Weekly Vulnerabilities Reports > May 2 to 8, 2022
Overview
455 new vulnerabilities were reported during this period, including 106 critical vulnerabilities and 177 high severity vulnerabilities. This weekly summary reports vulnerabilities in 348 products from 204 vendors including F5, Google, Cisco, Debian, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "OS Command Injection", and "Path Traversal".
- 365 reported vulnerabilities are remotely exploitable.
- 6 reported vulnerabilities have a public exploit available.
- 138 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 274 reported vulnerabilities are exploitable by an anonymous user.
- F5 has the most reported vulnerabilities, with 42 reported vulnerabilities.
- Deltaww has the most reported critical vulnerabilities, with 11 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
106 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-04 | CVE-2022-30292 | Squirrel Lang Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lack of a certain sq_reservestack call. | 10.0 |
2022-05-06 | CVE-2022-24817 | Fluxcd | Code Injection vulnerability in Fluxcd Kustomize-Controller Flux2 is an open and extensible continuous delivery solution for Kubernetes. | 9.9 |
2022-05-04 | CVE-2022-20777 | Cisco | Unspecified vulnerability in Cisco Enterprise NFV Infrastructure Software Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. | 9.9 |
2022-05-08 | CVE-2022-28470 | Python | Unspecified vulnerability in Python Pypi marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor. | 9.8 |
2022-05-07 | CVE-2022-29180 | Charm | Server-Side Request Forgery (SSRF) vulnerability in Charm A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. | 9.8 |
2022-05-06 | CVE-2021-23592 | Thinkphp | Deserialization of Untrusted Data vulnerability in Thinkphp The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class. | 9.8 |
2022-05-06 | CVE-2021-23792 | Twelvemonkeys Project | XXE vulnerability in Twelvemonkeys Project Twelvemonkeys The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. | 9.8 |
2022-05-06 | CVE-2021-27762 | Hcltech | Unspecified vulnerability in Hcltech Bigfix Platform Misconfigured security-related HTTP headers: Several security-related headers were missing or mis-configured on the web responses | 9.8 |
2022-05-06 | CVE-2022-29423 | Edmonsoft | Unspecified vulnerability in Edmonsoft Countdown Builder Pro Features Lock Bypass vulnerability in Countdown & Clock plugin <= 2.3.2 at WordPress. | 9.8 |
2022-05-06 | CVE-2022-28163 | Broadcom | SQL Injection vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.1.1.8 In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands. | 9.8 |
2022-05-06 | CVE-2022-28005 | 3CX | Insufficiently Protected Credentials vulnerability in 3CX An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. | 9.8 |
2022-05-06 | CVE-2020-19213 | Piwigo | SQL Injection vulnerability in Piwigo 2.9.5 SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories. | 9.8 |
2022-05-06 | CVE-2022-29161 | Xwiki | Inadequate Encryption Strength vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 9.8 |
2022-05-05 | CVE-2022-29535 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Opmanager Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports. | 9.8 |
2022-05-05 | CVE-2022-27360 | Bladex | SQL Injection vulnerability in Bladex Springblade 3.2.0 SpringBlade v3.2.0 and below was discovered to contain a SQL injection vulnerability via the component customSqlSegment. | 9.8 |
2022-05-05 | CVE-2022-27411 | Totolink | Unspecified vulnerability in Totolink N600R Firmware 5.3C.5507B20171031 TOTOLINK N600R v5.3c.5507_B20171031 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter in the "Main" function. | 9.8 |
2022-05-05 | CVE-2022-28575 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setopenvpnclientcfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows attackers to execute arbitrary commands through a carefully constructed payload | 9.8 |
2022-05-05 | CVE-2022-28577 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the delParentalRules interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2022-28578 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setOpenVpnCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2022-28579 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setParentalRules interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2022-28580 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setL2tpServerCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2022-28581 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setWiFiAdvancedCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2022-28582 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setWiFiSignalCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2022-28583 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setWiFiWpsCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2022-28584 | Totolink | OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 It is found that there is a command injection vulnerability in the setWiFiWpsStart interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | 9.8 |
2022-05-05 | CVE-2021-38423 | Gurum | Unspecified vulnerability in Gurum Gurumdds All versions of GurumDDS improperly calculate the size to be used when allocating the buffer, which may result in a buffer overflow. | 9.8 |
2022-05-05 | CVE-2021-38435 | RTI | Unspecified vulnerability in RTI Connext DDS Professional and Connext DDS Secure RTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 do not correctly calculate the size when allocating the buffer, which may result in a buffer overflow. | 9.8 |
2022-05-05 | CVE-2021-38439 | Gurum | Unspecified vulnerability in Gurum Gurumdds All versions of GurumDDS are vulnerable to heap-based buffer overflow, which may cause a denial-of-service condition or remotely execute arbitrary code. | 9.8 |
2022-05-05 | CVE-2021-38441 | Eclipse | Unspecified vulnerability in Eclipse Cyclonedds Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | 9.8 |
2022-05-05 | CVE-2021-38443 | Eclipse | Unspecified vulnerability in Eclipse Cyclonedds Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | 9.8 |
2022-05-05 | CVE-2021-38445 | Objectcomputing | Unspecified vulnerability in Objectcomputing Opendds OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code. | 9.8 |
2022-05-05 | CVE-2021-44055 | Qnap | Missing Authorization vulnerability in Qnap Video Station A missing authorization vulnerability has been reported to affect QNAP device running Video Station. | 9.8 |
2022-05-05 | CVE-2021-44056 | Qnap | Improper Authentication vulnerability in Qnap Video Station An improper authentication vulnerability has been reported to affect QNAP device running Video Station. | 9.8 |
2022-05-05 | CVE-2021-44057 | Qnap | Improper Authentication vulnerability in Qnap Photo Station An improper authentication vulnerability has been reported to affect QNAP device running Photo Station. | 9.8 |
2022-05-05 | CVE-2022-27588 | Qnap | Command Injection vulnerability in Qnap QVR 5.1.5 We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later | 9.8 |
2022-05-05 | CVE-2022-28120 | Rainier | Unrestricted Upload of File with Dangerous Type vulnerability in Rainier Open Virtual Simulation Experiment Teaching Management Platform 2.0 Beijing Runnier Network Technology Co., Ltd Open virtual simulation experiment teaching management platform software 2.0 has a file upload vulnerability, which can be exploited by an attacker to gain control of the server. | 9.8 |
2022-05-05 | CVE-2022-28530 | Covid 19 Directory ON Vaccination System Project | SQL Injection vulnerability in Covid-19 Directory on Vaccination System Project Covid-19 Directory on Vaccination System 1.0 Sourcecodester Covid-19 Directory on Vaccination System 1.0 is vulnerable to SQL Injection via cmdcategory. | 9.8 |
2022-05-05 | CVE-2022-28533 | Medical HUB Directory Site Project | SQL Injection vulnerability in Medical HUB Directory Site Project Medical HUB Directory Site 1.0 Sourcecodester Medical Hub Directory Site 1.0 is vulnerable to SQL Injection via /mhds/clinic/view_details.php. | 9.8 |
2022-05-05 | CVE-2022-28606 | Bosscms | Unrestricted Upload of File with Dangerous Type vulnerability in Bosscms 1.0.0 An arbitrary file upload vulnerability exists in Wenzhou Huoyin Information Technology Co., Ltd. | 9.8 |
2022-05-05 | CVE-2022-29502 | Schedmd Fedoraproject | SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges. | 9.8 |
2022-05-05 | CVE-2022-29592 | Tenda | OS Command Injection vulnerability in Tenda TX9 PRO Firmware 22.03.02.10 Tenda TX9 Pro 22.03.02.10 devices allow OS command injection via set_route (called by doSystemCmd_route). | 9.8 |
2022-05-05 | CVE-2021-42242 | Jflyfox | Unspecified vulnerability in Jflyfox Jfinal CMS 5.0.1 A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor. | 9.8 |
2022-05-05 | CVE-2022-28461 | Mingyuefusu Project | SQL Injection vulnerability in Mingyuefusu Project Mingyuefusu 20220327 mingyuefusu Library Management System all versions as of 03-27-2022 is vulnerable to SQL Injection. | 9.8 |
2022-05-05 | CVE-2021-41739 | Artica Proxy | OS Command Injection vulnerability in Artica-Proxy Artica Proxy 4.30.000000 An OS Command Injection vulnerability was discovered in Artica Proxy 4.30.000000. | 9.8 |
2022-05-05 | CVE-2022-28890 | Apache | XXE vulnerability in Apache Jena 4.4.0 A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. | 9.8 |
2022-05-04 | CVE-2022-30284 | Python Libnmap Project | Argument Injection or Modification vulnerability in Python-Libnmap Project Python-Libnmap In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments). | 9.8 |
2022-05-04 | CVE-2022-29155 | Openldap Debian Netapp | SQL Injection vulnerability in multiple products In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. | 9.8 |
2022-05-04 | CVE-2021-42235 | Enhancesoft | SQL Injection vulnerability in Enhancesoft Osticket SQL injection in osTicket before 1.14.8 and 1.15.4 login and password reset process allows attackers to access the osTicket administration profile functionality. | 9.8 |
2022-05-04 | CVE-2022-28557 | Tenda | OS Command Injection vulnerability in Tenda Ac15 Firmware 15.03.05.20Multitde01 There is a command injection vulnerability at the /goform/setsambacfg interface of Tenda AC15 US_AC15V1.0BR_V15.03.05.20_multi_TDE01.bin device web, which can also cooperate with CVE-2021-44971 to cause unconditional arbitrary command execution | 9.8 |
2022-05-04 | CVE-2022-28512 | Fantastic Blog Project | SQL Injection vulnerability in Fantastic Blog Project Fantastic Blog 1.0 A SQL injection vulnerability exists in Sourcecodester Fantastic Blog CMS 1.0. | 9.8 |
2022-05-04 | CVE-2022-28568 | Simple Doctor S Appointment System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Simple Doctor'S Appointment System Project Simple Doctor'S Appointment System 1.0 Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. | 9.8 |
2022-05-04 | CVE-2022-29347 | WEB Rchiv Project | Unrestricted Upload of File with Dangerous Type vulnerability in Web@Rchiv Project Web@Rchiv 1.0 An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file. | 9.8 |
2022-05-04 | CVE-2022-28082 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn Tenda AX12 v22.03.01.21_CN was discovered to contain a stack overflow via the list parameter at /goform/SetNetControlList. | 9.8 |
2022-05-04 | CVE-2022-28111 | Pagehelper Project | SQL Injection vulnerability in Pagehelper Project Pagehelper MyBatis PageHelper v1.x.x-v3.7.0 v4.0.0-v5.0.0,v5.1.0-v5.3.0 was discovered to contain a time-blind SQL injection vulnerability via the orderBy parameter. | 9.8 |
2022-05-04 | CVE-2021-42185 | Wdja | SQL Injection vulnerability in Wdja 2.1 wdja v2.1 is affected by a SQL injection vulnerability in the foreground search function. | 9.8 |
2022-05-04 | CVE-2022-27420 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the patient_contact parameter in patientsearch.php. | 9.8 |
2022-05-04 | CVE-2022-27431 | Wuzhicms | SQL Injection vulnerability in Wuzhicms Wuzhi CMS 4.1.0 Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php. | 9.8 |
2022-05-04 | CVE-2022-28055 | Fusionpbx | OS Command Injection vulnerability in Fusionpbx Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function. | 9.8 |
2022-05-04 | CVE-2021-43163 | Ruijienetworks | Command Injection vulnerability in Ruijienetworks Reyeeos A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the checkNet function in /cgi-bin/luci/api/auth. | 9.8 |
2022-05-03 | CVE-2021-22680 | NXP | Unspecified vulnerability in NXP MQX 5.1 NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in mem_alloc, _lwmem_alloc and _partition functions. | 9.8 |
2022-05-03 | CVE-2021-27417 | Ecoscentric | Integer Overflow or Wraparound vulnerability in Ecoscentric Ecospro 2.0.1/4.5.3 eCosCentric eCosPro RTOS Versions 2.0.1 through 4.5.3 are vulnerable to integer wraparound in function calloc (an implementation of malloc). | 9.8 |
2022-05-03 | CVE-2021-27419 | Uclibc NG Project | Unspecified vulnerability in Uclibc-Ng Project Uclibc-Ng uClibc-ng versions prior to 1.0.37 are vulnerable to integer wrap-around in functions malloc-simple. | 9.8 |
2022-05-03 | CVE-2021-27421 | NXP | Unspecified vulnerability in NXP Mcuxpresso Software Development KIT NXP MCUXpresso SDK versions prior to 2.8.2 are vulnerable to integer overflow in SDK_Malloc function, which could allow access to memory locations outside the bounds of a specified array, leading to unexpected behavior such as a segmentation fault when assigning a particular block of memory from the heap via malloc. | 9.8 |
2022-05-03 | CVE-2021-27425 | Cesanta | Unspecified vulnerability in Cesanta Mongoose OS 2.17.0 Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc. | 9.8 |
2022-05-03 | CVE-2021-27427 | Riot OS | Unspecified vulnerability in Riot-Os Riot 2020.01.1 RIOT OS version 2020.01.1 is vulnerable to integer wrap-around in its implementation of calloc function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. | 9.8 |
2022-05-03 | CVE-2021-27431 | ARM | Unspecified vulnerability in ARM Cmsis-Rtos ARM CMSIS RTOS2 versions prior to 2.1.3 are vulnerable to integer wrap-around in osRtxMemoryAlloc (local malloc equivalent) function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or injected code execution. | 9.8 |
2022-05-03 | CVE-2021-27433 | ARM | Integer Overflow or Wraparound vulnerability in ARM Mbed Ualloc 1.3.0 ARM mbed-ualloc memory library version 1.3.0 is vulnerable to integer wrap-around in function mbed_krbs, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. | 9.8 |
2022-05-03 | CVE-2021-27435 | ARM | Unspecified vulnerability in ARM Mbed 6.3.0 ARM mbed product Version 6.3.0 is vulnerable to integer wrap-around in malloc_wrapper function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. | 9.8 |
2022-05-03 | CVE-2021-27439 | Tencent | Unspecified vulnerability in Tencent Tencentos-Tiny 3.1.0 TencentOS-tiny version 3.1.0 is vulnerable to integer wrap-around in function 'tos_mmheap_alloc' (incorrect calculation of effective memory allocation size). | 9.8 |
2022-05-03 | CVE-2022-27413 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php. | 9.8 |
2022-05-03 | CVE-2022-28585 | Phome | SQL Injection vulnerability in Phome Empirecms 7.5 EmpireCMS 7.5 has a SQL injection vulnerability in AdClass.php | 9.8 |
2022-05-03 | CVE-2022-27962 | Bluecms Project | SQL Injection vulnerability in Bluecms Project Bluecms 1.6 Bluecms 1.6 has a SQL injection vulnerability at cooike. | 9.8 |
2022-05-03 | CVE-2022-1292 | Openssl Debian Netapp Oracle Fedoraproject | OS Command Injection vulnerability in multiple products The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. | 9.8 |
2022-05-03 | CVE-2022-28560 | Tenda | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21Cn There is a stack overflow vulnerability in the goform/fast_setting_wifi_set function in the httpd service of Tenda ac9 15.03.2.21_cn router. | 9.8 |
2022-05-03 | CVE-2022-28561 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn There is a stack overflow vulnerability in the /goform/setMacFilterCfg function in the httpd service of Tenda ax12 22.03.01.21_cn router. | 9.8 |
2022-05-03 | CVE-2022-28118 | Sscms | Unspecified vulnerability in Sscms Siteserver CMS SiteServer CMS v7.x allows attackers to execute arbitrary code via a crafted plug-in. | 9.8 |
2022-05-02 | CVE-2020-23620 | Orlansoft | Deserialization of Untrusted Data vulnerability in Orlansoft ERP The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object. | 9.8 |
2022-05-02 | CVE-2020-23621 | Squire Technologies | Deserialization of Untrusted Data vulnerability in Squire-Technologies SVI MS Management System The Java Remote Management Interface of all versions of SVI MS Management System was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object. | 9.8 |
2022-05-02 | CVE-2022-1367 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in Handler_TCV.ashx. | 9.8 |
2022-05-02 | CVE-2022-1369 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in ReadRegIND. | 9.8 |
2022-05-02 | CVE-2022-1370 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in ReadREGbyID. | 9.8 |
2022-05-02 | CVE-2022-1371 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in ReadRegf. | 9.8 |
2022-05-02 | CVE-2022-1372 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in dlSlog.aspx. | 9.8 |
2022-05-02 | CVE-2022-1374 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in DIAE_unHandler.ashx. | 9.8 |
2022-05-02 | CVE-2022-1375 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in DIAE_slogHandler.ashx. | 9.8 |
2022-05-02 | CVE-2022-1376 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in DIAE_privgrpHandler.ashx. | 9.8 |
2022-05-02 | CVE-2022-1377 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in DIAE_rltHandler.ashx. | 9.8 |
2022-05-02 | CVE-2022-1378 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in DIAE_pgHandler.ashx. | 9.8 |
2022-05-02 | CVE-2022-1366 | Deltaww | Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability in HandlerChart.ashx. | 9.8 |
2022-05-02 | CVE-2022-0771 | Marketingheroes | Unspecified vulnerability in Marketingheroes Sitesupercharger The SiteSuperCharger WordPress plugin before 5.2.0 does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions (available to both unauthenticated and authenticated users), leading to Unauthenticated SQL Injections | 9.8 |
2022-05-02 | CVE-2022-0773 | Documentor Project | SQL Injection vulnerability in Documentor Project Documentor 1.5.3 The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users. | 9.8 |
2022-05-02 | CVE-2022-0783 | Themehigh | Unspecified vulnerability in Themehigh multiple Shipping Addresses for Woocommerce The Multiple Shipping Address Woocommerce WordPress plugin before 2.0 does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections | 9.8 |
2022-05-02 | CVE-2022-1281 | 10Web | Unspecified vulnerability in 10Web Photo Gallery The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible. | 9.8 |
2022-05-02 | CVE-2022-27466 | Mingsoft | SQL Injection vulnerability in Mingsoft Mcms 5.2.27 MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. | 9.8 |
2022-05-02 | CVE-2022-27982 | Ruijienetworks | Unspecified vulnerability in Ruijienetworks Rg-Nbr2100G-E Firmware RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php. | 9.8 |
2022-05-02 | CVE-2022-28054 | Vandyke | Unspecified vulnerability in Vandyke Vshell 3.5.0.0/4.6.2 Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value. | 9.8 |
2022-05-02 | CVE-2022-28056 | Shopxo | Unspecified vulnerability in Shopxo 2.2.5 ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php. | 9.8 |
2022-05-02 | CVE-2022-28573 | Dlink | OS Command Injection vulnerability in Dlink Dir-823 PRO Firmware 1.0.2 D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetNTPserverSeting. | 9.8 |
2022-05-02 | CVE-2022-28571 | Dlink | OS Command Injection vulnerability in Dlink Dir-882 Firmware 1.30B06 D-link 882 DIR882A1_FW130B06 was discovered to contain a command injection vulnerability in `/usr/bin/cli`. | 9.8 |
2022-05-05 | CVE-2022-1575 | Diagrams | Cross-site Scripting vulnerability in Diagrams Drawio Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. | 9.6 |
2022-05-06 | CVE-2022-1053 | Keylime Fedoraproject | Improper Input Validation vulnerability in multiple products Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. | 9.1 |
2022-05-05 | CVE-2021-38425 | Eprosima | Unspecified vulnerability in Eprosima Fast DDS eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure. | 9.1 |
2022-05-05 | CVE-2021-38429 | Objectcomputing | Unspecified vulnerability in Objectcomputing Opendds OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition and information exposure. | 9.1 |
2022-05-05 | CVE-2021-38487 | RTI | Unspecified vulnerability in RTI products RTI Connext DDS Professional, Connext DDS Secure versions 4.2x to 6.1.0, and Connext DDS Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. | 9.1 |
2022-05-05 | CVE-2022-26415 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. | 9.1 |
2022-05-02 | CVE-2021-3643 | SOX Project | Unspecified vulnerability in SOX Project SOX 14.4.1 A flaw was found in sox 14.4.1. | 9.1 |
177 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-06 | CVE-2022-26889 | Splunk | Path Traversal vulnerability in Splunk 8.1.0/8.1.1 In Splunk Enterprise versions before 8.1.2, the uri path to load a relative resource within a web page is vulnerable to path traversal. | 8.8 |
2022-05-06 | CVE-2022-28165 | Broadcom | Unspecified vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.1.1.8 A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. | 8.8 |
2022-05-06 | CVE-2022-21934 | Johnsoncontrols | Improper Authentication vulnerability in Johnsoncontrols products Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. | 8.8 |
2022-05-06 | CVE-2020-19215 | Piwigo | SQL Injection vulnerability in Piwigo 2.9.5 SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm. | 8.8 |
2022-05-06 | CVE-2020-19216 | Piwigo | SQL Injection vulnerability in Piwigo 2.9.5 SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm. | 8.8 |
2022-05-06 | CVE-2020-19217 | Piwigo | SQL Injection vulnerability in Piwigo 2.9.5 SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager. | 8.8 |
2022-05-06 | CVE-2022-24877 | Fluxcd | Path Traversal vulnerability in Fluxcd Flux2 Flux is an open and extensible continuous delivery solution for Kubernetes. | 8.8 |
2022-05-05 | CVE-2022-29166 | Matrix | Injection vulnerability in Matrix IRC Bridge matrix-appservice-irc is a Node.js IRC bridge for Matrix. | 8.8 |
2022-05-05 | CVE-2022-29173 | Theupdateframework | Improper Validation of Integrity Check Value vulnerability in Theupdateframework Go-Tuf 0.2.0 go-tuf is a Go implementation of The Update Framework (TUF). | 8.8 |
2022-05-05 | CVE-2022-25989 | Anker | Authentication Bypass by Spoofing vulnerability in Anker Eufy Homebase 2 Firmware 2.1.8.5H An authentication bypass vulnerability exists in the libxm_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h. | 8.8 |
2022-05-05 | CVE-2021-44051 | Qnap | Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. | 8.8 |
2022-05-05 | CVE-2022-28079 | College Management System Project | SQL Injection vulnerability in College Management System Project College Management System 1.0 College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter. | 8.8 |
2022-05-05 | CVE-2022-28080 | Event Management System Project | SQL Injection vulnerability in Event Management System Project Event Management System 1.0 Royal Event Management System v1.0 was discovered to contain a SQL injection vulnerability via the todate parameter. | 8.8 |
2022-05-05 | CVE-2022-28716 | F5 | Unspecified vulnerability in F5 products On 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP AFM, CGNAT, and PEM Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 8.8 |
2022-05-05 | CVE-2022-29500 | Schedmd Fedoraproject Debian | SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Information Disclosure. | 8.8 |
2022-05-05 | CVE-2022-29501 | Schedmd Fedoraproject Debian | SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges and code execution. | 8.8 |
2022-05-05 | CVE-2022-29938 | Librehealth | SQL Injection vulnerability in Librehealth EHR 2.0.0 In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via interface\billing\payment_master.inc.php leads to SQL injection. | 8.8 |
2022-05-04 | CVE-2022-20779 | Cisco | Improper Input Validation vulnerability in Cisco Enterprise NFV Infrastructure Software Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. | 8.8 |
2022-05-04 | CVE-2021-41020 | Fortinet | Unspecified vulnerability in Fortinet Fortiisolator 2.3.0/2.3.1/2.3.2 An improper access control vulnerability [CWE-284] in FortiIsolator versions 2.3.2 and below may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL. | 8.8 |
2022-05-04 | CVE-2022-28552 | Chshcms | SQL Injection vulnerability in Chshcms Cscms 4.1 Cscms 4.1 is vulnerable to SQL Injection. | 8.8 |
2022-05-04 | CVE-2022-25778 | Secomea | Cross-Site Request Forgery (CSRF) vulnerability in Secomea products Cross-Site Request Forgery (CSRF) vulnerability in Web UI of Secomea GateManager allows phishing attacker to issue get request in logged in user session. | 8.8 |
2022-05-04 | CVE-2022-27903 | EVE NG | OS Command Injection vulnerability in Eve-Ng 2.0.3112/4.0.165 An OS Command Injection vulnerability in the configuration parser of Eve-NG Professional through 4.0.1-65 and Eve-NG Community through 2.0.3-112 allows a remote authenticated attacker to execute commands as root by editing virtualization command parameters of imported UNL files. | 8.8 |
2022-05-04 | CVE-2022-28099 | Poultry Farm Management System Project | SQL Injection vulnerability in Poultry Farm Management System Project Poultry Farm Management System 1.0 Poultry Farm Management System v1.0 was discovered to contain a SQL injection vulnerability via the Item parameter at /farm/store.php. | 8.8 |
2022-05-04 | CVE-2021-42192 | Konga Project | Incorrect Authorization vulnerability in Konga Project Konga 0.14.9 Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation. | 8.8 |
2022-05-04 | CVE-2021-43159 | Ruijienetworks | Command Injection vulnerability in Ruijienetworks Reyeeos A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the setSessionTime function in /cgi-bin/luci/api/common. | 8.8 |
2022-05-04 | CVE-2021-43160 | Ruijienetworks | Command Injection vulnerability in Ruijienetworks Reyeeos A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the switchFastDhcp function in /cgi-bin/luci/api/diagnose. | 8.8 |
2022-05-04 | CVE-2021-43161 | Ruijienetworks | Command Injection vulnerability in Ruijienetworks Reyeeos A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the doSwitchApi function in /cgi-bin/luci/api/switch. | 8.8 |
2022-05-04 | CVE-2021-43162 | Ruijienetworks | Command Injection vulnerability in Ruijienetworks Reyeeos A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the runPackDiagnose function in /cgi-bin/luci/api/diagnose. | 8.8 |
2022-05-04 | CVE-2021-43164 | Ruijienetworks | OS Command Injection vulnerability in Ruijienetworks Reyeeos A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless. | 8.8 |
2022-05-03 | CVE-2022-1548 | Mattermost | Unspecified vulnerability in Mattermost Playbooks Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins. | 8.8 |
2022-05-03 | CVE-2022-0916 | Logitech | Cross-Site Request Forgery (CSRF) vulnerability in Logitech Options An issue was discovered in Logitech Options. | 8.8 |
2022-05-03 | CVE-2021-42165 | Mitrastar | OS Command Injection vulnerability in Mitrastar Gpt-2541Gnac-N1 Firmware Brg3.5100Vnz0B33 MitraStar GPT-2541GNAC-N1 (HGU) 100VNZ0b33 devices allow remote authenticated users to obtain root access by executing command "deviceinfo show file &&/bin/bash" because of incorrect sanitization of parameter "path". | 8.8 |
2022-05-03 | CVE-2022-21949 | Opensuse | Unspecified vulnerability in Opensuse Open Build Service An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. | 8.8 |
2022-05-03 | CVE-2022-20743 | Cisco | Unrestricted Upload of File with Dangerous Type vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to bypass security protections and upload malicious files to the affected system. | 8.8 |
2022-05-03 | CVE-2022-20759 | Cisco | Improper Privilege Management vulnerability in Cisco Firepower Threat Defense A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15. | 8.8 |
2022-05-02 | CVE-2022-0952 | Sitemap Project | Missing Authorization vulnerability in Sitemap Project Sitemap 1.0.0 The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. | 8.8 |
2022-05-02 | CVE-2022-1239 | Hubspot | Unspecified vulnerability in Hubspot The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks. | 8.8 |
2022-05-02 | CVE-2022-28572 | Tenda | OS Command Injection vulnerability in Tenda Ax1803 Firmware and Ax1806 Firmware Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in the `SetIPv6Status` function. | 8.8 |
2022-05-04 | CVE-2022-28067 | Sandboxie | Unspecified vulnerability in Sandboxie 5.55.13 An incorrect access control issue in Sandboxie Classic v5.55.13 allows attackers to cause a Denial of Service (DoS) in the Sandbox via a crafted executable. | 8.6 |
2022-05-03 | CVE-2022-20715 | Cisco | Improper Input Validation vulnerability in Cisco Firepower Threat Defense A vulnerability in the remote access SSL VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2022-05-05 | CVE-2021-25267 | Sophos | Cross-site Scripting vulnerability in Sophos Firewall Firmware Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 19.0 GA. | 8.4 |
2022-05-05 | CVE-2021-25268 | Sophos | Cross-site Scripting vulnerability in Sophos Firewall Firmware Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from MySophos admin to SFOS admin in Sophos Firewall older than version 19.0 GA. | 8.4 |
2022-05-03 | CVE-2022-20111 | Google | Improper Handling of Exceptional Conditions vulnerability in Google Android In ion, there is a possible use after free due to incorrect error handling. | 8.4 |
2022-05-05 | CVE-2021-43547 | Twinoakscomputing | Unspecified vulnerability in Twinoakscomputing Coredx DDS TwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. | 8.2 |
2022-05-05 | CVE-2022-1592 | Clinical Genomics | Server-Side Request Forgery (SSRF) vulnerability in Clinical-Genomics Scout Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. | 8.2 |
2022-05-02 | CVE-2021-3750 | Qemu Redhat | A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. | 8.2 |
2022-05-08 | CVE-2018-25033 | Admesh Project Debian | Out-of-bounds Read vulnerability in multiple products ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a. | 8.1 |
2022-05-06 | CVE-2021-26253 | Splunk | Unspecified vulnerability in Splunk A potential vulnerability in Splunk Enterprise's implementation of DUO MFA allows for bypassing the MFA verification in Splunk Enterprise versions before 8.1.6. | 8.1 |
2022-05-06 | CVE-2021-25745 | Kubernetes | Improper Input Validation vulnerability in Kubernetes Ingress-Nginx A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. | 8.1 |
2022-05-06 | CVE-2022-24903 | Rsyslog Fedoraproject Debian Netapp | Improper Validation of Specified Quantity in Input vulnerability in multiple products Rsyslog is a rocket-fast system for log processing. | 8.1 |
2022-05-05 | CVE-2021-44052 | Qnap | Link Following vulnerability in Qnap Qts, Quts Hero and Qutscloud An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. | 8.1 |
2022-05-04 | CVE-2022-20764 | Cisco | Unspecified vulnerability in Cisco Telepresence Collaboration Endpoint Multiple vulnerabilities in the web engine of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, view sensitive data on an affected device, or redirect users to an attacker-controlled destination. | 8.1 |
2022-05-04 | CVE-2022-23724 | Pingidentity | Use of Hard-coded Credentials vulnerability in Pingidentity Pingid Integration for Windows Login Use of static encryption key material allows forging an authentication token to other users within a tenant organization. | 8.1 |
2022-05-04 | CVE-2021-32010 | Secomea | Inadequate Encryption Strength vulnerability in Secomea products Inadequate Encryption Strength vulnerability in TLS stack of Secomea SiteManager, LinkManager, GateManager may facilitate man in the middle attacks. | 8.1 |
2022-05-02 | CVE-2022-23904 | Rainworx | Cross-Site Request Forgery (CSRF) vulnerability in Rainworx Auctionworx 3.1 Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx admin control panel. | 8.0 |
2022-05-08 | CVE-2022-28463 | Imagemagick Debian | Classic Buffer Overflow vulnerability in multiple products ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow. | 7.8 |
2022-05-08 | CVE-2022-1619 | VIM Fedoraproject Debian Netapp Apple | Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. | 7.8 |
2022-05-07 | CVE-2022-1616 | VIM Fedoraproject Debian Apple | Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. | 7.8 |
2022-05-06 | CVE-2021-27765 | Hcltech | Improper Privilege Management vulnerability in Hcltech Bigfix Platform The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. | 7.8 |
2022-05-06 | CVE-2021-27766 | Hcltech | Improper Privilege Management vulnerability in Hcltech Bigfix Platform The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. | 7.8 |
2022-05-06 | CVE-2021-27767 | Hcltech | Improper Privilege Management vulnerability in Hcltech Bigfix Platform The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. | 7.8 |
2022-05-06 | CVE-2022-24098 | Adobe | Unspecified vulnerability in Adobe Photoshop Adobe Photoshop versions 22.5.6 (and earlier) and 23.2.2 (and earlier) are affected by an improper input validation vulnerability when parsing a PCX file that could result in arbitrary code execution in the context of the current user. | 7.8 |
2022-05-06 | CVE-2022-28278 | Adobe | Unspecified vulnerability in Adobe Photoshop Adobe Photoshop versions 22.5.6 (and earlier) and 23.2.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2022-05-06 | CVE-2021-42743 | Splunk | Uncontrolled Search Path Element vulnerability in Splunk A misconfiguration in the node default path allows for local privilege escalation from a lower privileged user to the Splunk user in Splunk Enterprise versions before 8.1.1 on Windows. | 7.8 |
2022-05-05 | CVE-2021-38427 | RTI | Out-of-bounds Write vulnerability in RTI Connext DDS Professional and Connext DDS Secure RTI Connext DDS Professional and Connext DDS Secure Versions 4.2.x to 6.1.0 are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code. | 7.8 |
2022-05-05 | CVE-2021-38433 | RTI | Unspecified vulnerability in RTI Connext DDS Professional and Connext DDS Secure RTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code. | 7.8 |
2022-05-05 | CVE-2022-28714 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, a DLL Hijacking vulnerability exists in the BIG-IP Edge Client Windows Installer. | 7.8 |
2022-05-05 | CVE-2022-29263 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, the BIG-IP Edge Client Component Installer Service does not use best practice while saving temporary files. | 7.8 |
2022-05-04 | CVE-2021-20051 | Sonicwall | Uncontrolled Search Path Element vulnerability in Sonicwall Global VPN Client 4.10.4.0314/4.10.6/4.10.7.1117 SonicWall Global VPN Client 4.10.7.1117 installer (32-bit and 64-bit) and earlier versions have a DLL Search Order Hijacking vulnerability in one of the installer components. | 7.8 |
2022-05-04 | CVE-2022-28806 | Fujitsu | Out-of-bounds Write vulnerability in Fujitsu products An issue was discovered on certain Fujitsu LIFEBOOK devices (A3510, U9310, U7511/U7411/U7311, U9311, E5510/E5410, U7510/U7410/U7310, E459/E449) with BIOS versions before v1.09 (A3510), v2.17 (U9310), v2.30 (U7511/U7411/U7311), v2.33 (U9311), v2.23 (E5510), v2.19 (U7510/U7410), v2.13 (U7310), and v1.09 (E459/E449). | 7.8 |
2022-05-04 | CVE-2022-27470 | Libsdl Fedoraproject | Out-of-bounds Write vulnerability in multiple products SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid(). | 7.8 |
2022-05-03 | CVE-2022-21743 | Google | Integer Overflow or Wraparound vulnerability in Google Android In ion, there is a possible use after free due to an integer overflow. | 7.8 |
2022-05-03 | CVE-2022-20084 | Google | Missing Authorization vulnerability in Google Android 10.0/11.0/12.0 In telephony, there is a possible way to disable receiving emergency broadcasts due to a missing permission check. | 7.8 |
2022-05-03 | CVE-2022-20088 | Google | Improper Handling of Exceptional Conditions vulnerability in Google Android 11.0/12.0 In aee driver, there is a possible reference count mistake due to incorrect error handling. | 7.8 |
2022-05-03 | CVE-2022-20093 | Google | Missing Authorization vulnerability in Google Android 10.0/11.0/12.0 In telephony, there is a possible way to disable receiving SMS messages due to a missing permission check. | 7.8 |
2022-05-03 | CVE-2022-20099 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible out of bounds write due to improper input validation. | 7.8 |
2022-05-03 | CVE-2022-20109 | Google | Unspecified vulnerability in Google Android In ion, there is a possible use after free due to improper update of reference count. | 7.8 |
2022-05-03 | CVE-2022-28792 | Samsung | Uncontrolled Search Path Element vulnerability in Samsung Gear Iconx PC Manager DLL hijacking vulnerability in Gear IconX PC Manager prior to version 2.1.220405.51 allows attacker to execute arbitrary code. | 7.8 |
2022-05-03 | CVE-2021-22556 | Google | Integer Overflow or Wraparound vulnerability in Google Fuchsia The Security Team discovered an integer overflow bug that allows an attacker with code execution to issue memory cache invalidation operations on pages that they don’t own, allowing them to control kernel memory from userspace. | 7.8 |
2022-05-03 | CVE-2022-20729 | Cisco | XML Injection (aka Blind XPath Injection) vulnerability in Cisco Firepower Threat Defense A vulnerability in CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to inject XML into the command parser. | 7.8 |
2022-05-02 | CVE-2021-42529 | Adobe Debian | XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-05-02 | CVE-2021-42531 | Adobe Debian | XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-05-02 | CVE-2021-42532 | Adobe Debian | XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. | 7.8 |
2022-05-02 | CVE-2021-46790 | Tuxera Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2. | 7.8 |
2022-05-02 | CVE-2022-29968 | Linux Fedoraproject Netapp | Missing Initialization of Resource vulnerability in multiple products An issue was discovered in the Linux kernel through 5.17.5. | 7.8 |
2022-05-02 | CVE-2022-29849 | Progress | Unspecified vulnerability in Progress Openedge In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. | 7.8 |
2022-05-02 | CVE-2022-23723 | Pingidentity | Improper Authentication vulnerability in Pingidentity Pingone MFA Integration KIT An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow. | 7.7 |
2022-05-08 | CVE-2022-1620 | VIM Fedoraproject Apple | NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. | 7.5 |
2022-05-06 | CVE-2022-25324 | Bignum Project | Unspecified vulnerability in Bignum Project Bignum All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks. | 7.5 |
2022-05-06 | CVE-2021-27761 | Hcltech | Inadequate Encryption Strength vulnerability in Hcltech Bigfix Platform Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using attacks | 7.5 |
2022-05-06 | CVE-2022-23802 | Ijoomla | Incorrect Default Permissions vulnerability in Ijoomla Guru 5.2.5 Joomla Guru extension 5.2.5 is affected by: Insecure Permissions. | 7.5 |
2022-05-06 | CVE-2021-31559 | Splunk | Unspecified vulnerability in Splunk A crafted request bypasses S2S TCP Token authentication writing arbitrary events to an index in Splunk Enterprise Indexer 8.1 versions before 8.1.5 and 8.2 versions before 8.2.1. | 7.5 |
2022-05-06 | CVE-2021-39023 | IBM | Information Exposure Through an Error Message vulnerability in IBM Guardium Data Encryption IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 7.5 |
2022-05-06 | CVE-2022-28969 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the shareSpeed parameter in the function fromSetWifiGusetBasic. | 7.5 |
2022-05-06 | CVE-2022-28970 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow via the mac parameter in the function GetParentControlInfo. | 7.5 |
2022-05-06 | CVE-2022-28971 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function fromSetIpMacBind. | 7.5 |
2022-05-06 | CVE-2022-28972 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the timeZone parameter in the function form_fast_setting_wifi_set. | 7.5 |
2022-05-06 | CVE-2022-28973 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the function fromAdvSetMacMtuWan. | 7.5 |
2022-05-06 | CVE-2022-30293 | Webkitgtk Debian | Out-of-bounds Write vulnerability in multiple products In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp. | 7.5 |
2022-05-06 | CVE-2022-24884 | Ecdsautils Project Fedoraproject Debian | Improper Verification of Cryptographic Signature vulnerability in multiple products ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). | 7.5 |
2022-05-05 | CVE-2022-29167 | Mozilla | Unspecified vulnerability in Mozilla Hawk Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. | 7.5 |
2022-05-05 | CVE-2022-29176 | Rubygems | Unspecified vulnerability in Rubygems Rubygems.Org Rubygems is a package registry used to supply software for the Ruby language ecosystem. | 7.5 |
2022-05-05 | CVE-2021-38447 | Objectcomputing | Unspecified vulnerability in Objectcomputing Opendds OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition. | 7.5 |
2022-05-05 | CVE-2022-26071 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a flaw in the way reply ICMP packets are limited in the Traffic Management Microkernel (TMM) allows an attacker to quickly scan open UDP ports. | 7.5 |
2022-05-05 | CVE-2022-26370 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, and 14.1.x versions prior to 14.1.4.6, when a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 |
2022-05-05 | CVE-2022-26372 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.0.2, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when a DNS listener is configured on a virtual server with DNS queueing (default), undisclosed requests can cause an increase in memory resource utilization. | 7.5 |
2022-05-05 | CVE-2022-26517 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when the BIG-IP CGNAT Large Scale NAT (LSN) pool is configured on a virtual server and packet filtering is enabled, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 |
2022-05-05 | CVE-2022-26890 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. | 7.5 |
2022-05-05 | CVE-2022-27189 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when an Internet Content Adaptation Protocol (ICAP) profile is configured on a virtual server, undisclosed traffic can cause an increase in Traffic Management Microkernel (TMM) memory resource utilization. | 7.5 |
2022-05-05 | CVE-2022-28691 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when a Real Time Streaming Protocol (RTSP) profile is configured on a virtual server, undisclosed traffic can cause an increase in Traffic Management Microkernel (TMM) resource utilization. | 7.5 |
2022-05-05 | CVE-2022-28701 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, when the stream profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. | 7.5 |
2022-05-05 | CVE-2022-28705 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, on platforms with an ePVA and the pva.fwdaccel BigDB variable enabled, undisclosed requests to a virtual server with a FastL4 profile that has ePVA acceleration enabled can cause the Traffic Management Microkernel (TMM) process to terminate. | 7.5 |
2022-05-05 | CVE-2022-28706 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2 and 15.1.x versions prior to 15.1.5.1, when the DNS resolver configuration is used, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 |
2022-05-05 | CVE-2022-29473 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when an IPSec ALG profile is configured on a virtual server, undisclosed responses can cause Traffic Management Microkernel (TMM) to terminate. | 7.5 |
2022-05-05 | CVE-2022-29491 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP LTM, Advanced WAF, ASM, or APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a virtual server is configured with HTTP, TCP on one side (client/server), and DTLS on the other (server/client), undisclosed requests can cause the TMM process to terminate. | 7.5 |
2022-05-05 | CVE-2022-22433 | IBM | Improper Input Validation vulnerability in IBM products IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. | 7.5 |
2022-05-05 | CVE-2021-42183 | Masacms | Path Traversal vulnerability in Masacms 7.2.1 MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/. | 7.5 |
2022-05-05 | CVE-2022-28462 | Xxyopen | Files or Directories Accessible to External Parties vulnerability in Xxyopen Novel-Plus 3.6.0 novel-plus 3.6.0 suffers from an Arbitrary file reading vulnerability. | 7.5 |
2022-05-05 | CVE-2022-29339 | Gpac | Reachable Assertion vulnerability in Gpac In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in utils/bitstream.c has a failed assertion, which causes a Denial of Service. | 7.5 |
2022-05-05 | CVE-2022-29340 | Gpac | NULL Pointer Dereference vulnerability in Gpac GPAC 2.1-DEV-rev87-g053aae8-master. | 7.5 |
2022-05-04 | CVE-2022-30288 | Ohler | Unspecified vulnerability in Ohler Agoo Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. | 7.5 |
2022-05-04 | CVE-2022-20770 | Clamav Cisco Fedoraproject Debian | On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. | 7.5 |
2022-05-04 | CVE-2022-20771 | Clamav Cisco Fedoraproject Debian | On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. | 7.5 |
2022-05-04 | CVE-2022-20785 | Clamav Cisco Fedoraproject Debian | Memory Leak vulnerability in multiple products On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. | 7.5 |
2022-05-04 | CVE-2022-23443 | Fortinet | Unspecified vulnerability in Fortinet Fortisoar An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests. | 7.5 |
2022-05-04 | CVE-2022-28556 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.20Multitde01 Tenda AC15 US_AC15V1.0BR_V15.03.05.20_multi_TDE01.bin is vulnerable to Buffer Overflow. | 7.5 |
2022-05-04 | CVE-2022-28940 | H3C | Unspecified vulnerability in H3C Magic R100 Firmware V100R005 In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization. | 7.5 |
2022-05-04 | CVE-2022-28487 | Broadcom Fedoraproject | Memory Leak vulnerability in multiple products Tcpreplay version 4.4.1 contains a memory leakage flaw in fix_ipv6_checksums() function. | 7.5 |
2022-05-04 | CVE-2022-28488 | Libwav Project | Use of Uninitialized Resource vulnerability in Libwav Project Libwav The function wav_format_write in libwav.c in libwav through 2017-04-20 has a Use of Uninitialized Variable vulnerability. | 7.5 |
2022-05-04 | CVE-2022-24901 | Parseplatform | Improper Certificate Validation vulnerability in Parseplatform Parse-Server Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. | 7.5 |
2022-05-03 | CVE-2022-27313 | Gitea | Unspecified vulnerability in Gitea 1.16.3 An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file. | 7.5 |
2022-05-03 | CVE-2022-22368 | IBM | Inadequate Encryption Strength vulnerability in IBM Spectrum Scale IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2022-05-03 | CVE-2021-46440 | Strapi | Insufficiently Protected Credentials vulnerability in Strapi Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks. | 7.5 |
2022-05-03 | CVE-2022-1473 | Openssl Netapp | Incomplete Cleanup vulnerability in multiple products The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. | 7.5 |
2022-05-03 | CVE-2021-41959 | Jerryscript | Memory Leak vulnerability in Jerryscript JerryScript Git version 14ff5bf does not sufficiently track and release allocated memory via jerry-core/ecma/operations/ecma-regexp-object.c after RegExp, which causes a memory leak. | 7.5 |
2022-05-03 | CVE-2021-42218 | Rice | Memory Leak vulnerability in Rice Open Motion Planning Library 1.5.2 OMPL v1.5.2 contains a memory leak in VFRRT.cpp | 7.5 |
2022-05-03 | CVE-2022-1554 | Clinical Genomics | Path Traversal vulnerability in Clinical-Genomics Scout Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52. | 7.5 |
2022-05-03 | CVE-2022-20730 | Cisco | Unspecified vulnerability in Cisco Firepower Threat Defense A vulnerability in the Security Intelligence feed feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the Security Intelligence DNS feed. | 7.5 |
2022-05-03 | CVE-2022-20745 | Cisco | Improper Input Validation vulnerability in Cisco Firepower Threat Defense A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. | 7.5 |
2022-05-03 | CVE-2022-20746 | Cisco | NULL Pointer Dereference vulnerability in Cisco Firepower Threat Defense A vulnerability in the TCP proxy functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition. | 7.5 |
2022-05-03 | CVE-2022-20751 | Cisco | Allocation of Resources Without Limits or Throttling vulnerability in Cisco Firepower Threat Defense A vulnerability in the Snort detection engine integration for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause unlimited memory consumption, which could lead to a denial of service (DoS) condition on an affected device. | 7.5 |
2022-05-03 | CVE-2022-20757 | Cisco | Allocation of Resources Without Limits or Throttling vulnerability in Cisco Firepower Threat Defense A vulnerability in the connection handling function in Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2022-05-03 | CVE-2022-20760 | Cisco | Resource Exhaustion vulnerability in Cisco Firepower Threat Defense A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service condition (DoS) on an affected device. | 7.5 |
2022-05-03 | CVE-2022-20767 | Cisco | Allocation of Resources Without Limits or Throttling vulnerability in Cisco Firepower Threat Defense A vulnerability in the Snort rule evaluation function of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 7.5 |
2022-05-02 | CVE-2022-24897 | Xwiki | Path Traversal vulnerability in Xwiki APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. | 7.5 |
2022-05-02 | CVE-2022-28613 | ABB Hitachienergy | Improper Validation of Specified Quantity in Input vulnerability in multiple products A vulnerability exists in the HCI Modbus TCP function included in the product versions listed above. | 7.5 |
2022-05-02 | CVE-2021-25002 | Tipsacarrier Project | Unspecified vulnerability in Tipsacarrier Project Tipsacarrier 1.4.4.2 The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place for some functions, which could allow unauthenticated users to access Orders data, which could be used to retrieve the client's full address, name and phone via the tracking URL. | 7.5 |
2022-05-02 | CVE-2022-27983 | Ruijienetworks | Unspecified vulnerability in Ruijienetworks Rg-Nbr2100G-E Firmware RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php. | 7.5 |
2022-05-02 | CVE-2021-36778 | Suse | Unspecified vulnerability in Suse Rancher An Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. | 7.5 |
2022-05-02 | CVE-2022-29970 | Sinatrarb Debian | Path Traversal vulnerability in multiple products Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | 7.5 |
2022-05-02 | CVE-2021-40822 | Osgeo | Server-Side Request Forgery (SSRF) vulnerability in Osgeo Geoserver GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host. | 7.5 |
2022-05-02 | CVE-2022-28451 | Nopcommerce | Path Traversal vulnerability in Nopcommerce 4.50.1 nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. | 7.5 |
2022-05-04 | CVE-2022-20780 | Cisco | XXE vulnerability in Cisco Enterprise NFV Infrastructure Software Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. | 7.4 |
2022-05-03 | CVE-2022-20742 | Cisco | Unspecified vulnerability in Cisco Firepower Threat Defense A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel. | 7.4 |
2022-05-03 | CVE-2021-22573 | Google | Improper Verification of Cryptographic Signature vulnerability in Google Oauth Client Library for Java The vulnerability is that IDToken verifier does not verify if token is properly signed. | 7.3 |
2022-05-06 | CVE-2022-29171 | Sourcegraph | Code Injection vulnerability in Sourcegraph Sourcegraph is a fast and featureful code search and navigation engine. | 7.2 |
2022-05-05 | CVE-2022-27634 | F5 | Unspecified vulnerability in F5 Big-Ip Access Policy Manager On 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, BIG-IP APM does not properly validate configurations, allowing an authenticated attacker with high privileges to manipulate the APM policy leading to privilege escalation/remote code execution. | 7.2 |
2022-05-05 | CVE-2022-27806 | F5 | Unspecified vulnerability in F5 products On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration. | 7.2 |
2022-05-05 | CVE-2022-28695 | F5 | Unspecified vulnerability in F5 Big-Ip Advanced Firewall Manager On F5 BIG-IP AFM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, an authenticated attacker with high privileges can upload a maliciously crafted file to the BIG-IP AFM Configuration utility, which allows an attacker to run arbitrary commands. | 7.2 |
2022-05-04 | CVE-2022-20753 | Cisco | Out-of-bounds Write vulnerability in Cisco products A vulnerability in web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. | 7.2 |
2022-05-04 | CVE-2022-20799 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. | 7.2 |
2022-05-04 | CVE-2022-20801 | Cisco | OS Command Injection vulnerability in Cisco products Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. | 7.2 |
2022-05-04 | CVE-2022-25785 | Secomea | Out-of-bounds Write vulnerability in Secomea products Stack-based Buffer Overflow vulnerability in SiteManager allows logged-in or local user to cause arbitrary code execution. | 7.2 |
2022-05-04 | CVE-2022-28076 | Seacms | Unspecified vulnerability in Seacms 11.6 Seacms v11.6 was discovered to contain a remote command execution (RCE) vulnerability via the Mail Server Settings. | 7.2 |
2022-05-04 | CVE-2022-28096 | Skycaiji | Unspecified vulnerability in Skycaiji 2.4 Skycaiji v2.4 was discovered to contain a remote code execution (RCE) vulnerability via /SkycaijiApp/admin/controller/Develop.php. | 7.2 |
2022-05-03 | CVE-2021-29854 | IBM | Improper Encoding or Escaping of Output vulnerability in IBM Maximo Application Suite and Maximo Asset Management IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. | 7.2 |
2022-05-03 | CVE-2022-29001 | Springbootmovie Project | Unrestricted Upload of File with Dangerous Type vulnerability in Springbootmovie Project Springbootmovie 1.0/1.1/1.2 In SpringBootMovie <=1.2, the uploaded file suffix parameter is not filtered, resulting in an arbitrary file upload vulnerability. | 7.2 |
2022-05-03 | CVE-2022-28505 | Jflyfox | SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0 Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java. | 7.2 |
2022-05-03 | CVE-2022-28590 | Pixelimity | Unspecified vulnerability in Pixelimity 1.0 A Remote Code Execution (RCE) vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=install_theme. | 7.2 |
2022-05-02 | CVE-2022-1273 | Importwp | Unspecified vulnerability in Importwp Import WP The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE | 7.2 |
2022-05-02 | CVE-2021-36784 | Suse | Improper Privilege Management vulnerability in Suse Rancher An Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. | 7.2 |
2022-05-06 | CVE-2021-25746 | Kubernetes | Improper Input Validation vulnerability in Kubernetes Ingress-Nginx A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. | 7.1 |
2022-05-06 | CVE-2022-29164 | Argo Workflows Project | Unspecified vulnerability in Argo Workflows Project Argo Workflows Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. | 7.1 |
2022-05-03 | CVE-2022-28783 | Google | Improper Input Validation vulnerability in Google Android 10.0/11.0/12.0 Improper validation of removing package name in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to uninstall arbitrary packages without permission. | 7.1 |
2022-05-03 | CVE-2022-23400 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 19.10 A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. | 7.1 |
2022-05-03 | CVE-2022-20737 | Cisco | Out-of-bounds Write vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in the handler for HTTP authentication for resources accessed through the Clientless SSL VPN portal of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device or to obtain portions of process memory from an affected device. | 7.1 |
2022-05-03 | CVE-2022-20110 | Google | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Android In ion, there is a possible use after free due to a race condition. | 7.0 |
169 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-05 | CVE-2022-27878 | F5 | Unspecified vulnerability in F5 products On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 6.8 |
2022-05-02 | CVE-2021-29859 | IBM | Unspecified vulnerability in IBM Cloud PAK for Business Automation 21.0.1/21.0.2/21.0.3 IBM ICP4A - User Management System Component (IBM Cloud Pak for Business Automation V21.0.3 through V21.0.3-IF008, V21.0.2 through V21.0.2-IF009, and V21.0.1 through V21.0.1-IF007) could allow a user with physical access to the system to perform unauthorized actions or obtain sensitive information due to insufficient validation and revocation when another user logs out. | 6.8 |
2022-05-04 | CVE-2022-25787 | Secomea | Information Exposure vulnerability in Secomea products Information Exposure Through Query Strings in GET Request vulnerability in LMM API of Secomea GateManager allows system administrator to hijack connection. | 6.7 |
2022-05-03 | CVE-2022-20105 | Google Linux | Out-of-bounds Write vulnerability in multiple products In MM service, there is a possible out of bounds write due to a stack-based buffer overflow. | 6.7 |
2022-05-03 | CVE-2022-20106 | Google Linux | Out-of-bounds Write vulnerability in multiple products In MM service, there is a possible out of bounds write due to a heap-based buffer overflow. | 6.7 |
2022-05-03 | CVE-2022-20108 | Google Linux | Out-of-bounds Write vulnerability in multiple products In voice service, there is a possible out of bounds write due to a stack-based buffer overflow. | 6.7 |
2022-05-03 | CVE-2022-20085 | Google | Link Following vulnerability in Google Android 11.0/12.0 In netdiag, there is a possible symbolic link following due to an improper link resolution. | 6.7 |
2022-05-03 | CVE-2022-20087 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In ccu, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-05-03 | CVE-2022-20089 | Google | Unspecified vulnerability in Google Android 11.0/12.0 In aee driver, there is a possible memory corruption due to active debug code. | 6.7 |
2022-05-03 | CVE-2022-20094 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In imgsensor, there is a possible out of bounds write due to an incorrect bounds check. | 6.7 |
2022-05-03 | CVE-2022-20095 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In imgsensor, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-05-03 | CVE-2022-28781 | Google | Improper Input Validation vulnerability in Google Android 11.0/12.0 Improper input validation in Settings prior to SMR-May-2022 Release 1 allows attackers to launch arbitrary activity with system privilege. | 6.7 |
2022-05-07 | CVE-2022-30330 | Keepkey | Improper Input Validation vulnerability in Keepkey Firmware In the KeepKey firmware before 7.3.2, flaws in the supervisor interface can be exploited to bypass important security restrictions on firmware operations. | 6.6 |
2022-05-06 | CVE-2021-27758 | Hcltech | Cross-Site Request Forgery (CSRF) vulnerability in Hcltech Bigfix Inventory There is a security vulnerability in the login form related to Cross-site Request Forgery which prevents a user from logging in after an attacker spams login attempts and the system blocks the victim's account. | 6.5 |
2022-05-06 | CVE-2021-27759 | Hcltech | Insufficient Verification of Data Authenticity vulnerability in Hcltech Bigfix Inventory This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. | 6.5 |
2022-05-06 | CVE-2021-27764 | Hcltech | Incorrect Permission Assignment for Critical Resource vulnerability in Hcltech Bigfix Webui Cookie without HTTPONLY flag set. | 6.5 |
2022-05-06 | CVE-2022-28164 | Broadcom | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.1.1.8 Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. | 6.5 |
2022-05-06 | CVE-2022-30295 | Uclibc Uclibc NG Project | Use of Insufficiently Random Values vulnerability in multiple products uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable DNS transaction IDs that may lead to DNS cache poisoning. | 6.5 |
2022-05-06 | CVE-2022-24878 | Fluxcd | Path Traversal vulnerability in Fluxcd Flux2 Flux is an open and extensible continuous delivery solution for Kubernetes. | 6.5 |
2022-05-05 | CVE-2022-27337 | Freedesktop Fedoraproject Debian | A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. | 6.5 |
2022-05-05 | CVE-2022-26073 | Anker | Integer Overflow or Wraparound vulnerability in Anker Eufy Homebase 2 Firmware 2.1.8.5H A denial of service vulnerability exists in the libxm_av.so DemuxCmdInBuffer functionality of Anker Eufy Homebase 2 2.1.8.5h. | 6.5 |
2022-05-05 | CVE-2022-25946 | F5 | Unspecified vulnerability in F5 products On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker with Administrator role privilege may be able to bypass Appliance mode restrictions due to a missing integrity check in F5 BIG-IP Guided Configuration. | 6.5 |
2022-05-05 | CVE-2022-27495 | F5 | Unspecified vulnerability in F5 Nginx Service Mesh 1.3.0/1.3.1 On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. | 6.5 |
2022-05-05 | CVE-2022-28859 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.5.1 and 14.1.x versions prior to 14.1.4.6, when installing Net HSM, the scripts (nethsm-safenet-install.sh and nethsm-thales-install.sh) expose the Net HSM partition password. | 6.5 |
2022-05-05 | CVE-2022-22415 | IBM | Unspecified vulnerability in IBM Robotic Process Automation 21.0.1 A vulnerability exists where an IBM Robotic Process Automation 21.0.1 regular user is able to obtain view-only access to some admin pages in the Control Center. IBM X-Force ID: 223029. | 6.5 |
2022-05-05 | CVE-2022-28471 | Rockcarry | Integer Overflow or Wraparound vulnerability in Rockcarry Ffjpeg 20211206 In ffjpeg (commit hash: caade60), the function bmp_load() in bmp.c contains an integer overflow vulnerability, which eventually results in the heap overflow in jfif_encode() in jfif.c. | 6.5 |
2022-05-04 | CVE-2022-29942 | Talend | Server-Side Request Forgery (SSRF) vulnerability in Talend Administration Center 7.2.0/7.3.0/8.0.0 Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. | 6.5 |
2022-05-04 | CVE-2022-29943 | Talend | XXE vulnerability in Talend Administration Center 7.2.0/7.3.0/8.0.0 Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. | 6.5 |
2022-05-04 | CVE-2022-28090 | Ujcms | Server-Side Request Forgery (SSRF) vulnerability in Ujcms Jspxcms 10.2.0 Jspxcms v10.2.0 allows attackers to execute a Server-Side Request Forgery (SSRF) via /cmscp/ext/collect/fetch_url.do?url=. | 6.5 |
2022-05-03 | CVE-2021-27411 | Silabs | Unspecified vulnerability in Silabs Micrium OS 5.10.0/5.10.1/5.9.0 Micrium OS Versions 5.10.1 and prior are vulnerable to integer wrap-around in functions Mem_DynPoolCreate, Mem_DynPoolCreateHW and Mem_PoolCreate. | 6.5 |
2022-05-03 | CVE-2022-22137 | Accusoft | Incorrect Calculation of Buffer Size vulnerability in Accusoft Imagegear 19.10 A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. | 6.5 |
2022-05-03 | CVE-2022-20744 | Cisco | Unspecified vulnerability in Cisco Secure Firewall Management Center A vulnerability in the input protection mechanisms of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view data without proper authorization. | 6.5 |
2022-05-03 | CVE-2022-29824 | Xmlsoft Fedoraproject Debian Netapp Oracle | Integer Overflow or Wraparound vulnerability in multiple products In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. | 6.5 |
2022-05-02 | CVE-2022-23722 | Pingidentity | Improper Authentication vulnerability in Pingidentity Pingfederate When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password. | 6.5 |
2022-05-02 | CVE-2022-0191 | Acnam | Unspecified vulnerability in Acnam AD Invalid Click Protector The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have a CSRF check when deleting banned users, which could allow attackers to make a logged-in admin remove arbitrary bans. | 6.5 |
2022-05-03 | CVE-2022-20090 | Google | Use After Free vulnerability in Google Android 11.0/12.0 In aee driver, there is a possible use after free due to a race condition. | 6.4 |
2022-05-03 | CVE-2022-20091 | Google | Use After Free vulnerability in Google Android 11.0/12.0 In aee driver, there is a possible use after free due to a race condition. | 6.4 |
2022-05-06 | CVE-2022-27183 | Splunk | Cross-site Scripting vulnerability in Splunk 8.1.0/8.1.1/8.1.2 The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. | 6.1 |
2022-05-06 | CVE-2022-29421 | Edmonsoft | Unspecified vulnerability in Edmonsoft Countdown Builder Reflected Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin on WordPress via &ycd_type vulnerable parameter. | 6.1 |
2022-05-06 | CVE-2022-24899 | Contao | Cross-site Scripting vulnerability in Contao 4.13.0/4.13.1/4.13.2 Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. | 6.1 |
2022-05-05 | CVE-2022-29172 | Auth0 | Unspecified vulnerability in Auth0 Lock Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. | 6.1 |
2022-05-05 | CVE-2021-44053 | Qnap | Cross-site Scripting vulnerability in Qnap Qts, Quts Hero and Qutscloud A cross-site scripting (XSS) vulnerability has been reported to affect QNAP devices running QTS, QuTS hero and QuTScloud. | 6.1 |
2022-05-05 | CVE-2021-44054 | Qnap | Open Redirect vulnerability in Qnap Qts, Quts Hero and Qutscloud An open redirect vulnerability has been reported to affect QNAP devices running QuTScloud, QuTS hero and QTS. | 6.1 |
2022-05-05 | CVE-2022-27230 | F5 | Unspecified vulnerability in F5 products On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP APM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of F5 BIG-IP Guided Configuration that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 6.1 |
2022-05-05 | CVE-2022-1411 | Yetiforce | Unrestricted Upload of File with Dangerous Type vulnerability in Yetiforce Customer Relationship Management Unrestricted file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | 6.1 |
2022-05-04 | CVE-2022-1584 | Microweber | Cross-site Scripting vulnerability in Microweber Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. | 6.1 |
2022-05-04 | CVE-2022-30241 | Jquery Json Viewer Project | Cross-site Scripting vulnerability in Jquery Json-Viewer Project Jquery Json-Viewer The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element. | 6.1 |
2022-05-04 | CVE-2022-27461 | Nopcommerce | Open Redirect vulnerability in Nopcommerce In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link. | 6.1 |
2022-05-04 | CVE-2022-25781 | Secomea | Cross-site Scripting vulnerability in Secomea products Cross-site Scripting (XSS) vulnerability in Web UI of Secomea GateManager allows a phishing attacker to inject JavaScript or HTML into a logged-in user's session. | 6.1 |
2022-05-04 | CVE-2022-28081 | AR PHP | Cross-site Scripting vulnerability in Ar-PHP Arphp 3.6.0 A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web scripts. | 6.1 |
2022-05-04 | CVE-2022-28508 | Mantisbt | Cross-site Scripting vulnerability in Mantisbt An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. | 6.1 |
2022-05-04 | CVE-2022-1571 | Facturascripts | Cross-site Scripting vulnerability in Facturascripts Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. | 6.1 |
2022-05-04 | CVE-2022-1555 | Microweber | Cross-site Scripting vulnerability in Microweber DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. | 6.1 |
2022-05-03 | CVE-2022-20740 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack. | 6.1 |
2022-05-02 | CVE-2020-23617 | Totolink | Cross-site Scripting vulnerability in Totolink N100Re Firmware and N200Re Firmware A cross site scripting (XSS) vulnerability in the error page of Totolink N200RE and N100RE Routers 2.0 allows attackers to execute arbitrary web scripts or HTML via SCRIPT element. | 6.1 |
2022-05-02 | CVE-2020-23618 | Xtendtech | Cross-site Scripting vulnerability in Xtendtech Voice Logger 1.0 A reflected cross site scripting (XSS) vulnerability in Xtend Voice Logger 1.0 allows attackers to execute arbitrary web scripts or HTML, via the path of the error page. | 6.1 |
2022-05-02 | CVE-2022-26325 | Microfocus | Cross-site Scripting vulnerability in Microfocus Netiq Access Manager Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.2 | 6.1 |
2022-05-02 | CVE-2022-26326 | Microfocus | Open Redirect vulnerability in Microfocus Netiq Access Manager Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2 | 6.1 |
2022-05-02 | CVE-2021-25086 | Advanced Page Visit Counter Project | Cross-site Scripting vulnerability in Advanced Page Visit Counter Project Advanced Page Visit Counter The Advanced Page Visit Counter WordPress plugin before 6.1.2 does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it | 6.1 |
2022-05-02 | CVE-2022-0428 | Keywordrush | Unspecified vulnerability in Keywordrush Content EGG The Content Egg WordPress plugin before 5.3.0 does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-05-02 | CVE-2022-1250 | Lifterlms | Unspecified vulnerability in Lifterlms The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue | 6.1 |
2022-05-02 | CVE-2022-1269 | Fastflow | Unspecified vulnerability in Fastflow The Fast Flow WordPress plugin before 1.2.12 does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-05-02 | CVE-2022-1282 | 10Web | Unspecified vulnerability in 10Web Photo Gallery The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action. | 6.1 |
2022-05-02 | CVE-2022-29969 | Mediawiki | Cross-site Scripting vulnerability in Mediawiki RSS for Mediawiki The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true). | 6.1 |
2022-05-02 | CVE-2021-31673 | Cyclos | Cross-site Scripting vulnerability in Cyclos 4.0.0/4.14.7 A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter. | 6.1 |
2022-05-02 | CVE-2021-31674 | Cyclos | Cross-site Scripting vulnerability in Cyclos 4.0.0/4.14.7 Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant. | 6.1 |
2022-05-05 | CVE-2022-28708 | F5 | Improper Input Validation vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, when a BIG-IP DNS resolver-enabled, HTTP-Explicit or SOCKS profile is configured on a virtual server, an undisclosed DNS response can cause the Traffic Management Microkernel (TMM) process to terminate. | 5.9 |
2022-05-03 | CVE-2022-1434 | Openssl Netapp | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. | 5.9 |
2022-05-06 | CVE-2021-27760 | Hcltech | Unspecified vulnerability in Hcltech HCL Inotes 11.0.0/11.0.1 An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. | 5.5 |
2022-05-06 | CVE-2022-24823 | Netty Oracle Netapp | Netty is an open-source, asynchronous event-driven network application framework. | 5.5 |
2022-05-05 | CVE-2022-27359 | Foxit | NULL Pointer Dereference vulnerability in Foxit PDF Editor and PDF Reader Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a this.maildoc NULL pointer dereference. | 5.5 |
2022-05-05 | CVE-2022-27636 | F5 | Information Exposure Through Log Files vulnerability in F5 products On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, BIG-IP Edge Client may log sensitive APM session-related information when VPN is launched on a Windows system. | 5.5 |
2022-05-05 | CVE-2022-27875 | F5 | Unspecified vulnerability in F5 Access for Android On F5 Access for Android 3.x versions prior to 3.0.8, a Task Hijacking vulnerability exists in the F5 Access for Android application, which may allow an attacker to steal sensitive user information. | 5.5 |
2022-05-05 | CVE-2022-1516 | Linux Debian | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the Linux kernel’s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. | 5.5 |
2022-05-04 | CVE-2022-20796 | Clamav Cisco Fedoraproject Debian | NULL Pointer Dereference vulnerability in multiple products On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. | 5.5 |
2022-05-03 | CVE-2022-20101 | Google | Path Traversal vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible information disclosure due to a path traversal. | 5.5 |
2022-05-03 | CVE-2022-20104 | Google | Unspecified vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible information disclosure due to improper access control. | 5.5 |
2022-05-03 | CVE-2022-20092 | Google | Out-of-bounds Read vulnerability in Google Android 11.0/12.0 In alac decoder, there is a possible out of bounds read due to a missing bounds check. | 5.5 |
2022-05-03 | CVE-2022-28780 | Google | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Improper access control vulnerability in Weather prior to SMR May-2022 Release 1 allows that attackers can access location information that set in Weather without permission. | 5.5 |
2022-05-03 | CVE-2022-28785 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. | 5.5 |
2022-05-03 | CVE-2022-28786 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. | 5.5 |
2022-05-03 | CVE-2022-28787 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 Improper buffer size check logic in wmfextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. | 5.5 |
2022-05-03 | CVE-2022-28788 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service. | 5.5 |
2022-05-03 | CVE-2022-28789 | Samsung | Missing Authorization vulnerability in Samsung Voice Note Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. | 5.5 |
2022-05-03 | CVE-2022-28791 | Samsung | Improper Input Validation vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4 Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path. | 5.5 |
2022-05-03 | CVE-2022-1331 | Deltaww | Unspecified vulnerability in Deltaww Dmars In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure. | 5.5 |
2022-05-03 | CVE-2022-0882 | Google | Unspecified vulnerability in Google Fuchsia 4.1 A bug exists where an attacker can read the kernel log through exposed Zircon kernel addresses without the required capability ZX_RSRC_KIND_ROOT. | 5.5 |
2022-05-02 | CVE-2021-42528 | Adobe Debian | XMP Toolkit 2021.07 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. | 5.5 |
2022-05-02 | CVE-2022-1475 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg An integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in libavcodec/g729_parser.c when processing a specially crafted file. | 5.5 |
2022-05-02 | CVE-2022-1515 | Matio Project | Memory Leak vulnerability in Matio Project Matio A memory leak was discovered in matio 1.5.21 and earlier in Mat_VarReadNextInfo5() in mat5.c via a crafted file. | 5.5 |
2022-05-06 | CVE-2021-36912 | Google News Sitemap Project | Unspecified vulnerability in Google-News-Sitemap Project Google-News-Sitemap Stored Cross-Site Scripting (XSS) vulnerability in Andrea Pernici News Sitemap for Google plugin <= 1.0.16 on WordPress, attackers must have contributor or higher user role. | 5.4 |
2022-05-06 | CVE-2022-28545 | Fudforum | Cross-site Scripting vulnerability in Fudforum 3.1.1 FUDforum 3.1.1 is vulnerable to Stored XSS. | 5.4 |
2022-05-05 | CVE-2022-28707 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 5.4 |
2022-05-05 | CVE-2022-1464 | Gogs | Cross-site Scripting vulnerability in Gogs Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. | 5.4 |
2022-05-05 | CVE-2022-29939 | Librehealth | Cross-site Scripting vulnerability in Librehealth EHR 2.0.0 In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities. | 5.4 |
2022-05-05 | CVE-2022-29940 | Librehealth | Cross-site Scripting vulnerability in Librehealth EHR 2.0.0 In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities. | 5.4 |
2022-05-05 | CVE-2022-1590 | Bludit | Cross-site Scripting vulnerability in Bludit 3.13.1 A vulnerability was found in Bludit 3.13.1. | 5.4 |
2022-05-04 | CVE-2021-41032 | Fortinet | Unspecified vulnerability in Fortinet Fortios An improper access control vulnerability [CWE-284] in FortiOS versions 6.4.8 and prior and 7.0.3 and prior may allow an authenticated attacker with a restricted user profile to gather sensitive information and modify the SSL-VPN tunnel status of other VDOMs using specific CLI commands. | 5.4 |
2022-05-04 | CVE-2022-25782 | Secomea | Improper Privilege Management vulnerability in Secomea products Improper Handling of Insufficient Privileges vulnerability in Web UI of Secomea GateManager allows logged in user to access and update privileged information. | 5.4 |
2022-05-03 | CVE-2022-27330 | E Commerce Website Project | Cross-site Scripting vulnerability in E-Commerce Website Project E-Commerce Website 1.0 A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field. | 5.4 |
2022-05-03 | CVE-2022-28588 | Springbootmovie Project | Cross-site Scripting vulnerability in Springbootmovie Project Springbootmovie 1.0/1.1/1.2 In SpringBootMovie <=1.2 when adding movie names, malicious code can be stored because there are no filtering parameters, resulting in stored XSS. | 5.4 |
2022-05-03 | CVE-2022-28599 | Thedaylightstudio | Cross-site Scripting vulnerability in Thedaylightstudio Fuel CMS 1.5.1 A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. | 5.4 |
2022-05-03 | CVE-2021-39390 | Partkeepr | Cross-site Scripting vulnerability in Partkeepr 1.4.0 Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter. | 5.4 |
2022-05-03 | CVE-2022-20627 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 5.4 |
2022-05-03 | CVE-2022-20628 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 5.4 |
2022-05-03 | CVE-2022-20629 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 5.4 |
2022-05-02 | CVE-2022-29444 | Cloudways | Unspecified vulnerability in Cloudways Breeze Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration which includes the ability to change any of the plugin's settings including CDN setting which could be further used for XSS attack. | 5.4 |
2022-05-02 | CVE-2021-4200 | Suse | Unspecified vulnerability in Suse Rancher An Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when restricted-admin role is enabled. | 5.4 |
2022-05-07 | CVE-2022-30334 | Brave | Information Exposure vulnerability in Brave Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. | 5.3 |
2022-05-06 | CVE-2021-33845 | Splunk | Information Exposure Through Discrepancy vulnerability in Splunk The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. | 5.3 |
2022-05-05 | CVE-2021-38693 | Qnap | Path Traversal vulnerability in Qnap QTS and Qutscloud A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. | 5.3 |
2022-05-05 | CVE-2022-25990 | F5 | Unspecified vulnerability in F5 F5Os-A 1.0.0 On 1.0.x versions prior to 1.0.1, systems running F5OS-A software may expose certain registry ports externally. | 5.3 |
2022-05-05 | CVE-2022-26130 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when an Active mode-enabled FTP profile is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing active FTP data channel connections. | 5.3 |
2022-05-05 | CVE-2022-27181 | F5 | Unspecified vulnerability in F5 Big-Ip Access Policy Manager On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when APM is configured on a virtual server and the associated access profile is configured with APM AAA NTLM Auth, undisclosed requests can cause an increase in internal resource utilization. | 5.3 |
2022-05-05 | CVE-2022-27182 | F5 | Resource Exhaustion vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, when BIG-IP packet filters are enabled and a virtual server is configured with the type set to Reject, undisclosed requests can cause an increase in memory resource utilization. | 5.3 |
2022-05-05 | CVE-2022-29479 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, when an IPv6 self IP address is configured and the ipv6.strictcompliance database key is enabled (disabled by default) on a BIG-IP system, undisclosed packets may cause decreased performance. | 5.3 |
2022-05-05 | CVE-2022-29480 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when multiple route domains are configured, undisclosed requests to big3d can cause an increase in CPU resource utilization. | 5.3 |
2022-05-05 | CVE-2021-39020 | IBM | Information Exposure vulnerability in IBM Guardium Data Encryption IBM Guardium Data Encryption (GDE) 4.0.0.7 and lower stores sensitive information in URL parameters. | 5.3 |
2022-05-03 | CVE-2022-1343 | Openssl Netapp | Improper Certificate Validation vulnerability in multiple products The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. | 5.3 |
2022-05-03 | CVE-2022-20748 | Cisco | Improper Handling of Exceptional Conditions vulnerability in Cisco Firepower Threat Defense 7.0.0 A vulnerability in the local malware analysis process of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. | 5.3 |
2022-05-02 | CVE-2021-4138 | Mozilla | Unspecified vulnerability in Mozilla Geckodriver Improved Host header checks to reject requests not sent to a well-known local hostname or IP, or the server-specified hostname. | 5.3 |
2022-05-02 | CVE-2022-24974 | Menlosecurity | Unspecified vulnerability in Menlosecurity Email Isolation 2.81.1/2.81.8 Links may not be rewritten according to policy in some specially formatted emails. | 5.3 |
2022-05-06 | CVE-2021-39027 | IBM | Improper Encoding or Escaping of Output vulnerability in IBM Guardium Data Encryption 4.0.0.0/5.0.0.0 IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. | 5.0 |
2022-05-06 | CVE-2020-19212 | Piwigo | SQL Injection vulnerability in Piwigo 2.9.5 SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete. | 4.9 |
2022-05-05 | CVE-2022-26340 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, an authenticated, high-privileged attacker with no bash access may be able to access Certificate and Key files using Secure Copy (SCP) protocol from a remote system. | 4.9 |
2022-05-05 | CVE-2022-26835 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, directory traversal vulnerabilities exist in undisclosed iControl REST endpoints and TMOS Shell (tmsh) commands in F5 BIG-IP Guided Configuration, which may allow an authenticated attacker with at least resource administrator role privileges to read arbitrary files. | 4.9 |
2022-05-04 | CVE-2022-25786 | Secomea | Unspecified vulnerability in Secomea Gatemanager 9.6.621421014 Unprotected Alternate Channel vulnerability in debug console of GateManager allows system administrator to obtain sensitive information. | 4.9 |
2022-05-06 | CVE-2022-29422 | Edmonsoft | Unspecified vulnerability in Edmonsoft Countdown Builder Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters. | 4.8 |
2022-05-06 | CVE-2022-28507 | BDT 121 Project | Cross-site Scripting vulnerability in Bdt-121 Project Bdt-121 Firmware 2.1.1T16 Dragon Path Technologies Bharti Airtel Routers Hardware BDT-121 version 1.0 is vulnerable to Cross Site Scripting (XSS) via Dragon path router admin page. | 4.8 |
2022-05-06 | CVE-2022-29420 | Edmonsoft | Unspecified vulnerability in Edmonsoft Countdown Builder Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Adam Skaat Countdown & Clock (WordPress plugin) countdown-builder allows Stored XSS. This issue affects Countdown & Clock (WordPress plugin): from n/a through 2.3.2. | 4.8 |
2022-05-05 | CVE-2022-27662 | F5 | Unspecified vulnerability in F5 Traffix Signaling Delivery Controller 5.1.0/5.2.0 On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute template language-specific instructions in the context of the server. | 4.8 |
2022-05-05 | CVE-2022-27880 | F5 | Unspecified vulnerability in F5 Traffix Signaling Delivery Controller 5.1.0/5.2.0 On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. | 4.8 |
2022-05-04 | CVE-2022-25784 | Secomea | Cross-site Scripting vulnerability in Secomea products Cross-site Scripting (XSS) vulnerability in Web GUI of SiteManager allows logged-in user to inject scripting. | 4.8 |
2022-05-03 | CVE-2022-28589 | Pixelimity | Cross-site Scripting vulnerability in Pixelimity 1.0 A stored cross-site scripting (XSS) vulnerability in Pixelimity 1.0 allows attackers to execute arbitrary web scripts or HTML via the Title field in admin/pages.php?action=add_new | 4.8 |
2022-05-02 | CVE-2021-36844 | Mythemeshop | Unspecified vulnerability in Mythemeshop WP Subscribe Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress. | 4.8 |
2022-05-02 | CVE-2021-41810 | M Files | Cross-site Scripting vulnerability in M-Files Server Admin tool allows storing configuration data with script which may then get run by another vault administrator. | 4.8 |
2022-05-02 | CVE-2022-0418 | Event List Project | Unspecified vulnerability in Event List Project Event List The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed | 4.8 |
2022-05-02 | CVE-2022-0649 | Ajdg | Unspecified vulnerability in Ajdg Adrotate The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2022-05-02 | CVE-2022-0662 | Ajdg | Unspecified vulnerability in Ajdg Adrotate The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2022-05-02 | CVE-2022-1046 | Vfbpro | Unspecified vulnerability in Vfbpro Visual Form Builder The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 4.8 |
2022-05-02 | CVE-2022-1255 | Codection | Cross-site Scripting vulnerability in Codection Import and Export Users and Customers The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escape imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues | 4.8 |
2022-05-04 | CVE-2022-20794 | Cisco | Open Redirect vulnerability in Cisco Telepresence Collaboration Endpoint Multiple vulnerabilities in the web engine of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, view sensitive data on an affected device, or redirect users to an attacker-controlled destination. | 4.7 |
2022-05-03 | CVE-2022-20097 | Google | Race Condition vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible information disclosure due to a race condition. | 4.7 |
2022-05-02 | CVE-2021-25102 | Tipsandtricks HQ | Unspecified vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. | 4.7 |
2022-05-02 | CVE-2022-29973 | Exfat Project | Allocation of Resources Without Limits or Throttling vulnerability in Exfat Project Exfat 1.3.0 relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength. | 4.7 |
2022-05-05 | CVE-2022-22434 | IBM | Unspecified vulnerability in IBM products IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects. | 4.6 |
2022-05-05 | CVE-2021-45783 | Bookeen | Path Traversal vulnerability in Bookeen Notea Firmware Bkr1.0.520210608 Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information. | 4.6 |
2022-05-03 | CVE-2022-28782 | Google | Unspecified vulnerability in Google Android 11.0/12.0 Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before completion of Setup wizard. | 4.6 |
2022-05-04 | CVE-2022-20734 | Cisco | Information Exposure vulnerability in Cisco Catalyst Sd-Wan Manager A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, local attacker to view sensitive information on an affected system. | 4.4 |
2022-05-03 | CVE-2022-20102 | Google | Missing Authorization vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible information disclosure due to a missing permission check. | 4.4 |
2022-05-03 | CVE-2022-20103 | Google | Link Following vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible information disclosure due to symbolic link following. | 4.4 |
2022-05-03 | CVE-2022-20107 | Google Linux | Integer Overflow or Wraparound vulnerability in multiple products In subtitle service, there is a possible application crash due to an integer overflow. | 4.4 |
2022-05-03 | CVE-2022-20096 | Google | Use of Uninitialized Resource vulnerability in Google Android In camera, there is a possible information disclosure due to uninitialized data. | 4.4 |
2022-05-03 | CVE-2022-20098 | Google | Missing Authorization vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible information disclosure due to a missing permission check. | 4.4 |
2022-05-03 | CVE-2022-20100 | Google | Missing Authorization vulnerability in Google Android 11.0/12.0 In aee daemon, there is a possible information disclosure due to a missing permission check. | 4.4 |
2022-05-03 | CVE-2022-28793 | Samsung | Improper Check for Unusual or Exceptional Conditions vulnerability in Samsung Galaxy S22 Firmware Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE. | 4.4 |
2022-05-06 | CVE-2022-27909 | Jdownloads | Unspecified vulnerability in Jdownloads 3.9.8.2 In Joomla component 'jDownloads 3.9.8.2 Stable' the remote user can change some parameters in the address bar and see the names of other users' files | 4.3 |
2022-05-06 | CVE-2022-26070 | Splunk | Information Exposure Through an Error Message vulnerability in Splunk When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. | 4.3 |
2022-05-06 | CVE-2022-24902 | Python | Resource Exhaustion vulnerability in Python Tkvideoplayer TkVideoplayer is a simple library to play video files in tkinter. | 4.3 |
2022-05-05 | CVE-2022-1389 | F5 | Unspecified vulnerability in F5 products On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP (fixed in 17.0.0), a cross-site request forgery (CSRF) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. | 4.3 |
2022-05-05 | CVE-2022-1468 | F5 | Unspecified vulnerability in F5 products On all versions of 17.0.x, 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x on F5 BIG-IP, an authenticated iControl REST user with at least guest role privileges can cause processing delays to iControl REST requests via undisclosed requests. | 4.3 |
2022-05-05 | CVE-2022-27659 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, an authenticated attacker can modify or delete Dashboards created by other BIG-IP users in the Traffic Management User Interface (TMUI). | 4.3 |
2022-05-05 | CVE-2022-29474 | F5 | Unspecified vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system. | 4.3 |
2022-05-04 | CVE-2021-43206 | Fortinet | Information Exposure Through an Error Message vulnerability in Fortinet Fortios and Fortiproxy A server-generated error message containing sensitive information in Fortinet FortiOS 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.x, 6.0.x and FortiProxy 7.0.0 through 7.0.1, 2.0.x allows malicious webservers to retrieve a web proxy's client username and IP via same origin HTTP requests triggering proxy-generated HTTP status codes pages. | 4.3 |
2022-05-04 | CVE-2022-29950 | Experian | Unspecified vulnerability in Experian Hunter 1.16 Experian Hunter 1.16 allows remote authenticated users to modify assumed-immutable elements via the (1) rule name parameter to the Rules page or the (2) subrule name or (3) categories name parameter to the Subrules page. | 4.3 |
2022-05-04 | CVE-2022-25779 | Secomea | Resource Exhaustion vulnerability in Secomea products Logging of Excessive Data vulnerability in audit log of Secomea GateManager allows logged in user to write text entries in audit log. | 4.3 |
2022-05-04 | CVE-2022-25780 | Secomea | Unspecified vulnerability in Secomea products Information Exposure vulnerability in web UI of Secomea GateManager allows logged in user to query devices outside own scope. | 4.3 |
2022-05-04 | CVE-2022-25783 | Secomea | Unspecified vulnerability in Secomea products Insufficient Logging vulnerability in web server of Secomea GateManager allows logged in user to issue improper queries without logging. | 4.3 |
2022-05-04 | CVE-2022-1502 | Octopus | Unspecified vulnerability in Octopus Server Permissions were not properly verified in the API on projects using version control in Git. | 4.3 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-06 | CVE-2021-27751 | Hcltechsw | Insufficient Session Expiration vulnerability in Hcltechsw HCL Commerce HCL Commerce is affected by an Insufficient Session Expiration vulnerability. | 3.3 |
2022-05-03 | CVE-2022-28784 | Google | Path Traversal vulnerability in Google Android 10.0/11.0/12.0 Path traversal vulnerability in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to list file names in arbitrary directory as system user. | 3.3 |
2022-05-03 | CVE-2022-28790 | Samsung | Improper Authentication vulnerability in Samsung Link to Windows Service Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows attacker to lock the device. | 3.3 |