerability in Weka Interest Security Scanner 1.8 A vulnerability has been found in WEKA INTEREST Security Scanner up to 1.8 and classified as problematic. | 7.5 |
2022-03-28 | CVE-2022-0738 | Gitlab | Insufficiently Protected Credentials vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. | 7.5 |
2022-03-28 | CVE-2022-27658 | SAP | Unspecified vulnerability in SAP Innovation Management 2.0 Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks. | 7.5 |
2022-03-28 | CVE-2021-44124 | Hiby | Path Traversal vulnerability in Hiby R3 PRO Firmware 1.5/1.6 Hiby Music Hiby OS R3 Pro 1.5 and 1.6 is vulnerable to Directory Traversal. | 7.5 |
2022-03-28 | CVE-2022-26271 | 74Cms | Files or Directories Accessible to External Parties vulnerability in 74Cms 3.4.1 74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php. | 7.5 |
2022-04-03 | CVE-2022-0088 | Yourls | Unspecified vulnerability in Yourls Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3. | 7.4 |
2022-03-30 | CVE-2022-1155 | Snipeitapp | Unspecified vulnerability in Snipeitapp Snipe-It Old sessions are not blocked by the login enable function. | 7.4 |
2022-04-01 | CVE-2022-1159 | Rockwellautomation | Code Injection vulnerability in Rockwellautomation products Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user. | 7.2 |
2022-04-01 | CVE-2022-23155 | Dell | Unrestricted Upload of File with Dangerous Type vulnerability in Dell Wyse Management Suite Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. | 7.2 |
2022-03-30 | CVE-2021-33523 | Softwareag | Unspecified vulnerability in Softwareag Mashzone Nextgen 10.7 MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. | 7.2 |
2022-03-30 | CVE-2021-33208 | Softwareag | XXE vulnerability in Softwareag Mashzone Nextgen 10.7 The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file. | 7.2 |
2022-03-30 | CVE-2021-33581 | Softwareag | Server-Side Request Forgery (SSRF) vulnerability in Softwareag Mashzone Nextgen 10.7 MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection. | 7.2 |
2022-03-30 | CVE-2022-28223 | Tekon | Unrestricted Upload of File with Dangerous Type vulnerability in Tekon products Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin. | 7.2 |
2022-03-30 | CVE-2021-23850 | Bosch | Classic Buffer Overflow vulnerability in Bosch products A specially crafted TCP/IP packet may cause a camera recovery image telnet interface to crash. | 7.2 |
2022-03-30 | CVE-2021-23851 | Bosch | Classic Buffer Overflow vulnerability in Bosch products A specially crafted TCP/IP packet may cause the camera recovery image web interface to crash. | 7.2 |
2022-03-29 | CVE-2022-1032 | Craterapp | Deserialization of Untrusted Data vulnerability in Craterapp Crater Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6. | 7.2 |
2022-03-28 | CVE-2022-26639 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16 TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the DNSServers parameter. | 7.2 |
2022-03-28 | CVE-2022-26640 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16 TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the minAddress parameter. | 7.2 |
2022-03-28 | CVE-2022-26641 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16 TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the httpRemotePort parameter. | 7.2 |
2022-03-28 | CVE-2022-26642 | TP Link | Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.1.4.16 TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the X_TP_ClonedMACAddress parameter. | 7.2 |
2022-03-28 | CVE-2021-43097 | Diyhi | Code Injection vulnerability in Diyhi BBS 5.3 A Server-side Template Injection (SSTI) vulnerability exists in bbs 5.3 in TemplateManageAction.javawhich could let a malicoius user execute arbitrary code. | 7.2 |
2022-03-28 | CVE-2021-43098 | Diyhi | Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3 A File Upload vulnerability exists in bbs v5.3 via QuestionManageAction.java in a getType function. | 7.2 |
2022-03-28 | CVE-2021-43100 | Diyhi | Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3 A File Upload vulnerability exists in bbs 5.3 is via TopicManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | 7.2 |
2022-03-28 | CVE-2021-43101 | Diyhi | Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3 A File Upload vulnerability exists in bbs 5.3 is via MembershipCardManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | 7.2 |
2022-03-28 | CVE-2021-43102 | Diyhi | Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3 A File Upload vulnerability exists in bbs 5.3 is via HelpManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | 7.2 |
2022-03-28 | CVE-2021-43103 | Diyhi | Unrestricted Upload of File with Dangerous Type vulnerability in Diyhi BBS 5.3 A File Upload vulnerability exists in bbs 5.3 is via ForumManageAction.java in a GetType function, which lets a remote malicious user execute arbitrary code. | 7.2 |
2022-03-28 | CVE-2021-25064 | WOW Company | Unspecified vulnerability in Wow-Company WOW Countdowns 3.1.2 The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. | 7.2 |
2022-03-28 | CVE-2021-25068 | DPL | Unspecified vulnerability in DPL Sync Woocommerce Product Feed to Google Shopping 1.2.4 The Sync WooCommerce Product feed to Google Shopping WordPress plugin through 1.2.4 uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard | 7.2 |
2022-04-01 | CVE-2021-3461 | Redhat | Insufficient Session Expiration vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. | 7.1 |
2022-04-01 | CVE-2022-22331 | IBM | Authorization Bypass Through User-Controlled Key vulnerability in IBM Partner Engagement Manager 6.2.0 IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). | 7.1 |
2022-03-30 | CVE-2021-3456 | Theforeman | Incorrect Authorization vulnerability in Theforeman Smart Proxy Salt An improper authorization handling flaw was found in Foreman. | 7.1 |
2022-03-30 | CVE-2022-27816 | Waycrate | Link Following vulnerability in Waycrate Swhkd 1.1.5 SWHKD 1.1.5 unsafely uses the /tmp/swhks.pid pathname. | 7.1 |
216 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-04-03 | CVE-2021-30066 | Belden Schneider Electric | Improper Verification of Cryptographic Signature vulnerability in multiple products On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an arbitrary firmware image can be loaded because firmware signature verification (for a USB stick) can be bypassed. | 6.8 |
2022-04-03 | CVE-2021-30061 | Belden Schneider Electric | On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, physically proximate attackers can execute code via a crafted file on a USB stick. | 6.8 |
2022-03-28 | CVE-2022-0123 | Gitlab | Improper Certificate Validation vulnerability in Gitlab An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. | 6.8 |
2022-04-01 | CVE-2022-23156 | Dell | Improper Authentication vulnerability in Dell Wyse Device Agent 14.5.4.1 Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability. | 6.7 |
2022-03-30 | CVE-2021-39786 | Out-of-bounds Write vulnerability in Google Android 12.0 In NFC, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2022-03-30 | CVE-2022-25619 | Profelis | Command Injection vulnerability in Profelis Sambabox Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. | 6.7 |
2022-04-01 | CVE-2022-1207 | Radare | Unspecified vulnerability in Radare Radare2 Out-of-bounds read in GitHub repository radareorg/radare2 prior to 5.6.8. | 6.6 |
2022-04-03 | CVE-2022-27248 | Idearespa | Path Traversal vulnerability in Idearespa Reftree A directory traversal vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint. | 6.5 |
2022-04-03 | CVE-2022-1211 | Tildearrow | Out-of-bounds Write vulnerability in Tildearrow Furnace Dev73 A vulnerability classified as critical has been found in tildearrow Furnace dev73. | 6.5 |
2022-04-03 | CVE-2022-1210 | Libtiff Netapp | Improper Resource Shutdown or Release vulnerability in multiple products A vulnerability classified as problematic was found in LibTIFF 4.3.0. | 6.5 |
2022-04-02 | CVE-2022-1201 | Mruby | Unspecified vulnerability in Mruby NULL Pointer Dereference in mrb_vm_exec with super in GitHub repository mruby/mruby prior to 3.2. | 6.5 |
2022-04-01 | CVE-2021-20295 | Qemu | Out-of-bounds Read vulnerability in Qemu It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). | 6.5 |
2022-04-01 | CVE-2021-27493 | Philips | Unspecified vulnerability in Philips products Philips Vue PACS versions 12.2.x.x and prior does not ensure or incorrectly ensures structured messages or data are well formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. | 6.5 |
2022-04-01 | CVE-2022-0922 | Philips | Missing Authentication for Critical Function vulnerability in Philips E-Alert Firmware 2.1 The software does not perform any authentication for critical system functionality. | 6.5 |
2022-04-01 | CVE-2022-22950 | Vmware | Allocation of Resources Without Limits or Throttling vulnerability in VMWare Spring Framework n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. | 6.5 |
2022-04-01 | CVE-2022-22404 | IBM | Allocation of Resources Without Limits or Throttling vulnerability in IBM APP Connect Enterprise Certified Container IBM App Connect Enterprise Certified Container Dashboard UI (IBM App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0, and 3.1) may be vulnerable to denial of service due to excessive rate limiting. | 6.5 |
2022-03-31 | CVE-2022-27963 | Netsarang | Unquoted Search Path or Element vulnerability in Netsarang Xftp Xftp 7.0.0088p and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | 6.5 |
2022-03-31 | CVE-2022-27964 | Netsarang | Unquoted Search Path or Element vulnerability in Netsarang Xmanager 3.0.127/3.0.218/4.0.165 Xmanager v7.0.0096 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | 6.5 |
2022-03-31 | CVE-2022-27965 | Netsarang | Unquoted Search Path or Element vulnerability in Netsarang Xlpd 7.0.0094 Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | 6.5 |
2022-03-31 | CVE-2022-27966 | Netsarang | Unquoted Search Path or Element vulnerability in Netsarang Xshell 7 Xshell v7.0.0099 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | 6.5 |
2022-03-31 | CVE-2022-22311 | IBM | Improper Input Validation vulnerability in IBM Security Verify Access IBM Security Verify Access could allow a user, using man in the middle techniques, to obtain sensitive information or possibly change some information due to improper validiation of JWT tokens. | 6.5 |
2022-03-31 | CVE-2022-23183 | Advancedcustomfields | Missing Authorization vulnerability in Advancedcustomfields Advanced Custom Fields Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission. | 6.5 |
2022-03-31 | CVE-2021-43662 | Totolink | Allocation of Resources Without Limits or Throttling vulnerability in Totolink A720R Firmware and Ex300 V2 Firmware totolink EX300_v2, ver V4.0.3c.140_B20210429 and A720R ,ver V4.1.5cu.470_B20200911 have an issue which causes uncontrolled resource consumption. | 6.5 |
2022-03-30 | CVE-2021-46006 | Totolink | Missing Authentication for Critical Function vulnerability in Totolink A3100R Firmware 5.9C.4577 In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. | 6.5 |
2022-03-30 | CVE-2021-38362 | RSA | Authorization Bypass Through User-Controlled Key vulnerability in RSA Archer In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data. | 6.5 |
2022-03-30 | CVE-2021-45900 | Vivoh | Improper Authentication vulnerability in Vivoh Webinar Manager Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. | 6.5 |
2022-03-30 | CVE-2021-40644 | Oasys Project | SQL Injection vulnerability in Oasys Project Oasys 20210907 An SQL Injection vulnerability exists in oasys oa_system as of 9/7/2021 in resources/mappers/notice-mapper.xml. | 6.5 |
2022-03-30 | CVE-2021-40645 | Jfinaloa Project | SQL Injection vulnerability in Jfinaloa Project Jfinaloa 20210907 An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter getHaveDoneTaskDataList method of the FlowTaskController. | 6.5 |
2022-03-30 | CVE-2022-23869 | Ruoyi | Incorrect Permission Assignment for Critical Resource vulnerability in Ruoyi 4.7.2 In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request. | 6.5 |
2022-03-30 | CVE-2021-41594 | RSA | Unspecified vulnerability in RSA Archer In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. | 6.5 |
2022-03-30 | CVE-2022-26949 | RSA | Unspecified vulnerability in RSA Archer Archer 6.x through 6.9 SP2 P1 (6.9.2.1) contains an improper access control vulnerability on attachments. | 6.5 |
2022-03-29 | CVE-2022-22948 | Vmware | Incorrect Default Permissions vulnerability in VMWare Vcenter Server 6.5/6.7/7.0 The vCenter Server contains an information disclosure vulnerability due to improper permission of files. | 6.5 |
2022-03-29 | CVE-2021-43701 | Cszcms | SQL Injection vulnerability in Cszcms CSZ CMS 1.2.9 CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters. | 6.5 |
2022-03-29 | CVE-2022-28135 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Instant-Messaging Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-03-29 | CVE-2022-28141 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Proxmox Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-03-29 | CVE-2022-28143 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Proxmox A cross-site request forgery (CSRF) vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. | 6.5 |
2022-03-29 | CVE-2022-28144 | Jenkins | Missing Authorization vulnerability in Jenkins Proxmox Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable SSL/TLS validation for the entire Jenkins controller JVM as part of the connection test (see CVE-2022-28142), and test a rollback with attacker-specified parameters. | 6.5 |
2022-03-29 | CVE-2022-28146 | Jenkins | Path Traversal vulnerability in Jenkins Continuous Integration With Toad Edge Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps. | 6.5 |
2022-03-29 | CVE-2022-28148 | Jenkins | Path Traversal vulnerability in Jenkins Continuous Integration With Toad Edge The file browser in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Item/Read permission to obtain the contents of arbitrary files on Windows controllers. | 6.5 |
2022-03-29 | CVE-2022-28156 | Jenkins | Path Traversal vulnerability in Jenkins Pipeline: Phoenix Autotest Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files and directories from the Jenkins controller to the agent workspace. | 6.5 |
2022-03-29 | CVE-2022-28157 | Jenkins | Path Traversal vulnerability in Jenkins Pipeline: Phoenix Autotest Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server. | 6.5 |
2022-03-29 | CVE-2022-28158 | Jenkins | Missing Authorization vulnerability in Jenkins Pipeline: Phoenix Autotest A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 6.5 |
2022-03-29 | CVE-2022-28160 | Jenkins | Exposure of Resource to Wrong Sphere vulnerability in Jenkins Tests Selector Jenkins Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller. | 6.5 |
2022-03-29 | CVE-2022-24956 | Shopware | SQL Injection vulnerability in Shopware B2B Suite An issue was discovered in Shopware B2B-Suite through 4.4.1. | 6.5 |
2022-03-28 | CVE-2022-26280 | Libarchive Fedoraproject | Out-of-bounds Read vulnerability in multiple products Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init. | 6.5 |
2022-03-28 | CVE-2022-0549 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. | 6.5 |
2022-03-28 | CVE-2021-45491 | 3CX | Cleartext Storage of Sensitive Information vulnerability in 3CX 3CX System through 2022-03-17 stores cleartext passwords in a database. | 6.5 |
2022-04-01 | CVE-2022-22328 | IBM | Unspecified vulnerability in IBM Partner Engagement Manager 6.2.0 IBM SterlingPartner Engagement Manager 6.2.0 could allow a malicious user to elevate their privileges and perform unintended operations to another users data. | 6.2 |
2022-04-03 | CVE-2022-28378 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS Craft CMS before 3.7.29 allows XSS. | 6.1 |
2022-04-01 | CVE-2022-21830 | Rocket Chat | Cross-site Scripting vulnerability in Rocket.Chat Livechat A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance. | 6.1 |
2022-04-01 | CVE-2022-24181 | Public Knowledge Project | Cross-site Scripting vulnerability in Public Knowledge Project Open Journal Systems Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitary code via the X-Forwarded-Host Header. | 6.1 |
2022-03-31 | CVE-2022-24794 | Auth0 | Unspecified vulnerability in Auth0 Express Openid Connect Express OpenID Connect is an Express JS middleware implementing sign on for Express web apps using OpenID Connect. | 6.1 |
2022-03-31 | CVE-2021-43707 | Maccms | Cross-site Scripting vulnerability in Maccms 10.0 Cross Site Scripting (XSS) vulnerability exists in Maccms v10 via link_Name parameter. | 6.1 |
2022-03-31 | CVE-2021-20729 | Netgate Pfsense | Cross-site Scripting vulnerability in multiple products Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL. | 6.1 |
2022-03-31 | CVE-2022-27496 | Zero Channel Plus Project | Cross-site Scripting vulnerability in Zero-Channel Plus Project Zero-Channel Plus Cross-site scripting vulnerability in Zero-channel BBS Plus v0.7.4 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors. | 6.1 |
2022-03-31 | CVE-2021-43661 | Totolink | Cross-site Scripting vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.140B20210429 totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /home.asp. | 6.1 |
2022-03-30 | CVE-2022-26644 | Banking System Project | Cross-site Scripting vulnerability in Banking System Project Banking System 1.0 Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management. | 6.1 |
2022-03-30 | CVE-2022-24135 | Qingscan Project | Cross-site Scripting vulnerability in Qingscan Project Qingscan 1.3.0 QingScan 1.3.0 is affected by Cross Site Scripting (XSS) vulnerability in all search functions. | 6.1 |
2022-03-30 | CVE-2022-23796 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.7.0 through 3.10.6. | 6.1 |
2022-03-30 | CVE-2022-23798 | Joomla | Open Redirect vulnerability in Joomla Joomla! An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. | 6.1 |
2022-03-30 | CVE-2022-23800 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! 4.0.0 An issue was discovered in Joomla! 4.0.0 through 4.1.0. | 6.1 |
2022-03-30 | CVE-2022-23801 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! 4.0.0 An issue was discovered in Joomla! 4.0.0 through 4.1.0. | 6.1 |
2022-03-30 | CVE-2022-24131 | Douco | Cross-site Scripting vulnerability in Douco Douphp 1.6 DouPHP v1.6 Release 20220121 is affected by Cross Site Scripting (XSS) through /admin/login.php in the background, which will lead to JavaScript code execution. | 6.1 |
2022-03-30 | CVE-2022-28202 | Mediawiki Fedoraproject Debian | Cross-site Scripting vulnerability in multiple products An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. | 6.1 |
2022-03-30 | CVE-2022-26950 | RSA | Open Redirect vulnerability in RSA Archer Archer 6.x through 6.9 P2 (6.9.0.2) is affected by an open redirect vulnerability. | 6.1 |
2022-03-30 | CVE-2022-26951 | RSA | Cross-site Scripting vulnerability in RSA Archer Archer 6.x through 6.10 (6.10.0.0) contains a reflected XSS vulnerability. | 6.1 |
2022-03-29 | CVE-2021-42970 | Cxuu | Cross-site Scripting vulnerability in Cxuu Cxuucms 3.0 Cross Site Scripting (XSS) vulnerability exists in cxuucms v3 via the imgurl of /feedback/post/ content parameter. | 6.1 |
2022-03-29 | CVE-2022-1076 | Automatic Question Paper Generator System Project | Cross-site Scripting vulnerability in Automatic Question Paper Generator System Project Automatic Question Paper Generator System 1.0 A vulnerability was found in Automatic Question Paper Generator System 1.0. | 6.1 |
2022-03-29 | CVE-2022-1079 | ONE Church Management System Project | Cross-site Scripting vulnerability in ONE Church Management System Project ONE Church Management System 1.0 A vulnerability classified as problematic has been found in SourceCodester One Church Management System. | 6.1 |
2022-03-29 | CVE-2022-1081 | Microfinance Management System Project | Cross-site Scripting vulnerability in Microfinance Management System Project Microfinance Management System 1.0 A vulnerability was found in SourceCodester Microfinance Management System 1.0. | 6.1 |
2022-03-29 | CVE-2022-1085 | Cltphp | Cross-site Scripting vulnerability in Cltphp 6.0 A vulnerability was found in CLTPHP up to 6.0. | 6.1 |
2022-03-28 | CVE-2003-5003 | IBM | Cross-site Scripting vulnerability in IBM ISS Blackice PC Protection A vulnerability was found in ISS BlackICE PC Protection. | 6.1 |
2022-03-28 | CVE-2005-10001 | Broadcom | Open Redirect vulnerability in Broadcom Symantec Siteminder 4.5.0/4.5.1 A vulnerability was found in Netegrity SiteMinder up to 4.5.1 and classified as critical. | 6.1 |
2022-03-28 | CVE-2008-10001 | Pro2Col | Cross-site Scripting vulnerability in Pro2Col Stingray FTS A vulnerability, which was classified as problematic, has been found in Pro2col Stingray FTS. | 6.1 |
2022-03-28 | CVE-2022-0283 | Gitlab | Open Redirect vulnerability in Gitlab An issue has been discovered affecting GitLab versions prior to 13.5. | 6.1 |
2022-03-28 | CVE-2022-26980 | Teampass | Cross-site Scripting vulnerability in Teampass 2.1.26 Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. | 6.1 |
2022-03-28 | CVE-2021-24746 | Heateor | Unspecified vulnerability in Heateor Sassy Social Share The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue. | 6.1 |
2022-03-28 | CVE-2021-25012 | Popozure | Unspecified vulnerability in Popozure Pz-Linkcard The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and escape multiple parameters before outputting them back in admin dashboard pages, leading to Reflected Cross-Site Scripting issues | 6.1 |
2022-03-28 | CVE-2021-25071 | Inpsyde | Unspecified vulnerability in Inpsyde Akismet Privacy Policies 2.0.1 The WordPress plugin through 2.0.1 does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-03-28 | CVE-2022-0599 | Mapping Multiple Urls Redirect Same Page Project | Unspecified vulnerability in Mapping multiple Urls Redirect Same Page Project Mapping multiple Urls Redirect Same Page The Mapping Multiple URLs Redirect Same Page WordPress plugin through 5.8 does not sanitize and escape the mmursp_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0600 | Myceliumdesign | Unspecified vulnerability in Myceliumdesign Conference Scheduler The Conference Scheduler WordPress plugin before 2.4.3 does not sanitize and escape the tab parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0619 | Database Peek Project | Cross-site Scripting vulnerability in Database Peek Project Database Peek 1.0/1.1/1.2 The Database Peek WordPress plugin through 1.2 does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0620 | Deleteoldorders Project | Unspecified vulnerability in Deleteoldorders Project Delete OLD Orders 0.2 The Delete Old Orders WordPress plugin through 0.2 does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0621 | Dtabs Project | Unspecified vulnerability in Dtabs Project Dtabs 1.4 The dTabs WordPress plugin through 1.4 does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0641 | AYS PRO | Unspecified vulnerability in Ays-Pro Popup Like BOX The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0643 | Bank Mellat Project | Unspecified vulnerability in Bank Mellat Project Bank Mellat 1.0/1.3.5/1.3.7 The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0647 | Bulk Creator Project | Unspecified vulnerability in Bulk Creator Project Bulk Creator The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and escape the post_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-03-28 | CVE-2022-0680 | Plezi | Cross-site Scripting vulnerability in Plezi The Plezi WordPress plugin before 1.0.3 has a REST endpoint allowing unauthenticated users to update the plz_configuration_tracker_enable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue | 6.1 |
2022-03-28 | CVE-2022-0818 | Yithemes | Unspecified vulnerability in Yithemes Woocommerce Affiliate The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin. | 6.1 |
2022-03-28 | CVE-2021-43721 | Leanote | Cross-site Scripting vulnerability in Leanote 2.7.0 Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markdown type note. | 6.1 |
2022-03-28 | CVE-2021-43725 | Spotweb Project | Cross-site Scripting vulnerability in Spotweb Project Spotweb There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter. | 6.1 |
2022-03-28 | CVE-2021-44212 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via a trailing control character such as the SCRIPT\t substring. | 6.1 |
2022-03-28 | CVE-2021-44213 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via uuencoding in a multipart/alternative message. | 6.1 |
2022-03-28 | CVE-2021-44208 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via an unknown system message in Chat. | 6.1 |
2022-03-28 | CVE-2021-44209 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via an HTML 5 element such as AUDIO. | 6.1 |
2022-03-28 | CVE-2021-44210 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via NIFF (Notation Interchange File Format) data. | 6.1 |
2022-04-01 | CVE-2022-25160 | Mitsubishielectric | Cleartext Storage of Sensitive Information vulnerability in Mitsubishielectric products Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions and Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions allows a remote unauthenticated attacker to disclose a file in a legitimate user's product by using previously eavesdropped cleartext information and to counterfeit a legitimate user’s system. | 5.9 |
2022-04-01 | CVE-2022-0489 | Gitlab | Resource Exhaustion vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15 . | 5.7 |
2022-04-03 | CVE-2022-28388 | Linux Debian Fedoraproject Netapp | Double Free vulnerability in multiple products usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double free. | 5.5 |
2022-04-03 | CVE-2022-28389 | Linux Fedoraproject Debian Netapp | Double Free vulnerability in multiple products mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free. | 5.5 |
2022-04-02 | CVE-2022-28356 | Linux Debian | In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c. | 5.5 |
2022-04-01 | CVE-2021-27223 | Kaspersky | Unspecified vulnerability in Kaspersky products A denial-of-service issue existed in one of modules that was incorporated in Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security. | 5.5 |
2022-04-01 | CVE-2022-1018 | Rockwellautomation | XXE vulnerability in Rockwellautomation products When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. | 5.5 |
2022-04-01 | CVE-2021-30331 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Possible buffer overflow due to improper data validation of external commands sent via DIAG interface in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 5.5 |
2022-03-30 | CVE-2021-39740 | Improper Input Validation vulnerability in Google Android 12.1 In Messaging, there is a possible way to bypass attachment restrictions due to improper input validation. | 5.5 | |
2022-03-30 | CVE-2021-39742 | Missing Authorization vulnerability in Google Android 12.1 In Voicemail, there is a possible way to retrieve a trackable identifier due to a missing permission check. | 5.5 | |
2022-03-30 | CVE-2021-39744 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39745 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In DevicePolicyManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39747 | Incorrect Default Permissions vulnerability in Google Android 12.1 In Settings Provider, there is a possible way to list values of non-readable global settings due to a permissions bypass. | 5.5 | |
2022-03-30 | CVE-2021-39748 | Incorrect Default Permissions vulnerability in Google Android 12.1 In InputMethodEditor, there is a possible way to access some files accessible to Settings due to an unsafe PendingIntent. | 5.5 | |
2022-03-30 | CVE-2021-39751 | Missing Authorization vulnerability in Google Android 12.1 In Settings, there is a possible way to read Bluetooth device names without proper permissions due to a missing permission check. | 5.5 | |
2022-03-30 | CVE-2021-39753 | Missing Authorization vulnerability in Google Android 12.1 In DomainVerificationService, there is a possible way to access app domain verification information due to a missing permission check. | 5.5 | |
2022-03-30 | CVE-2021-39754 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In ContextImpl, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39755 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In DevicePolicyManager, there is a possible way to reveal the existence of an installed package without proper query permissions due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39756 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In Framework, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39757 | Unspecified vulnerability in Google Android 12.1 In PermissionController, there is a possible permission bypass due to an unsafe PendingIntent. | 5.5 | |
2022-03-30 | CVE-2021-39760 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In AudioService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39761 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In Media, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39765 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Google Android 12.1 In Gallery, there is a possible permission bypass due to a confused deputy. | 5.5 | |
2022-03-30 | CVE-2021-39766 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In Settings, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39769 | Incorrect Default Permissions vulnerability in Google Android 12.1 In Device Policy, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. | 5.5 | |
2022-03-30 | CVE-2021-39770 | Incorrect Default Permissions vulnerability in Google Android 12.1 In Framework, there is a possible disclosure of the device owner package due to a missing permission check. | 5.5 | |
2022-03-30 | CVE-2021-39773 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In VpnManagerService, there is a possible disclosure of installed VPN packages due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39774 | Out-of-bounds Read vulnerability in Google Android 12.0 In Bluetooth, there is a possible out of bounds read due to a missing bounds check. | 5.5 | |
2022-03-30 | CVE-2021-39775 | Information Exposure Through Discrepancy vulnerability in Google Android 12.0 In People, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39777 | Exposure of Resource to Wrong Sphere vulnerability in Google Android 12.0 In Telephony, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. | 5.5 | |
2022-03-30 | CVE-2021-39778 | Improper Input Validation vulnerability in Google Android 12.0 In Telecomm, there is a possible way to determine whether an app is installed, without query permissions, due to improper input validation. | 5.5 | |
2022-03-30 | CVE-2021-39779 | Incorrect Default Permissions vulnerability in Google Android 12.0 In getCallStateUsingPackage of Telecom Service, there is a missing permission check. | 5.5 | |
2022-03-30 | CVE-2021-39788 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In TelecomManager, there is a possible way to check if a particular self managed phone account was registered on the device due to side channel information disclosure. | 5.5 | |
2022-03-30 | CVE-2021-39791 | Information Exposure Through Discrepancy vulnerability in Google Android 12.1 In WallpaperManagerService, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. | 5.5 | |
2022-03-29 | CVE-2022-1122 | Uclouvain Fedoraproject Debian | A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. | 5.5 |
2022-03-29 | CVE-2021-22572 | Exposure of Resource to Wrong Sphere vulnerability in Google Data Transfer Project On unix-like systems, the system temporary directory is shared between all users on that system. | 5.5 | |
2022-03-28 | CVE-2022-26296 | Boom Core | Unspecified vulnerability in Boom-Core Risvc-Boom BOOM: The Berkeley Out-of-Order RISC-V Processor commit d77c2c3 was discovered to allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. | 5.5 |
2022-03-28 | CVE-2022-26291 | Long Range ZIP Project Debian | Use After Free vulnerability in multiple products lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). | 5.5 |
2022-03-28 | CVE-2010-10001 | Shemes | Improper Resource Shutdown or Release vulnerability in Shemes Grabit A vulnerability, which was classified as problematic, was found in Shemes GrabIt up to 1.7.2 Beta 4. | 5.5 |
2022-03-28 | CVE-2017-20011 | Weka | Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8 A vulnerability was found in WEKA INTEREST Security Scanner 1.8. | 5.5 |
2022-03-28 | CVE-2017-20012 | Weka | Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8 A vulnerability classified as problematic has been found in WEKA INTEREST Security Scanner up to 1.8. | 5.5 |
2022-03-28 | CVE-2017-20013 | Weka | Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8 A vulnerability classified as problematic was found in WEKA INTEREST Security Scanner up to 1.8. | 5.5 |
2022-03-28 | CVE-2017-20014 | Weka | Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8 A vulnerability, which was classified as problematic, has been found in WEKA INTEREST Security Scanner up to 1.8. | 5.5 |
2022-03-28 | CVE-2017-20015 | Weka | Improper Resource Shutdown or Release vulnerability in Weka Interest Security Scanner 1.8 A vulnerability, which was classified as problematic, was found in WEKA INTEREST Security Scanner up to 1.8. | 5.5 |
2022-03-28 | CVE-2022-1056 | Libtiff Netapp | Out-of-bounds Read vulnerability in multiple products Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 5.5 |
2022-03-28 | CVE-2015-10002 | Kiddoware | Unspecified vulnerability in Kiddoware Kids Place A vulnerability classified as problematic has been found in Kiddoware Kids Place. | 5.5 |
2022-03-28 | CVE-2022-27950 | Linux | Memory Leak vulnerability in Linux Kernel In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition. | 5.5 |
2022-04-01 | CVE-2021-23287 | Eaton | Cross-site Scripting vulnerability in Eaton Intelligent Power Manager 1.6/1.67/1.69 The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. | 5.4 |
2022-03-31 | CVE-2021-43478 | Hoosk | Unspecified vulnerability in Hoosk 1.8.0 A vulnerability exists in Hoosk 1.8.0 in /install/index.php, due to a failure to check if config.php already exists in the root directory, which could let a malicious user reinstall the website. | 5.4 |
2022-03-31 | CVE-2021-43505 | Simple Client Management System Project | Cross-site Scripting vulnerability in Simple Client Management System Project Simple Client Management System 1.0 Multiple Cross Site Scripting (XSS) vulnerabilities exist in Ssourcecodester Simple Client Management System v1 via (1) Add new Client and (2) Add new invoice. | 5.4 |
2022-03-31 | CVE-2022-0350 | B3Log | Unspecified vulnerability in B3Log Vditor Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.13. | 5.4 |
2022-03-30 | CVE-2022-23136 | ZTE | Cross-site Scripting vulnerability in ZTE Zxhn F680 Firmware 6.0.10P3N20 There is a stored XSS vulnerability in ZTE home gateway product. | 5.4 |
2022-03-30 | CVE-2022-1178 | Open EMR | Unspecified vulnerability in Open-Emr Openemr Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | 5.4 |
2022-03-30 | CVE-2022-1179 | Open EMR | Unspecified vulnerability in Open-Emr Openemr Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | 5.4 |
2022-03-30 | CVE-2022-1181 | Open EMR | Unspecified vulnerability in Open-Emr Openemr Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2. | 5.4 |
2022-03-30 | CVE-2022-26244 | Hospital S Patient Records Management System Project | Cross-site Scripting vulnerability in Hospital'S Patient Records Management System Project Hospital'S Patient Records Management System 1.0 A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "special" field. | 5.4 |
2022-03-30 | CVE-2022-26947 | RSA | Cross-site Scripting vulnerability in RSA Archer Archer 6.x through 6.9 SP3 (6.9.3.0) contains a reflected XSS vulnerability. | 5.4 |
2022-03-29 | CVE-2022-28133 | Jenkins | Cross-site Scripting vulnerability in Jenkins Bitbucket Server Integration Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers. | 5.4 |
2022-03-29 | CVE-2022-28134 | Jenkins | Missing Authorization vulnerability in Jenkins Bitbucket Server Integration Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. | 5.4 |
2022-03-29 | CVE-2022-28145 | Jenkins | Cross-site Scripting vulnerability in Jenkins Continuous Integration With Toad Edge Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or otherwise able to control report contents. | 5.4 |
2022-03-29 | CVE-2022-28149 | Jenkins | Cross-site Scripting vulnerability in Jenkins JOB and Node Ownership Jenkins Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of the secondary owners, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-03-29 | CVE-2022-28153 | Jenkins | Cross-site Scripting vulnerability in Jenkins Sitemonitor Jenkins SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-03-29 | CVE-2022-28159 | Jenkins | Cross-site Scripting vulnerability in Jenkins Tests Selector Jenkins Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-03-29 | CVE-2022-23903 | Pearadmin | Cross-site Scripting vulnerability in Pearadmin Pear Admin Think 2.1.2 A Cross Site Scripting (XSS) vulnerability exists in pearadmin pear-admin-think <=5.0.6, which allows a login account to access arbitrary functions and cause stored XSS through a fake User-Agent. | 5.4 |
2022-03-29 | CVE-2022-1074 | TEM | Cross-site Scripting vulnerability in TEM Flex-1085 Firmware 1.6.0 A vulnerability has been found in TEM FLEX-1085 1.6.0 and classified as problematic. | 5.4 |
2022-03-29 | CVE-2022-1075 | College Website Management System Project | Cross-site Scripting vulnerability in College Website Management System Project College Website Management System 1.0 A vulnerability was found in College Website Management System 1.0 and classified as problematic. | 5.4 |
2022-03-29 | CVE-2022-1086 | Dolphinphp Project | Cross-site Scripting vulnerability in Dolphinphp Project Dolphinphp A vulnerability was found in DolphinPHP up to 1.5.0 and classified as problematic. | 5.4 |
2022-03-29 | CVE-2022-1087 | Htmly | Cross-site Scripting vulnerability in Htmly A vulnerability, which was classified as problematic, has been found in htmly 5.3 whis affects the component Edit Profile Module. | 5.4 |
2022-03-29 | CVE-2022-24957 | DHC Vision | Cross-site Scripting vulnerability in Dhc-Vision Eqms 5.4.8.322 DHC Vision eQMS through 5.4.8.322 has Persistent XSS due to insufficient encoding of untrusted input/output. | 5.4 |
2022-03-29 | CVE-2021-45866 | Student Attendance Management System Project | Cross-site Scripting vulnerability in Student Attendance Management System Project Student Attendance Management System 1.0 A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Student Attendance Management System 1.0 via the couse filed in index.php. | 5.4 |
2022-03-28 | CVE-2022-0397 | Wpclever | Unspecified vulnerability in Wpclever WPC Smart Wishlist for Woocommerce The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.4 does not sanitise and escape the key parameter before outputting it back in the wishlist_quickview AJAX action's response (available to any authenticated user), leading to a Reflected Cross-Site Scripting | 5.4 |
2022-03-28 | CVE-2022-0450 | Freshlightlab | Improper Encoding or Escaping of Output vulnerability in Freshlightlab Menu Image, Icons Made Easy The Menu Image, Icons made easy WordPress plugin before 3.0.6 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. | 5.4 |
2022-03-28 | CVE-2022-0595 | Codedropz | Unspecified vulnerability in Codedropz Drag and Drop multiple File Upload - Contact Form 7 The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue | 5.4 |
2022-03-28 | CVE-2022-0720 | TMS Outsource | Unspecified vulnerability in Tms-Outsource Amelia The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. | 5.4 |
2022-03-28 | CVE-2021-44211 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5 OX App Suite through 7.10.5 allows XSS via the class attribute of an element in an HTML e-mail signature. | 5.4 |
2022-04-01 | CVE-2020-14479 | Inductiveautomation | Missing Authentication for Critical Function vulnerability in Inductiveautomation Ignition Sensitive information can be obtained through the handling of serialized data. | 5.3 |
2022-03-30 | CVE-2022-23794 | Joomla | Information Exposure Through an Error Message vulnerability in Joomla Joomla! An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. | 5.3 |
2022-03-29 | CVE-2022-0331 | Sophos | Unspecified vulnerability in Sophos Sfos An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older. | 5.3 |
2022-03-28 | CVE-2003-5002 | IBM | Cleartext Transmission of Sensitive Information vulnerability in IBM ISS Blackice PC Protection A vulnerability was found in ISS BlackICE PC Protection. | 5.3 |
2022-03-28 | CVE-2021-4191 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. | 5.3 |
2022-03-28 | CVE-2021-24978 | B4After | Missing Authorization vulnerability in B4After Osmapper 2.1.5 The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. | 5.3 |
2022-03-28 | CVE-2021-46434 | Emqx | Unspecified vulnerability in Emqx 3.0.0 EMQ X Dashboard V3.0.0 is affected by username enumeration in the "/api /v3/auth" interface. | 5.3 |
2022-03-28 | CVE-2021-26598 | Impresscms | Improper Authentication vulnerability in Impresscms ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token). | 5.3 |
2022-03-30 | CVE-2022-1172 | Gpac | Unspecified vulnerability in Gpac Null Pointer Dereference Caused Segmentation Fault in GitHub repository gpac/gpac prior to 2.1.0-DEV. | 5.0 |
2022-04-01 | CVE-2021-32503 | Sick | Resource Exhaustion vulnerability in Sick Ftmg Firmware 2.8 Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. | 4.9 |
2022-03-28 | CVE-2021-43099 | Diyhi | Path Traversal vulnerability in Diyhi BBS 5.3 An Archive Extraction (AKA "Zip Slip) vulnerability exists in bbs 5.3 in the UpgradeNow function in UpgradeManageAction.java, which unzips the arbitrary upladed zip file without checking filenames. | 4.9 |
2022-03-28 | CVE-2022-0493 | String Locator Project | Unspecified vulnerability in String Locator Project String Locator The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. | 4.9 |
2022-04-03 | CVE-2022-28379 | Nginxproxymanager | Cross-site Scripting vulnerability in Nginxproxymanager Nginx Proxy Manager jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion. | 4.8 |
2022-04-02 | CVE-2022-28352 | Weechat | Improper Certificate Validation vulnerability in Weechat WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-middle attackers to spoof a TLS chat server via an arbitrary certificate. | 4.8 |
2022-04-01 | CVE-2021-23288 | Eaton | Cross-site Scripting vulnerability in Eaton Intelligent Power Protector The vulnerability exists due to insufficient validation of input from certain resources by the IPP software. | 4.8 |
2022-04-01 | CVE-2022-26565 | Totaljs | Cross-site Scripting vulnerability in Totaljs Content Management System A cross-site scripting (XSS) vulnerability in Totaljs all versions before commit 95f54a5commit, allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page. | 4.8 |
2022-03-31 | CVE-2021-42866 | Pixelimity | Cross-site Scripting vulnerability in Pixelimity 1.0 A Cross Site Scripting vulnerabilty exists in Pixelimity 1.0 via the Site Description field in pixelimity/admin/setting.php | 4.8 |
2022-03-31 | CVE-2021-42867 | Htmly | Cross-site Scripting vulnerability in Htmly 2.8.1 A Cross Site Scripting (XSS) vulnerability exists in DanPros htmly 2.8.1 via the Description field in (1) admin/config, and (2) index.php pages. | 4.8 |
2022-03-31 | CVE-2021-42868 | Chikitsa | Cross-site Scripting vulnerability in Chikitsa Patient Management Software 2.0.2 A Cross Site Scripting (XSS) vulnerability exists in Chikista Patient Management Software 2.0.2 in the first_name parameter in (1) patient/insert, (2) patient_report, (3) appointment_report, (4) visit_report, and (5) bill_detail_report pages. | 4.8 |
2022-03-31 | CVE-2021-42869 | Chikitsa | Cross-site Scripting vulnerability in Chikitsa Patient Management Software 2.0.2 A Cross Site Scripting (XSS) vulnerability exists in Chikista Patient Management Software 2.0.2 via the last_name parameter in the (1) patient/insert, (2) patient_report, (3) /appointment_report, (4) visit_report, and (5) /bill_detail_report pages. | 4.8 |
2022-03-31 | CVE-2021-42946 | Htmly | Cross-site Scripting vulnerability in Htmly 2.8.1 A Cross Site Scripting (XSS) vulnerability exists in htmly.2.8.1 via the Copyright field in the /admin/config page. | 4.8 |
2022-03-30 | CVE-2021-44310 | Firmware Analysis AND Comparison Tool Project | Cross-site Scripting vulnerability in Firmware Analysis and Comparison Tool Project Firmware Analysis and Comparison Tool 3.2 An issue was discovered in Firmware Analysis and Comparison Tool v3.2. | 4.8 |
2022-03-30 | CVE-2022-1163 | Mineweb | Unspecified vulnerability in Mineweb Minewebcms Cross-site Scripting (XSS) - Stored in GitHub repository mineweb/minewebcms prior to next. | 4.8 |
2022-03-28 | CVE-2022-0388 | Humananatomyillustrations | Unspecified vulnerability in Humananatomyillustrations Interactive Medical Drawing of Human Body 1.0 The Interactive Medical Drawing of Human Body WordPress plugin before 2.6 does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-03-29 | CVE-2022-26269 | Globalsuzuki | Unspecified vulnerability in Globalsuzuki Suzuki Connect 1.0.15 Suzuki Connect v1.0.15 allows attackers to tamper with displayed messages via spoofed CAN messages. | 4.6 |
2022-04-01 | CVE-2022-23157 | Dell | Information Exposure vulnerability in Dell Wyse Device Agent 14.5.4.1 Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. | 4.4 |
2022-04-01 | CVE-2022-23158 | Dell | Information Exposure vulnerability in Dell Wyse Device Agent 14.5.4.1 Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. | 4.4 |
2022-04-03 | CVE-2022-0405 | Janeczku | Unspecified vulnerability in Janeczku Calibre-Web Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16. | 4.3 |
2022-04-03 | CVE-2022-0406 | Janeczku | Incorrect Authorization vulnerability in Janeczku Calibre-Web Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16. | 4.3 |
2022-04-01 | CVE-2022-0373 | Gitlab | Unspecified vulnerability in Gitlab Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address | 4.3 |
2022-04-01 | CVE-2022-0390 | Gitlab | Missing Authorization vulnerability in Gitlab Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard. | 4.3 |
2022-03-30 | CVE-2022-27907 | Sonatype | Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository Manager Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF. | 4.3 |
2022-03-30 | CVE-2022-1177 | Open EMR | Incorrect Authorization vulnerability in Open-Emr Openemr Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0. | 4.3 |
2022-03-29 | CVE-2022-28137 | Jenkins | Missing Authorization vulnerability in Jenkins Jiratestresultreporter A missing permission check in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | 4.3 |
2022-03-29 | CVE-2022-28138 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Rocketchat Notifier A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential. | 4.3 |
2022-03-29 | CVE-2022-28139 | Jenkins | Missing Authorization vulnerability in Jenkins Rocketchat Notifier A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | 4.3 |
2022-03-29 | CVE-2022-28147 | Jenkins | Missing Authorization vulnerability in Jenkins Continuous Integration With Toad Edge A missing permission check in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | 4.3 |
2022-03-29 | CVE-2022-28151 | Jenkins | Missing Authorization vulnerability in Jenkins JOB and Node Ownership A missing permission check in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. | 4.3 |
2022-03-29 | CVE-2022-28152 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins JOB and Node Ownership A cross-site request forgery (CSRF) vulnerability in Jenkins Job and Node ownership Plugin 0.13.0 and earlier allows attackers to restore the default ownership of a job. | 4.3 |
2022-03-28 | CVE-2021-43105 | Technitium | Unspecified vulnerability in Technitium DNS Server A vulnerability in the bailiwick checking function in Technitium DNS Server <= v7.0 exists that allows specific malicious users to inject `NS` records of any domain (even TLDs) into the cache and conduct a DNS cache poisoning attack. | 4.3 |
2022-03-28 | CVE-2021-39876 | Gitlab | Incorrect Authorization vulnerability in Gitlab In all versions of GitLab CE/EE since version 11.3, the endpoint for auto-completing Assignee discloses the members of private groups. | 4.3 |
2022-03-28 | CVE-2022-0344 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. | 4.3 |
2022-03-28 | CVE-2022-0371 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 before 14.5.4, all versions starting from 14.6 before 14.6.4, all versions starting from 14.7 before 14.7.1. | 4.3 |
2022-03-28 | CVE-2022-0488 | Gitlab | Resource Exhaustion vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting with version 8.10. | 4.3 |
2022-03-28 | CVE-2022-0833 | Church Admin Project | Missing Authorization vulnerability in Church Admin Project Church Admin The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data | 4.3 |
7 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-04-01 | CVE-2021-20238 | Redhat | Missing Authentication for Critical Function vulnerability in Redhat products It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. | 3.7 |
2022-03-29 | CVE-2022-22935 | Saltstack | Improper Authentication vulnerability in Saltstack Salt An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. | 3.7 |
2022-03-30 | CVE-2022-1180 | Open EMR | Unspecified vulnerability in Open-Emr Openemr Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4. | 3.5 |
2022-03-30 | CVE-2020-35501 | Linux Redhat | A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem | 3.4 |
2022-03-30 | CVE-2021-39739 | Information Exposure Through Log Files vulnerability in Google Android 12.1 In ArrayMap, there is a possible leak of the content of SMS messages due to log information disclosure. | 3.3 | |
2022-03-28 | CVE-2018-25030 | Mirmay | Race Condition vulnerability in Mirmay File Manager and Secure Private Browser A vulnerability classified as problematic has been found in Mirmay Secure Private Browser and File Manager up to 2.5. | 2.5 |
2022-03-31 | CVE-2022-27049 | Raidrive | Unspecified vulnerability in Raidrive Raidrive before v2021.12.35 allows attackers to arbitrarily move log files by pre-creating a mountpoint and log files before Raidrive is installed. | 2.0 |