Weekly Vulnerabilities Reports > April 18 to 24, 2022

Overview

432 new vulnerabilities reported during this period, including 8 critical vulnerabilities and 84 high severity vulnerabilities. This weekly summary reports vulnerabilities in 553 products from 160 vendors including Oracle, Netapp, Cgal, Baby Care System Project, and IBM. Vulnerabilities are notably categorized as "SQL Injection", "Cross-site Scripting", "Improper Validation of Array Index", "Out-of-bounds Write", and "Cross-Site Request Forgery (CSRF)".

  • 373 reported vulnerabilities are remotely exploitable.
  • 155 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 300 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 85 reported vulnerabilities.
  • Debian has the most reported critical vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:


8 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-22 CVE-2022-1440 GIT Interface Project OS Command Injection vulnerability in Git-Interface Project Git-Interface

Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2.

10.0
2022-04-20 CVE-2022-1039 Redlion Weak Password Requirements vulnerability in Redlion Da50N Firmware

The weak password on the web user interface can be exploited via HTTP or HTTPS.

10.0
2022-04-18 CVE-2022-29464 Wso2 Unrestricted Upload of File with Dangerous Type vulnerability in Wso2 products

Certain WSO2 products allow unrestricted file upload with resultant remote code execution.

10.0
2022-04-19 CVE-2022-29315 Invicti Improper Neutralization of Formula Elements in a CSV File vulnerability in Invicti Acunetix

Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.

9.3
2022-04-19 CVE-2022-28108 Selenium Cross-Site Request Forgery (CSRF) vulnerability in Selenium Grid

Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.

9.3
2022-04-18 CVE-2021-3624 Dcraw Project / Debian Integer Overflow or Wraparound vulnerability in multiple products

There is an integer overflow vulnerability in dcraw.

9.3
2022-04-19 CVE-2022-1065 Abacus Improper Authentication vulnerability in Abacus products

A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor.

9.0
2022-04-18 CVE-2021-46122 TP Link Classic Buffer Overflow vulnerability in Tp-Link Tl-Wr840N Firmware 0.9.14.17V0001.0

Tp-Link TL-WR840N (EU) v6.20 Firmware (0.9.1 4.17 v0001.0 Build 201124 Rel.64328n) is vulnerable to Buffer Overflow via the Password reset feature.

9.0

84 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-21 CVE-2022-20789 Cisco Externally Controlled Reference to a Resource in Another Sphere vulnerability in Cisco Unified Communications Manager 12.5(1)/14.0

A vulnerability in the software upgrade process of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to write arbitrary files on the affected system.

8.5
2022-04-21 CVE-2022-28743 Foscam Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Foscam R2C Application Firmware and R2C System Firmware

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Foscam R2C IP camera running System FW <= 1.13.1.6, and Application FW <= 2.91.2.66, allows an authenticated remote attacker with administrator permissions to execute arbitrary remote code via a malicious firmware patch.

8.5
2022-04-18 CVE-2021-23286 Eaton Improper Neutralization of Formula Elements in a CSV File vulnerability in Eaton Intelligent Power Manager

Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection.

7.9
2022-04-21 CVE-2022-20783 Cisco Improper Input Validation vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint

A vulnerability in the packet processing functionality of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.8
2022-04-21 CVE-2022-24867 Glpi Project Insufficiently Protected Credentials vulnerability in Glpi-Project Glpi

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing.

7.8
2022-04-20 CVE-2021-37740 MDT Unspecified vulnerability in MDT Scn-Ip000.03 Firmware and Scn-Ip100.03 Firmware

A denial of service vulnerability exists in MDT's firmware for the KNXnet/IP Secure router SCN-IP100.03 and KNX IP interface SCN-IP000.03 before v3.0.4, that allows a remote attacker to render the device unresponsive to all requests on the KNXnet/IP Secure layer, until the device is rebooted, via a SESSION_REQUEST frame with a modified total length field.

7.8
2022-04-20 CVE-2022-25343 Olivetti Unspecified vulnerability in Olivetti D-Color Mf3555 Firmware 2Xds000.002.271

An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices.

7.8
2022-04-18 CVE-2022-24863 Http Swagger Project Improper Handling of Exceptional Conditions vulnerability in Http-Swagger Project Http-Swagger

http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0.

7.8
2022-04-22 CVE-2021-3849 Lenovo / IBM Improper Authentication vulnerability in multiple products

An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2.

7.5
2022-04-22 CVE-2021-3897 Lenovo / IBM

An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware during an that could allow an unauthenticated attacker to execute commands on the SMM and FPC2.

7.5
2022-04-22 CVE-2022-27341 Jfinalcms Project SQL Injection vulnerability in Jfinalcms Project Jfinalcms 2.0

JFinalCMS v2.0 was discovered to contain a SQL injection vulnerability via the Article Management function.

7.5
2022-04-22 CVE-2022-27342 Link Admin Project SQL Injection vulnerability in Link-Admin Project Link-Admin 0.0.1

Link-Admin v0.0.1 was discovered to contain a SQL injection vulnerability via DictRest.ResponseResult().

7.5
2022-04-22 CVE-2022-27404 Freetype / Fedoraproject Out-of-bounds Write vulnerability in multiple products

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

7.5
2022-04-22 CVE-2022-26672 Asus Use of Hard-coded Credentials vulnerability in Asus Webstorage

ASUS WebStorage has a hardcoded API Token in the APP source code.

7.5
2022-04-22 CVE-2022-26674 Asus Use of Externally-Controlled Format String vulnerability in Asus Rt-Ax88U Firmware

ASUS RT-AX88U has a Format String vulnerability, which allows an unauthenticated remote attacker to write to arbitrary memory addresses and perform remote arbitrary code execution, arbitrary system operations, or disrupt service.

7.5
2022-04-21 CVE-2022-28021 Purchase Order Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Purchase Order Management System Project Purchase Order Management System 1.0

Purchase Order Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /purchase_order/admin/?page=user.

7.5
2022-04-21 CVE-2022-28022 Purchase Order Management System Project SQL Injection vulnerability in Purchase Order Management System Project Purchase Order Management System 1.0

Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item.

7.5
2022-04-21 CVE-2022-28023 Purchase Order Management System Project SQL Injection vulnerability in Purchase Order Management System Project Purchase Order Management System 1.0

Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_supplier.

7.5
2022-04-21 CVE-2022-28024 Student Grading System Project SQL Injection vulnerability in Student Grading System Project Student Grading System 1.0

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=grade.

7.5
2022-04-21 CVE-2022-28025 Student Grading System Project SQL Injection vulnerability in Student Grading System Project Student Grading System 1.0

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=school_year.

7.5
2022-04-21 CVE-2022-28026 Student Grading System Project SQL Injection vulnerability in Student Grading System Project Student Grading System 1.0

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=student_p&id=.

7.5
2022-04-21 CVE-2022-28028 Simple Real Estate Portal System Project SQL Injection vulnerability in Simple Real Estate Portal System Project Simple Real Estate Portal System 1.0

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_amenity.

7.5
2022-04-21 CVE-2022-28029 Simple Real Estate Portal System Project SQL Injection vulnerability in Simple Real Estate Portal System Project Simple Real Estate Portal System 1.0

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_type.

7.5
2022-04-21 CVE-2022-28030 Simple Real Estate Portal System Project SQL Injection vulnerability in Simple Real Estate Portal System Project Simple Real Estate Portal System 1.0

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_estate.

7.5
2022-04-21 CVE-2022-28410 Simple Real Estate Portal System Project SQL Injection vulnerability in Simple Real Estate Portal System Project Simple Real Estate Portal System 1.0

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Users.php?f=delete_agent.

7.5
2022-04-21 CVE-2022-28411 Simple Real Estate Portal System Portal SQL Injection vulnerability in Simple Real Estate Portal System Portal Simple Real Estate Portal System 1.0

Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/admin/?page=agents/manage_agent.

7.5
2022-04-21 CVE-2022-28412 CAR Driving School Management System Project SQL Injection vulnerability in CAR Driving School Management System Project CAR Driving School Management System 1.0

Car Driving School Management System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_package.

7.5
2022-04-21 CVE-2022-28413 CAR Driving School Management System Project SQL Injection vulnerability in CAR Driving School Management System Project CAR Driving School Management System 1.0

Car Driving School Management System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_enrollment.

7.5
2022-04-21 CVE-2022-28414 Home Owners Collection Management System Project SQL Injection vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_member.

7.5
2022-04-21 CVE-2022-28415 Home Owners Collection Management System Project SQL Injection vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_collection.

7.5
2022-04-21 CVE-2022-28416 Home Owners Collection Management System Project SQL Injection vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.

7.5
2022-04-21 CVE-2022-28417 Home Owners Collection Management System Project SQL Injection vulnerability in Home Owners Collection Management System Project Home Owners Collection Management System 1.0

Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase.

7.5
2022-04-21 CVE-2022-28420 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via BabyCare/admin.php?id=theme&setid=.

7.5
2022-04-21 CVE-2022-28421 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=posts&action=display&value=1&postid=.

7.5
2022-04-21 CVE-2022-28422 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.

7.5
2022-04-21 CVE-2022-28423 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=delete.

7.5
2022-04-21 CVE-2022-28424 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&find=.

7.5
2022-04-21 CVE-2022-28425 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=display&value=1&roleid=.

7.5
2022-04-21 CVE-2022-28426 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/pagerole.php&action=edit&roleid=.

7.5
2022-04-21 CVE-2022-28427 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=read&msgid=.

7.5
2022-04-21 CVE-2022-28429 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=delete&msgid=.

7.5
2022-04-21 CVE-2022-28431 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&social=remove&sid=2.

7.5
2022-04-21 CVE-2022-28432 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=display&value=0&sid=2.

7.5
2022-04-21 CVE-2022-28433 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Show&userid=.

7.5
2022-04-21 CVE-2022-28434 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=edit&sid=2.

7.5
2022-04-21 CVE-2022-28435 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&action=displaygoal&value=1&roleid=1.

7.5
2022-04-21 CVE-2022-28436 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Hide&userid=.

7.5
2022-04-21 CVE-2022-28437 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=Admin&userid=3.

7.5
2022-04-21 CVE-2022-28438 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=User&userid=.

7.5
2022-04-21 CVE-2022-28439 Baby Care System Project SQL Injection vulnerability in Baby Care System Project Baby Care System 1.0

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&&action=delete&userid=4.

7.5
2022-04-21 CVE-2022-0272 Detekt XXE vulnerability in Detekt

Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.

7.5
2022-04-21 CVE-2016-20014 PAM Tacplus Project Unspecified vulnerability in PAM Tacplus Project PAM Tacplus 1.3.8/1.3.9

In pam_tacplus.c in pam_tacplus before 1.4.1, pam_sm_acct_mgmt does not zero out the arep data structure.

7.5
2022-04-20 CVE-2022-29528 Misp Deserialization of Untrusted Data vulnerability in Misp

An issue was discovered in MISP before 2.4.158.

7.5
2022-04-20 CVE-2021-43481 Webtareas Project SQL Injection vulnerability in Webtareas Project Webtareas 2.0/2.1/2.4

An SQL Injection vulnerability exists in Webtareas 2.4p3 and earlier via the $uq HTTP POST parameter in editapprovalstage.php.

7.5
2022-04-20 CVE-2022-26133 Atlassian Deserialization of Untrusted Data vulnerability in Atlassian Bitbucket Data Center 7.20.0

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

7.5
2022-04-20 CVE-2022-24860 Databasir Project Use of Hard-coded Credentials vulnerability in Databasir Project Databasir 1.0.1

Databasir is a team-oriented relational database model document management platform.

7.5
2022-04-19 CVE-2022-0992 Siteground Improper Authentication vulnerability in Siteground Security

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts.

7.5
2022-04-19 CVE-2022-0993 Siteground Improper Authentication vulnerability in Siteground Security

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success.

7.5
2022-04-19 CVE-2022-21420 Oracle Unspecified vulnerability in Oracle Coherence 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core).

7.5
2022-04-19 CVE-2022-21431 Oracle Unspecified vulnerability in Oracle Communications Billing and Revenue Management 12.0.0.4/12.0.0.5

Vulnerability in the Oracle Communications Billing and Revenue Management product of Oracle Communications Applications (component: Connection Manager).

7.5
2022-04-19 CVE-2022-21445 Oracle Unspecified vulnerability in Oracle Jdeveloper 12.2.1.3.0/12.2.1.4.0

Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces).

7.5
2022-04-19 CVE-2022-27862 Vikwp Unrestricted Upload of File with Dangerous Type vulnerability in Vikwp Vikbooking Hotel Booking Engine & Property Management System Plugin

Arbitrary File Upload leading to RCE in E4J s.r.l.

7.5
2022-04-19 CVE-2022-25648 GIT Argument Injection or Modification vulnerability in GIT

The package git before 1.11.0 is vulnerable to Command Injection via git argument injection.

7.5
2022-04-19 CVE-2022-27104 Formalms SQL Injection vulnerability in Formalms

An unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3.

7.5
2022-04-19 CVE-2022-27927 Microfinance Management System Project SQL Injection vulnerability in Microfinance Management System Project Microfinance Management System 1.0

A SQL injection vulnerability exists in Microfinance Management System 1.0 when MySQL is being used as the application database.

7.5
2022-04-18 CVE-2022-0785 Daily Prayer Time Project SQL Injection vulnerability in Daily Prayer Time Project Daily Prayer Time

The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.

7.5
2022-04-18 CVE-2022-1020 Codeastrology Missing Authorization vulnerability in Codeastrology WOO Product Table

The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), and does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either no argument or one user-controlled argument.

7.5
2022-04-18 CVE-2020-13567 Open EMR / Phpgacl Project SQL Injection vulnerability in multiple products

Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7.

7.5
2022-04-18 CVE-2021-3652 Port389 Improper Authentication vulnerability in Port389 389-Ds-Base

A flaw was found in 389-ds-base.

7.5
2022-04-18 CVE-2022-25226 Cybelsoft Improper Authentication vulnerability in Cybelsoft Thinvnc 1.0

ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication.

7.5
2022-04-18 CVE-2022-26631 Automatic Question Paper Generator Project SQL Injection vulnerability in Automatic Question Paper Generator Project Automatic Question Paper Generator 1.0

Automatic Question Paper Generator v1.0 contains a Time-Based Blind SQL injection vulnerability via the id GET parameter.

7.5
2022-04-22 CVE-2021-3970 Lenovo Improper Input Validation vulnerability in Lenovo products

A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models BIOS may allow an attacker with local access and elevated privileges to execute arbitrary code.

7.2
2022-04-22 CVE-2021-4210 Lenovo Unspecified vulnerability in Lenovo products

A potential vulnerability in the SMI callback function used in the NVME driver in some Lenovo Desktop, ThinkStation, and ThinkEdge models may allow an attacker with local access and elevated privileges to execute arbitrary code.

7.2
2022-04-22 CVE-2021-4211 Lenovo Improper Input Validation vulnerability in Lenovo products

A potential vulnerability in the SMI callback function used in the SMBIOS event log driver in some Lenovo Desktop, ThinkStation, and ThinkEdge models may allow an attacker with local access and elevated privileges to execute arbitrary code.

7.2
2022-04-22 CVE-2021-4212 Lenovo Improper Input Validation vulnerability in Lenovo products

A potential vulnerability in the SMI callback function used in the Legacy BIOS mode driver in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

7.2
2022-04-22 CVE-2022-0354 Lenovo Code Injection vulnerability in Lenovo System Update

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window.

7.2
2022-04-22 CVE-2022-1107 Lenovo Improper Privilege Management vulnerability in Lenovo products

During an internal product security audit, a potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI handler was discovered in some ThinkPad models that could be exploited by an attacker with elevated privileges to execute code.

7.2
2022-04-22 CVE-2022-1108 Lenovo Improper Privilege Management vulnerability in Lenovo Thinkpad X1 Fold GEN 1 Firmware

A potential vulnerability due to improper buffer validation in the SMI handler LenovoFlashDeviceInterface in Thinkpad X1 Fold Gen 1 could be exploited by an attacker with local access and elevated privileges to execute arbitrary code.

7.2
2022-04-19 CVE-2021-3100 Amazon Improper Privilege Management vulnerability in Amazon Log4Jhotpatch

The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges.

7.2
2022-04-19 CVE-2021-3101 Hotdog Project Improper Privilege Management vulnerability in Hotdog Project Hotdog

Hotdog, prior to v1.0.1, did not mimic the capabilities or the SELinux label of the target JVM process.

7.2
2022-04-19 CVE-2022-0070 Amazon Improper Privilege Management vulnerability in Amazon Hotpatch

Incomplete fix for CVE-2021-3100.

7.2
2022-04-19 CVE-2022-0071 Hotdog Project Improper Privilege Management vulnerability in Hotdog Project Hotdog

Incomplete fix for CVE-2021-3101.

7.2
2022-04-18 CVE-2022-28810 Zohocorp OS Command Injection vulnerability in Zohocorp Manageengine Adselfservice Plus

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature.

7.1
2022-04-18 CVE-2022-1382 Radare NULL Pointer Dereference vulnerability in Radare Radare2

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.8.

7.1

281 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-22 CVE-2022-29582 Linux / Debian Use After Free vulnerability in multiple products

In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts.

6.9
2022-04-20 CVE-2022-29527 Amazon Unspecified vulnerability in Amazon SSM Agent

Amazon AWS amazon-ssm-agent before 3.1.1208.0 creates a world-writable sudoers file, which allows local attackers to inject Sudo rules and escalate privileges to root.

6.9
2022-04-22 CVE-2022-27340 Mingsoft Cross-Site Request Forgery (CSRF) vulnerability in Mingsoft Mcms 5.2.7

MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do.

6.8
2022-04-22 CVE-2021-38886 IBM / Netapp Cross-Site Request Forgery (CSRF) vulnerability in multiple products

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2022-04-22 CVE-2021-32929 Uffizio Cross-Site Request Forgery (CSRF) vulnerability in Uffizio GPS Tracker

All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user.

6.8
2022-04-21 CVE-2022-20773 Cisco Use of Hard-coded Credentials vulnerability in Cisco Umbrella 2.0.3

A vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA) could allow an unauthenticated, remote attacker to impersonate a VA.

6.8
2022-04-21 CVE-2022-29566 Bulletproofs Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in Bulletproofs Project Bulletproofs

The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation because the hash computation fails to include all of the public values from the Zero Knowledge proof statement as well as all of the public values computed in the proof, aka the Frozen Heart issue.

6.8
2022-04-21 CVE-2020-14120 MI Improper Validation of Integrity Check Value vulnerability in MI Miui 12.5

Some Xiaomi models have a vulnerability in a certain application.

6.8
2022-04-20 CVE-2022-0540 Atlassian Improper Authentication vulnerability in Atlassian Jira Data Center and Jira Service Management

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request.

6.8
2022-04-20 CVE-2022-26516 Redlion Insufficient Verification of Data Authenticity vulnerability in Redlion Da50N Firmware

Authorized users may install a maliciously modified package file when updating the device via the web user interface.

6.8
2022-04-20 CVE-2022-27629 Videowhisper Cross-Site Request Forgery (CSRF) vulnerability in Videowhisper Micropayments

Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operation via unspecified vectors.

6.8
2022-04-19 CVE-2021-26625 Tobesoft Insufficient Verification of Data Authenticity vulnerability in Tobesoft Nexacro 17.1.2.500/17.1.2.600/17.1.3.301

Insufficient verification of input data leading to arbitrary file download and execution was discovered in the Nexacro platform.

6.8
2022-04-19 CVE-2021-4096 Radykal Cross-Site Request Forgery (CSRF) vulnerability in Radykal Fancy Product Designer

The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.

6.8
2022-04-19 CVE-2022-21404 Oracle Unspecified vulnerability in Oracle Helidon 1.4.10/2.0.0

Vulnerability in the Helidon product of Oracle Fusion Middleware (component: Reactive WebServer).

6.8
2022-04-19 CVE-2022-25788 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted JT file in Autodesk AutoCAD 2022 may be used to write beyond the allocated buffer while parsing JT files.

6.8
2022-04-18 CVE-2020-28602 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28603 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28604 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28605 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28606 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28607 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28608 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28609 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28610 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28611 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28612 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28613 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28614 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28615 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28616 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28617 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28618 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28619 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28620 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28621 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28622 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28623 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28624 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28625 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28626 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28627 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28628 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28629 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28630 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28631 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28632 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28633 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28634 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-28635 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-35629 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-35630 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-35631 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-35632 Cgal Improper Validation of Array Index vulnerability in Cgal Computational Geometry Algorithms Library 5.1.1

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1.

6.8
2022-04-18 CVE-2020-6099 Graphisoft Integer Overflow or Wraparound vulnerability in Graphisoft Bimx Desktop Viewer 2019.2.2328

An exploitable code execution vulnerability exists in the file format parsing functionality of Graphisoft BIMx Desktop Viewer 2019.2.2328.

6.8
2022-04-18 CVE-2022-27525 Autodesk Out-of-bounds Write vulnerability in Autodesk Design Review

A maliciously crafted .dwf file, when consumed through the DesignReview.exe application, could lead to a memory corruption vulnerability via a write access violation.

6.8
2022-04-18 CVE-2022-27526 Autodesk Out-of-bounds Write vulnerability in Autodesk Design Review

A maliciously crafted TGA file, when consumed through the DesignReview.exe application, could lead to a memory corruption vulnerability.

6.8
2022-04-18 CVE-2022-27529 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted PICT, BMP, PSD or TIF file in Autodesk AutoCAD 2022, 2021, 2020, 2019 may be used to write beyond the allocated buffer while parsing PICT, BMP, PSD or TIF files.

6.8
2022-04-18 CVE-2022-27530 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted TIF or PICT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to write beyond the allocated buffer through a buffer overflow vulnerability.

6.8
2022-04-18 CVE-2022-1381 VIM, Fedoraproject Heap-based Buffer Overflow vulnerability in multiple products

Global heap buffer overflow in skip_range in GitHub repository vim/vim prior to 8.2.4763.

6.8
2022-04-21 CVE-2022-27478 Victor CMS Project Unrestricted Upload of File with Dangerous Type vulnerability in Victor CMS Project Victor CMS 1.0

Victor v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component admin/profile.php?section=admin.

6.5
2022-04-21 CVE-2022-28006 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\employee_delete.php.

6.5
2022-04-21 CVE-2022-28007 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\cashadvance_delete.php.

6.5
2022-04-21 CVE-2022-28008 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\attendance_delete.php.

6.5
2022-04-21 CVE-2022-28009 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\attendance_delete.php.

6.5
2022-04-21 CVE-2022-28010 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\overtime_delete.php.

6.5
2022-04-21 CVE-2022-28011 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\schedule_delete.php.

6.5
2022-04-21 CVE-2022-28012 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\position_delete.php.

6.5
2022-04-21 CVE-2022-28013 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\schedule_employee_edit.php.

6.5
2022-04-21 CVE-2022-28014 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\attendance_edit.php.

6.5
2022-04-21 CVE-2022-28015 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\cashadvance_edit.php.

6.5
2022-04-21 CVE-2022-28016 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\deduction_edit.php.

6.5
2022-04-21 CVE-2022-28017 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\overtime_edit.php.

6.5
2022-04-21 CVE-2022-28018 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\schedule_edit.php.

6.5
2022-04-21 CVE-2022-28019 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\employee_edit.php.

6.5
2022-04-21 CVE-2022-28020 Attendance AND Payroll System Project SQL Injection vulnerability in Attendance and Payroll System Project Attendance and Payroll System 1.0

Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\position_edit.php.

6.5
2022-04-21 CVE-2022-28440 Ucms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ucms Project Ucms 1.6

An arbitrary file upload vulnerability in UCMS v1.6 allows attackers to execute arbitrary code via a crafted PHP file.

6.5
2022-04-21 CVE-2022-27925 Zimbra Unrestricted Upload of File with Dangerous Type vulnerability in Zimbra Collaboration 8.8.15/9.0.0

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it.

6.5
2022-04-20 CVE-2022-24861 Databasir Improper Input Validation vulnerability in Databasir 1.0.1

Databasir is a team-oriented relational database model document management platform.

6.5
2022-04-20 CVE-2022-0567 OVN Unspecified vulnerability in OVN Ovn-Kubernetes

A flaw was found in ovn-kubernetes.

6.5
2022-04-19 CVE-2022-1329 Elementor Missing Authorization vulnerability in Elementor Website Builder

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

6.5
2022-04-19 CVE-2022-21410 Oracle Unspecified vulnerability in Oracle Database 19C

Vulnerability in the Oracle Database - Enterprise Edition Sharding component of Oracle Database Server.

6.5
2022-04-19 CVE-2022-21424 Oracle Unspecified vulnerability in Oracle Communications Billing and Revenue Management 12.0.0.4

Vulnerability in the Oracle Communications Billing and Revenue Management product of Oracle Communications Applications (component: Connection Manager).

6.5
2022-04-18 CVE-2022-29457 Zohocorp Insufficiently Protected Credentials vulnerability in Zohocorp products

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

6.5
2022-04-18 CVE-2022-0661 AD Injection Project Code Injection vulnerability in AD Injection Project AD Injection 1.2.0.19

The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or JavaScript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability.

6.5
2022-04-18 CVE-2022-1037 Villatheme Server-Side Request Forgery (SSRF) vulnerability in Villatheme Exmage

The EXMAGE WordPress plugin before 1.0.7 does not ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs.

6.5
2022-04-18 CVE-2020-13590 Rukovoditel SQL Injection vulnerability in Rukovoditel 2.7.2

Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2.

6.5
2022-04-18 CVE-2022-27908 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Opmanager

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

6.5
2022-04-22 CVE-2021-36203 Johnsoncontrols Server-Side Request Forgery (SSRF) vulnerability in Johnsoncontrols Metasys System Configuration Tool

The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request.

6.4
2022-04-21 CVE-2022-28443 Ucms Project Unspecified vulnerability in Ucms Project Ucms 1.6

UCMS v1.6 was discovered to contain an arbitrary file deletion vulnerability.

6.4
2022-04-19 CVE-2022-21446 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Utility).

6.4
2022-04-19 CVE-2022-21464 Oracle Unspecified vulnerability in Oracle JD Edwards Enterpriseone Tools

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infra SEC).

6.4
2022-04-21 CVE-2022-20804 Cisco Improper Check for Unusual or Exceptional Conditions vulnerability in Cisco Unified Communications Manager

A vulnerability in the Cisco Discovery Protocol of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, adjacent attacker to cause a kernel panic on an affected system, resulting in a denial of service (DoS) condition.

6.1
2022-04-21 CVE-2022-20787 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Communications Manager

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device.

6.0
2022-04-19 CVE-2022-1384 Mattermost Missing Authorization vulnerability in Mattermost Server

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and an authorized user to install and exploit an old plugin version from the Marketplace which might have known vulnerabilities.

6.0
2022-04-19 CVE-2022-21422 Oracle Unspecified vulnerability in Oracle Communications Billing and Revenue Management 12.0.0.4/12.0.0.5

Vulnerability in the Oracle Communications Billing and Revenue Management product of Oracle Communications Applications (component: Connection Manager).

6.0
2022-04-19 CVE-2022-21430 Oracle Unspecified vulnerability in Oracle Communications Billing and Revenue Management 12.0.0.4/12.0.0.5

Vulnerability in the Oracle Communications Billing and Revenue Management product of Oracle Communications Applications (component: Connection Manager).

6.0
2022-04-19 CVE-2021-44519 Citrix Path Traversal vulnerability in Citrix Xenmobile Server 10.13.0/10.14.0

In Citrix XenMobile Server through 10.12 RP9, there is an Authenticated Directory Traversal vulnerability, leading to remote code execution.

6.0
2022-04-24 CVE-2022-1451 Radare Out-of-bounds Read vulnerability in Radare Radare2

Out-of-bounds Read in r_bin_java_constant_value_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0.

5.8
2022-04-24 CVE-2022-1452 Radare Out-of-bounds Read vulnerability in Radare Radare2

Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0.

5.8
2022-04-22 CVE-2022-1437 Radare Out-of-bounds Write vulnerability in Radare Radare2

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.7.0.

5.8
2022-04-21 CVE-2020-14118 MI Open Redirect vulnerability in MI APP Store

An intent redirection vulnerability in the Mi App Store product.

5.8
2022-04-20 CVE-2022-1254 Mcafee Open Redirect vulnerability in Mcafee web Gateway

A URL redirection vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.9, 9.x prior to 9.2.20, 8.x prior to 8.2.27, and 7.x prior to 7.8.2.31, and controlled release 11.x prior to 11.1.3 allows a remote attacker to redirect a user to a malicious website controlled by the attacker.

5.8
2022-04-19 CVE-2022-24858 Nextauth JS Open Redirect vulnerability in Nextauth.Js Next-Auth

next-auth v3 users before version 3.29.2 are impacted.

5.8
2022-04-19 CVE-2022-1019 Automatedlogic Open Redirect vulnerability in Automatedlogic Webctrl Server

Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are vulnerable to open redirection.

5.8
2022-04-19 CVE-2022-1385 Mattermost Exposure of Resource to Wrong Sphere vulnerability in Mattermost Server

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels.

5.8
2022-04-19 CVE-2022-21409 Oracle Unspecified vulnerability in Oracle JD Edwards Enterpriseone Tools

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime).

5.8
2022-04-19 CVE-2022-21419 Oracle Unspecified vulnerability in Oracle Business Intelligence 5.5.0.0.0/5.9.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Visual Analyzer).

5.8
2022-04-19 CVE-2022-21448 Oracle Unspecified vulnerability in Oracle Business Intelligence 5.9.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Visual Analyzer).

5.8
2022-04-19 CVE-2022-21453 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console).

5.8
2022-04-19 CVE-2022-21456 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.58/8.59

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Navigation Pages, Portal, Query).

5.8
2022-04-19 CVE-2022-21458 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.58/8.59

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Navigation Pages, Portal, Query).

5.8
2022-04-19 CVE-2022-21468 Oracle Unspecified vulnerability in Oracle Applications Framework

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Popups).

5.8
2022-04-19 CVE-2022-21470 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.58/8.59

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Process Scheduler).

5.8
2022-04-19 CVE-2022-21480 Oracle Unspecified vulnerability in Oracle Transportation Management 6.4.3/6.5.1

Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: User Interface).

5.8
2022-04-19 CVE-2022-21492 Oracle Unspecified vulnerability in Oracle Business Intelligence 5.9.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Server).

5.8
2022-04-19 CVE-2022-21497 Oracle Unspecified vulnerability in Oracle web Services Manager 12.2.1.3.0/12.2.1.4.0

Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware (component: Web Services Security).

5.8
2022-04-19 CVE-2021-43129 D2L Exposure of Resource to Wrong Sphere vulnerability in D2L Brightspace 20.21.7

A bypass exists for Desire2Learn/D2L Brightspace’s “Disable Right Click” option in the quizzing feature, which allows a quiz-taker to access print and copy functionality via the browser’s right click menu even when “Disable Right Click” is enabled on the quiz.

5.8
2022-04-19 CVE-2022-0645 Posthog Open Redirect vulnerability in Posthog

Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1.

5.8
2022-04-18 CVE-2022-29458 GNU Out-of-bounds Read vulnerability in GNU Ncurses

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

5.8
2022-04-18 CVE-2021-20324 Redhat Session Fixation vulnerability in Redhat products

A flaw was found in WildFly Elytron.

5.8
2022-04-18 CVE-2022-23976 Accesspressthemes Cross-Site Request Forgery (CSRF) vulnerability in Accesspressthemes Access Demo Importer

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media).

5.8
2022-04-18 CVE-2022-1383 Radare Out-of-bounds Write vulnerability in Radare Radare2

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.8.

5.8
2022-04-21 CVE-2022-20786 Cisco SQL Injection vulnerability in Cisco Unified Communications Manager IM and Presence Service

A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.

5.5
2022-04-20 CVE-2022-24872 Shopware Incorrect Permission Assignment for Critical Resource vulnerability in Shopware

Shopware is an open commerce platform based on Symfony Framework and Vue.

5.5
2022-04-20 CVE-2022-24871 Shopware Server-Side Request Forgery (SSRF) vulnerability in Shopware

Shopware is an open commerce platform based on Symfony Framework and Vue.

5.5
2022-04-20 CVE-2022-25342 Olivetti Incorrect Authorization vulnerability in Olivetti D-Color Mf3555 Firmware 2Xds000.002.271

An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices.

5.5
2022-04-19 CVE-2022-21411 Oracle Unspecified vulnerability in Oracle Database 12.1.0.2/19C/21C

Vulnerability in the RDBMS Gateway / Generic ODBC Connectivity component of Oracle Database Server.

5.5
2022-04-19 CVE-2022-21425 Oracle, Netapp

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).

5.5
2022-04-19 CVE-2022-21440 Oracle, Netapp

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

5.5
2022-04-19 CVE-2022-21459 Oracle, Netapp

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

5.5
2022-04-19 CVE-2022-21478 Oracle, Netapp

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

5.5
2022-04-19 CVE-2022-21479 Oracle, Netapp

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).

5.5
2022-04-18 CVE-2022-24841 Fleetdm Incorrect Authorization vulnerability in Fleetdm Fleet

fleetdm/fleet is an open source device management platform, built on osquery.

5.5
2022-04-19 CVE-2021-26626 Tobesoft Improper Input Validation vulnerability in Tobesoft Xplatform

An improper input validation vulnerability in XPLATFORM's execBrowser method can allow arbitrary commands to be executed.

5.1
2022-04-22 CVE-2020-14123 MI Double Free vulnerability in MI Miui 12.5.2

There is a pointer double free vulnerability in some MIUI services.

5.0
2022-04-22 CVE-2022-27405 Freetype, Fedoraproject Out-of-bounds Read vulnerability in multiple products

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

5.0
2022-04-22 CVE-2022-27406 Freetype, Fedoraproject Out-of-bounds Read vulnerability in multiple products

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

5.0
2022-04-22 CVE-2022-1429 Pimcore SQL Injection vulnerability in Pimcore

SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6.

5.0
2022-04-21 CVE-2022-28366 Htmlunit Project, Cyberneko Html Project, Antisamy Project

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption.

5.0
2022-04-21 CVE-2022-24423 Dell Improper Input Validation vulnerability in Dell Integrated Dell Remote Access Controller 8 Firmware 2.82.82.82

Dell iDRAC8 versions prior to 2.83.83.83 contain a denial of service vulnerability.

5.0
2022-04-21 CVE-2022-24424 Dell Path Traversal vulnerability in Dell EMC Appsync 3.9.0.0/4.3.0.0

Dell EMC AppSync versions from 3.9 to 4.3 contain a path traversal vulnerability in AppSync server.

5.0
2022-04-21 CVE-2022-28444 Ucms Project Path Traversal vulnerability in Ucms Project Ucms 1.6

UCMS v1.6 was discovered to contain an arbitrary file read vulnerability.

5.0
2022-04-21 CVE-2022-20795 Cisco Insufficient Verification of Data Authenticity vulnerability in Cisco Adaptive Security Appliance

A vulnerability in the implementation of the Datagram TLS (DTLS) protocol in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause high CPU utilization, resulting in a denial of service (DoS) condition.

5.0
2022-04-21 CVE-2022-23711 Elastic Unspecified vulnerability in Elastic Kibana

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source.

5.0
2022-04-21 CVE-2020-14116 MI Insufficient Verification of Data Authenticity vulnerability in MI Browser

An intent redirection vulnerability in the Mi Browser product.

5.0
2022-04-21 CVE-2020-14117 MI Unspecified vulnerability in MI Content Center

An improper permission configuration vulnerability in the Xiaomi Content Center app.

5.0
2022-04-21 CVE-2022-24875 CVE Information Exposure Through Log Files vulnerability in CVE Cve-Services

The CVEProject/cve-services is an open source project used to operate the CVE services api.

5.0
2022-04-21 CVE-2022-29547 Mediawiki Incorrect Default Permissions vulnerability in Mediawiki Createredirect

The CreateRedirect extension before 2022-04-14 for MediaWiki does not properly check whether the user has permissions to edit the target page.

5.0
2022-04-21 CVE-2022-27924 Zimbra Injection vulnerability in Zimbra Collaboration 8.8.15/9.0.0

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance.

5.0
2022-04-20 CVE-2022-29534 Misp Improper Authentication vulnerability in Misp

An issue was discovered in MISP before 2.4.158.

5.0
2022-04-20 CVE-2022-29536 Gnome
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title.

5.0
2022-04-20 CVE-2021-43933 Fanuc Resource Exhaustion vulnerability in Fanuc Roboguide 9.40083.00.05

The affected product is vulnerable to a network-based attack by threat actors sending unimpeded requests to the receiving server, which could cause a denial-of-service condition due to lack of heap memory resources.

5.0
2022-04-20 CVE-2021-43988 Fanuc Unspecified vulnerability in Fanuc Roboguide 9.40083.00.05

The affected product is vulnerable to a network-based attack by threat actors utilizing crafted naming conventions of files to gain unauthorized access rights.

5.0
2022-04-20 CVE-2022-24675 Golang Allocation of Resources Without Limits or Throttling vulnerability in Golang GO

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

5.0
2022-04-20 CVE-2022-27536 Golang Improper Certificate Validation vulnerability in Golang GO 1.18.0

Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates.

5.0
2022-04-20 CVE-2022-28327 Golang Unspecified vulnerability in Golang GO

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

5.0
2022-04-20 CVE-2022-29266 Apache Information Exposure Through an Error Message vulnerability in Apache Apisix

In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

5.0
2022-04-19 CVE-2021-26627 QCP Improper Authentication vulnerability in QCP Qcp200W Firmware

Real-time image information exposure is caused by insufficient authentication for activated RTSP port.

5.0
2022-04-19 CVE-2022-1119 Simplefilelist Path Traversal vulnerability in Simplefilelist Simple-File-List

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls, which makes it possible for unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.

5.0
2022-04-19 CVE-2022-1186 WEB X CO Information Exposure vulnerability in Web-X.Co BE Popia Compliant

The WordPress plugin Be POPIA Compliant exposed sensitive information to unauthenticated users consisting of site visitors' emails and usernames via an API route, in versions up to and including 1.1.5.

5.0
2022-04-19 CVE-2022-21421 Oracle Unspecified vulnerability in Oracle Business Intelligence

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General).

5.0
2022-04-19 CVE-2022-21426 Oracle
Debian
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).
5.0
2022-04-19 CVE-2022-21434 Oracle
Debian
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).
5.0
2022-04-19 CVE-2022-21441 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0/12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

5.0
2022-04-19 CVE-2022-21449 Oracle
Debian
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).
5.0
2022-04-19 CVE-2022-21466 Oracle Unspecified vulnerability in Oracle Commerce Guided Search 11.3.2

Vulnerability in the Oracle Commerce Guided Search product of Oracle Commerce (component: Tools and Frameworks).

5.0
2022-04-19 CVE-2022-21476 Oracle
Netapp
Debian
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).
5.0
2022-04-19 CVE-2022-21496 Oracle
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI).
5.0
2022-04-19 CVE-2022-27863 Vikwp Information Exposure vulnerability in Vikwp Vikbooking Hotel Booking Engine & Property Management System Plugin

Sensitive Information Exposure in E4J s.r.l.

5.0
2022-04-19 CVE-2022-24825 Stripe Server-Side Request Forgery (SSRF) vulnerability in Stripe Smokescreen

Smokescreen is a simple HTTP proxy that fogs over naughty URLs.

5.0
2022-04-19 CVE-2021-39076 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Guardium 10.5/11.3

IBM Security Guardium 10.5 and 11.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information.

5.0
2022-04-19 CVE-2022-27055 Ecjia Incorrect Authorization vulnerability in Ecjia Daojia 1.38.120210202629

** DISPUTED ** ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php.

5.0
2022-04-19 CVE-2022-29153 Hashicorp Server-Side Request Forgery (SSRF) vulnerability in Hashicorp Consul

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints.

5.0
2022-04-18 CVE-2022-1054 Wpchill Missing Authorization vulnerability in Wpchill Rsvp and Event Management

The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action.

5.0
2022-04-18 CVE-2021-3503 Redhat Unspecified vulnerability in Redhat Wildfly

A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data.

5.0
2022-04-18 CVE-2021-42778 Opensc Project
Fedoraproject
Redhat
Double Free vulnerability in multiple products

A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.

5.0
2022-04-18 CVE-2021-42779 Opensc Project
Fedoraproject
Redhat
Use After Free vulnerability in multiple products

A heap use after free issue was found in Opensc before version 0.22.0 in sc_file_valid.

5.0
2022-04-18 CVE-2021-42780 Opensc Project
Fedoraproject
Redhat
Unchecked Return Value vulnerability in multiple products

A use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library.

5.0
2022-04-18 CVE-2021-42781 Opensc Project
Fedoraproject
Redhat
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library.

5.0
2022-04-18 CVE-2021-42782 Opensc Project
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Stack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.

5.0
2022-04-18 CVE-2022-1341 BWM NG Project NULL Pointer Dereference vulnerability in Bwm-Ng Project Bwm-Ng 0.6.2

An issue was discovered in bwm-ng v0.6.2.

5.0
2022-04-18 CVE-2022-26665 Tylertech Authorization Bypass Through User-Controlled Key vulnerability in Tylertech Odyssey Portal

An Insecure Direct Object Reference issue exists in the Tyler Odyssey Portal platform before 17.1.20.

5.0
2022-04-22 CVE-2021-3721 Lenovo Out-of-bounds Write vulnerability in Lenovo Pcmanager

A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.20.10282 that could allow an attacker with local access to trigger a blue screen error.

4.9
2022-04-22 CVE-2022-0636 Lenovo Classic Buffer Overflow vulnerability in Lenovo Thin Installer

A denial of service vulnerability was reported in Lenovo Thin Installer prior to version 1.3.0039 that could trigger a system crash.

4.9
2022-04-19 CVE-2022-21418 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.9
2022-04-19 CVE-2022-21450 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Prtl Interaction HUB 9.1

Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub product of Oracle PeopleSoft (component: My Links).

4.9
2022-04-19 CVE-2022-21477 Oracle Unspecified vulnerability in Oracle Applications Framework

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments, File Upload).

4.9
2022-04-19 CVE-2022-21481 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise 9.2

Vulnerability in the PeopleSoft Enterprise FIN Cash Management product of Oracle PeopleSoft (component: Financial Gateway).

4.9
2022-04-18 CVE-2020-25163 Osisoft Cross-site Scripting vulnerability in Osisoft PI Vision 2017/2019

A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0.

4.9
2022-04-22 CVE-2021-3722 Lenovo Incorrect Default Permissions vulnerability in Lenovo Pcmanager

A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow configuration files to be written to non-standard locations during installation.

4.7
2022-04-23 CVE-2022-1427 Brew Out-of-bounds Read vulnerability in Brew Mruby

Out-of-bounds Read in mrb_obj_is_kind_of in GitHub repository mruby/mruby prior to 3.2.

4.6
2022-04-22 CVE-2021-3971 Lenovo Unspecified vulnerability in Lenovo products

A potential vulnerability in a driver used during older manufacturing processes on some consumer Lenovo Notebook devices, which was mistakenly included in the BIOS image, could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.

4.6
2022-04-22 CVE-2021-3972 Lenovo Unspecified vulnerability in Lenovo products

A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices, which was mistakenly left active in the BIOS, may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.

4.6
2022-04-22 CVE-2022-29583 Service Project Untrusted Search Path vulnerability in Service Project Service

service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory.

4.6
2022-04-21 CVE-2022-20732 Cisco Incorrect Default Permissions vulnerability in Cisco Virtualized Infrastructure Manager

A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device.

4.6
2022-04-20 CVE-2021-43986 Fanuc Incorrect Default Permissions vulnerability in Fanuc Roboguide 9.40083.00.05

The setup program for the affected product configures its files and folders with full access, which may allow unauthorized users permission to replace original binaries and achieve privilege escalation.

4.6
2022-04-19 CVE-2022-21442 Oracle Unspecified vulnerability in Oracle Goldengate

Vulnerability in Oracle GoldenGate (component: OGG Core Library).

4.6
2022-04-19 CVE-2022-21472 Oracle Unspecified vulnerability in Oracle Flexcube Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure).

4.6
2022-04-19 CVE-2022-21473 Oracle Unspecified vulnerability in Oracle Banking Treasury Management 14.5

Vulnerability in the Oracle Banking Treasury Management product of Oracle Financial Services Applications (component: Infrastructure).

4.6
2022-04-19 CVE-2022-21474 Oracle Unspecified vulnerability in Oracle Banking Trade Finance Process Management 14.5

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure).

4.6
2022-04-19 CVE-2022-21475 Oracle Incorrect Permission Assignment for Critical Resource vulnerability in Oracle Banking Payments 14.5

Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Infrastructure).

4.6
2022-04-19 CVE-2022-21491 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

4.6
2022-04-18 CVE-2022-27652 Kubernetes
Fedoraproject
Mobyproject
Redhat
Incorrect Default Permissions vulnerability in multiple products

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions.

4.6
2022-04-22 CVE-2022-0192 Lenovo Uncontrolled Search Path Element vulnerability in Lenovo Pcmanager

A DLL search path vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow privilege escalation.

4.4
2022-04-20 CVE-2022-24826 GIT Large File Storage Project Untrusted Search Path vulnerability in GIT Large File Storage Project GIT Large File Storage

On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code.

4.4
2022-04-19 CVE-2022-27527 Autodesk Out-of-bounds Write vulnerability in Autodesk Navisworks

A Memory Corruption vulnerability may lead to code execution through maliciously crafted DLL files.

4.4
2022-04-23 CVE-2022-1444 Radare Use After Free vulnerability in Radare Radare2

heap-use-after-free in GitHub repository radareorg/radare2 prior to 5.7.0.

4.3
2022-04-22 CVE-2021-3898 Motorola Improper Certificate Validation vulnerability in Motorola Device Help and Ready for

Versions of Motorola Ready For and Motorola Device Help Android applications prior to 2021-04-08 do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker.

4.3
2022-04-22 CVE-2021-38904 IBM
Netapp
Exposure of Resource to Wrong Sphere vulnerability in multiple products

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow a remote attacker to obtain credentials from a user's browser via incorrect autocomplete settings.

4.3
2022-04-22 CVE-2022-1439 Microweber Cross-site Scripting vulnerability in Microweber

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15.

4.3
2022-04-22 CVE-2022-29589 Crypt Server Project Cross-site Scripting vulnerability in Crypt-Server Project Crypt-Server

Crypt Server before 3.3.0 allows XSS in the index view.

4.3
2022-04-22 CVE-2021-32927 Uffizio Cross-site Scripting vulnerability in Uffizio GPS Tracker

An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker.

4.3
2022-04-21 CVE-2022-28367 Antisamy Project Cross-site Scripting vulnerability in Antisamy Project Antisamy

OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input.

4.3
2022-04-21 CVE-2022-29577 Antisamy Project Cross-site Scripting vulnerability in Antisamy Project Antisamy

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input.

4.3
2022-04-21 CVE-2021-35229 Solarwinds Cross-site Scripting vulnerability in Solarwinds products

A cross-site scripting vulnerability is present in Database Performance Monitor 2022.1.7779 and previous versions when using a complex SQL query.

4.3
2022-04-21 CVE-2022-20778 Cisco Cross-site Scripting vulnerability in Cisco Webex Meetings

A vulnerability in the authentication component of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface.

4.3
2022-04-21 CVE-2022-20788 Cisco Cross-site Scripting vulnerability in Cisco Unified Communications Manager and Unity Connection

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

4.3
2022-04-21 CVE-2022-28820 Adobe Cross-site Scripting vulnerability in Adobe ACS AEM Commons

ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters.

4.3
2022-04-21 CVE-2021-41161 Combodo Cross-site Scripting vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

4.3
2022-04-21 CVE-2021-41162 Combodo Cross-site Scripting vulnerability in Combodo Itop

Combodo iTop is a web based IT Service Management tool.

4.3
2022-04-21 CVE-2022-1420 VIM
Fedoraproject
Use of Out-of-range Pointer Offset vulnerability in multiple products

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.

4.3
2022-04-21 CVE-2022-27237 NI Cross-site Scripting vulnerability in NI products

There is a cross-site scripting (XSS) vulnerability in an NI Web Server component installed with several NI products.

4.3
2022-04-21 CVE-2022-29498 Blazer Project SQL Injection vulnerability in Blazer Project Blazer

Blazer before 2.6.0 allows SQL Injection.

4.3
2022-04-21 CVE-2022-29548 Wso2 Cross-site Scripting vulnerability in Wso2 products

A reflected XSS issue exists in the Management Console of several WSO2 products.

4.3
2022-04-21 CVE-2022-27926 Zimbra Cross-site Scripting vulnerability in Zimbra Collaboration 9.0.0

A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.

4.3
2022-04-20 CVE-2022-29533 Misp Cross-site Scripting vulnerability in Misp

An issue was discovered in MISP before 2.4.158.

4.3
2022-04-20 CVE-2022-29537 Gpac Out-of-bounds Read vulnerability in Gpac 2.0.0

gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a heap-based buffer over-read, as demonstrated by MP4Box.

4.3
2022-04-20 CVE-2022-24799 Wire Cross-site Scripting vulnerability in Wire Wire-Webapp

wire-webapp is the web application interface for the wire messaging service.

4.3
2022-04-20 CVE-2021-43990 Fanuc XXE vulnerability in Fanuc Roboguide 9.40083.00.05

The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.

4.3
2022-04-20 CVE-2022-25344 Olivetti Cross-site Scripting vulnerability in Olivetti D-Color Mf3555 Firmware 2Xds000.002.271

An XSS issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices.

4.3
2022-04-19 CVE-2022-1187 WP Youtube Live Project Cross-site Scripting vulnerability in WP Youtube Live Project WP Youtube Live

The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the ~/inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21.

4.3
2022-04-19 CVE-2022-21443 Oracle
Netapp
Debian
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).
4.3
2022-04-19 CVE-2022-21457 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin).
4.3
2022-04-19 CVE-2022-21469 Oracle Unspecified vulnerability in Oracle Enterprise Manager Base Platform 13.4.0.0/13.5.0.0

Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: UI Framework).

4.3
2022-04-19 CVE-2022-28221 Cleantalk Cross-site Scripting vulnerability in Cleantalk Antispam

The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Comments.php`.

4.3
2022-04-19 CVE-2022-28222 Cleantalk Cross-site Scripting vulnerability in Cleantalk Antispam

The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php`.

4.3
2022-04-19 CVE-2021-39072 IBM Unspecified vulnerability in IBM Security Guardium 11.3

IBM Security Guardium 11.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

4.3
2022-04-18 CVE-2022-24859 Pypdf2 Project
Debian
Infinite Loop vulnerability in multiple products

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files.

4.3
2022-04-18 CVE-2021-25120 Easysocialfeed Cross-site Scripting vulnerability in Easysocialfeed Easy Social Feed

The Easy Social Feed Free and Pro WordPress plugins before 6.2.7 do not sanitise some of their parameters used via AJAX actions before outputting them back in the response, leading to Reflected Cross-Site Scripting issues.

4.3
2022-04-18 CVE-2022-0707 Sandhillsdev Cross-Site Request Forgery (CSRF) vulnerability in Sandhillsdev Easy Digital Downloads

The Easy Digital Downloads WordPress plugin before 2.11.6 does not have a CSRF check in place when inserting payment notes, which could allow attackers to make a logged-in admin insert arbitrary notes via a CSRF attack.

4.3
2022-04-18 CVE-2022-0780 Searchiq Cross-site Scripting vulnerability in Searchiq

The SearchIQ WordPress plugin before 3.9 contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siq_ajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter.

4.3
2022-04-18 CVE-2022-0879 Calderaforms Cross-site Scripting vulnerability in Calderaforms Caldera Forms

The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

4.3
2022-04-18 CVE-2022-1091 10Up Cross-site Scripting vulnerability in 10Up Safe SVG

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file.

4.3
2022-04-18 CVE-2020-13495 Pixar Out-of-bounds Write vulnerability in Pixar Openusd 20.05

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files.

4.3
2022-04-18 CVE-2022-23975 Accesspressthemes Cross-Site Request Forgery (CSRF) vulnerability in Accesspressthemes Access Demo Importer

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin.

4.3
2022-04-22 CVE-2021-20464 IBM
Netapp
XML Entity Expansion vulnerability in multiple products

IBM Cognos Analytics PowerPlay (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7) could be vulnerable to an XML Bomb attack by a malicious authenticated user.

4.0
2022-04-22 CVE-2021-29824 IBM
Netapp
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to privilege escalation, where a lower-level user could have read access to the 'Data Connections' page to which they don't have access.
4.0
2022-04-22 CVE-2021-38905 IBM
Netapp
Exposure of Resource to Wrong Sphere vulnerability in multiple products

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow an authenticated user to view report pages that they should not have access to.

4.0
2022-04-21 CVE-2022-28445 Kitesky Files or Directories Accessible to External Parties vulnerability in Kitesky Kitecms 1.1.1

KiteCMS v1.1.1 was discovered to contain an arbitrary file read vulnerability via the background management module.

4.0
2022-04-21 CVE-2021-23055 F5 Unspecified vulnerability in F5 Nginx Ingress Controller

On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects.

4.0
2022-04-21 CVE-2022-20790 Cisco Path Traversal vulnerability in Cisco Unified Communications Manager

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system.

4.0
2022-04-21 CVE-2022-22969 Pivotal Resource Exhaustion vulnerability in Pivotal Spring Security Oauth

Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application.

4.0
2022-04-21 CVE-2022-24272 Mongodb Reachable Assertion vulnerability in Mongodb

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database.

4.0
2022-04-20 CVE-2022-24865 Humhub Incorrect Authorization vulnerability in Humhub

HumHub is an Open Source Enterprise Social Network.

4.0
2022-04-20 CVE-2022-24862 Databasir Project Server-Side Request Forgery (SSRF) vulnerability in Databasir Project Databasir 1.0.1

Databasir is a team-oriented relational database model document management platform.

4.0
2022-04-20 CVE-2022-27179 Redlion Insufficiently Protected Credentials vulnerability in Redlion Da50N Firmware

A malicious actor having access to the exported configuration file may obtain the stored credentials and thereby gain access to the protected resource.

4.0
2022-04-19 CVE-2022-21412 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21413 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).
4.0
2022-04-19 CVE-2022-21414 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21415 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).
4.0
2022-04-19 CVE-2022-21417 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.0
2022-04-19 CVE-2022-21423 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.0
2022-04-19 CVE-2022-21427 Oracle
Netapp
Mariadb
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS).
4.0
2022-04-19 CVE-2022-21435 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21436 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21437 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21438 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21447 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise CS Academic Advisement 9.2

Vulnerability in the PeopleSoft Enterprise CS Academic Advisement product of Oracle PeopleSoft (component: Advising Notes).

4.0
2022-04-19 CVE-2022-21452 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21454 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin).
4.0
2022-04-19 CVE-2022-21462 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.0
2022-04-19 CVE-2022-21467 Oracle Unspecified vulnerability in Oracle Agile PLM 9.3.6

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Attachments).

4.0
2022-04-19 CVE-2022-21482 Oracle
Netapp
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General).
4.0
2022-04-19 CVE-2022-21483 Oracle
Netapp
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General).
4.0
2022-04-19 CVE-2022-21489 Oracle
Netapp
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General).
4.0
2022-04-19 CVE-2022-21490 Oracle
Netapp
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General).
4.0
2022-04-19 CVE-2022-21498 Oracle Unspecified vulnerability in Oracle Database 12.1.0.2/19C/21C

Vulnerability in the Java VM component of Oracle Database Server.

4.0
2022-04-19 CVE-2021-39033 IBM Information Exposure Through an Error Message vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

4.0
2022-04-19 CVE-2022-26595 Liferay Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal

Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13 and 7.3 fix pack 2 do not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.

4.0
2022-04-18 CVE-2011-1762 Wordpress Incorrect Default Permissions vulnerability in Wordpress

A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts.

4.0
2022-04-18 CVE-2020-25167 Osisoft Incorrect Authorization vulnerability in Osisoft PI Vision

OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute.

4.0

59 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-04-21 CVE-2022-22558 Dell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Dell products

Dell PowerEdge Server BIOS and Dell Precision Workstation 7910 and 7920 Rack BIOS contain an Improper SMM communication buffer verification vulnerability.

3.6
2022-04-20 CVE-2021-38483 Fanuc Incorrect Permission Assignment for Critical Resource vulnerability in Fanuc Roboguide 9.40083.00.05

The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation.

3.6
2022-04-19 CVE-2022-21465 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

3.6
2022-04-24 CVE-2022-1445 Snipeitapp Cross-site Scripting vulnerability in Snipeitapp Snipe-It

Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3.

3.5
2022-04-22 CVE-2021-38903 IBM, Netapp Cross-site Scripting vulnerability in multiple products

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input.

3.5
2022-04-22 CVE-2021-38946 IBM Cross-site Scripting vulnerability in IBM Cognos Analytics 11.1.7/11.2.0/11.2.1

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting.

3.5
2022-04-22 CVE-2022-28074 Fit2Cloud Cross-site Scripting vulnerability in Fit2Cloud Halo 1.5.0

Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools.

3.5
2022-04-22 CVE-2022-26673 Asus Cross-site Scripting vulnerability in Asus Rt-Ax88U Firmware

ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter.

3.5
2022-04-21 CVE-2022-22435 IBM Cross-site Scripting vulnerability in IBM Maximo Asset Management 7.6.1.2

IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting.

3.5
2022-04-21 CVE-2022-22436 IBM Cross-site Scripting vulnerability in IBM Maximo Asset Management 7.6.1.2

IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting.

3.5
2022-04-21 CVE-2022-24868 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing.

3.5
2022-04-21 CVE-2022-24869 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing.

3.5
2022-04-21 CVE-2022-24870 Combodo Cross-site Scripting vulnerability in Combodo Itop 3.0.0

Combodo iTop is a web based IT Service Management tool.

3.5
2022-04-21 CVE-2022-1022 Chatwoot Cross-site Scripting vulnerability in Chatwoot

Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0.

3.5
2022-04-20 CVE-2022-29529 Misp Cross-site Scripting vulnerability in Misp

An issue was discovered in MISP before 2.4.158.

3.5
2022-04-20 CVE-2022-29530 Misp Cross-site Scripting vulnerability in Misp

An issue was discovered in MISP before 2.4.158.

3.5
2022-04-20 CVE-2022-29531 Misp Cross-site Scripting vulnerability in Misp

An issue was discovered in MISP before 2.4.158.

3.5
2022-04-20 CVE-2022-29532 Misp Cross-site Scripting vulnerability in Misp

An issue was discovered in MISP before 2.4.158.

3.5
2022-04-20 CVE-2022-24864 Originprotocol Cross-site Scripting vulnerability in Originprotocol Origin Website

Origin Protocol is a blockchain based project.

3.5
2022-04-19 CVE-2021-23283 Eaton Cross-site Scripting vulnerability in Eaton Intelligent Power Protector

Eaton Intelligent Power Protector (IPP) prior to version 1.69 is vulnerable to stored Cross Site Scripting.

3.5
2022-04-19 CVE-2021-41570 Veritas Cross-site Scripting vulnerability in Veritas Netbackup 8.3.0.1/9.1

Veritas NetBackup OpsCenter Analytics 9.1 allows XSS via the NetBackup Master Server Name, Display Name, NetBackup User Name, or NetBackup Password field during a Settings/Configuration Add operation.

3.5
2022-04-19 CVE-2022-26593 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Cross-site scripting (XSS) vulnerability in the Asset module's asset categories selector in Liferay Portal 7.3.3 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the name of an asset category.

3.5
2022-04-18 CVE-2022-0737 Text Hover Project Cross-site Scripting vulnerability in Text Hover Project Text Hover

The Text Hover WordPress plugin before 4.2 does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-04-18 CVE-2022-0765 Loco Translate Project Cross-site Scripting vulnerability in Loco Translate Project Loco Translate

The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.

3.5
2022-04-18 CVE-2022-0994 Incsub Cross-site Scripting vulnerability in Incsub Hummingbird

The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-04-18 CVE-2022-1001 WP Downgrade Project Cross-site Scripting vulnerability in WP Downgrade Project WP Downgrade

The WP Downgrade WordPress plugin before 1.2.3 only performs client side validation of its "WordPress Target Version" setting, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-04-18 CVE-2022-1063 Thank ME Later Project Cross-site Scripting vulnerability in Thank ME Later Project Thank ME Later 3.3.4

The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-04-18 CVE-2022-1088 Contextureintl Cross-site Scripting vulnerability in Contextureintl Page Security & Membership

The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-04-18 CVE-2022-1090 Good BAD Comments Project Cross-site Scripting vulnerability in Good-Bad-Comments Project Good-Bad-Comments

The Good & Bad Comments WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-04-18 CVE-2022-1112 Autolinks Project Cross-site Scripting vulnerability in Autolinks Project Autolinks 1.0.1

The Autolinks WordPress plugin through 1.0.1 does not have a CSRF check in place when updating its settings, and does not sanitise or escape them, which could allow attackers to perform Stored Cross-Site Scripting against a logged in admin via a CSRF attack.

3.5
2022-04-18 CVE-2021-23284 Eaton Cross-site Scripting vulnerability in Eaton Intelligent Power Manager Infrastructure

Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to stored Cross-site Scripting.

3.5
2022-04-18 CVE-2021-23285 Eaton Cross-site Scripting vulnerability in Eaton Intelligent Power Manager

Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to reflected Cross-site Scripting.

3.5
2022-04-18 CVE-2022-27853 Contest Gallery Cross-site Scripting vulnerability in Contest-Gallery Contest Gallery

Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9.

3.5
2022-04-19 CVE-2022-21484 Oracle, Netapp

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General).

2.9
2022-04-19 CVE-2022-21485 Oracle, Netapp

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General).

2.9
2022-04-19 CVE-2022-21486 Oracle, Netapp

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General).

2.9
2022-04-21 CVE-2022-20805 Cisco Unspecified vulnerability in Cisco Umbrella Secure web Gateway

A vulnerability in the automatic decryption process in Cisco Umbrella Secure Web Gateway (SWG) could allow an authenticated, adjacent attacker to bypass the SSL decryption and content filtering policies on an affected system.

2.7
2022-04-21 CVE-2022-26856 Dell Insufficiently Protected Credentials vulnerability in Dell EMC Repository Manager 3.4.0

Dell EMC Repository Manager version 3.4.0 contains a plain-text password storage vulnerability.

2.1
2022-04-21 CVE-2021-43708 Helpsystems Improper Preservation of Permissions vulnerability in Helpsystems Titus Data Classification 18.8.1910.140

The Labeling tool in Titus Classification Suite 18.8.1910.140 allows users to avoid the generation of a classification label by using Excel's safe mode.

2.1
2022-04-21 CVE-2020-14121 MI Incorrect Authorization vulnerability in MI APP Store 4.12.2

A business logic vulnerability exists in Mi App Store.

2.1
2022-04-21 CVE-2020-14122 MI Insufficient Verification of Data Authenticity vulnerability in MI Miui 12.5.2

Some Xiaomi phones have information leakage vulnerabilities, and some of them may be able to forge a specific identity due to the lack of parameter verification, resulting in user information leakage.

2.1
2022-04-20 CVE-2022-1318 Carrier Inadequate Encryption Strength vulnerability in Carrier Hills Comnav Firmware 300219

Hills ComNav version 3002-19 suffers from a weak communication channel.

2.1
2022-04-20 CVE-2022-26519 Carrier Improper Restriction of Excessive Authentication Attempts vulnerability in Carrier Hills Comnav Firmware 300219

There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.

2.1
2022-04-19 CVE-2022-21444 Oracle, Netapp

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).

2.1
2022-04-19 CVE-2022-21451 Oracle, Netapp, Mariadb

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).

2.1
2022-04-19 CVE-2022-21460 Oracle, Netapp

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging).

2.1
2022-04-19 CVE-2022-21461 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).

2.1
2022-04-19 CVE-2022-21463 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).

2.1
2022-04-19 CVE-2022-21471 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

2.1
2022-04-19 CVE-2022-21487 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

2.1
2022-04-19 CVE-2022-21488 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

2.1
2022-04-19 CVE-2021-39078 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Security Guardium 10.5

IBM Security Guardium 10.5 stores user credentials in clear text, which can be read by a local privileged user.

2.1
2022-04-18 CVE-2022-0706 Sandhillsdev Cross-site Scripting vulnerability in Sandhillsdev Easy Digital Downloads

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.

2.1
2022-04-18 CVE-2011-4917 Linux Unspecified vulnerability in Linux Kernel

In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.

2.1
2022-04-18 CVE-2021-3681 Redhat Insufficiently Protected Credentials vulnerability in Redhat Ansible Automation Platform and Ansible Galaxy

A flaw was found in Ansible Galaxy Collections.

2.1
2022-04-19 CVE-2022-21416 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Utility).

1.9
2022-04-19 CVE-2022-21493 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).

1.9
2022-04-19 CVE-2022-21405 Oracle Unspecified vulnerability in Oracle OSS Support Tools 18.3

Vulnerability in the OSS Support Tools product of Oracle Support Tools (component: Oracle Explorer).

1.2
2022-04-19 CVE-2022-21494 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).

1.2