Weekly Vulnerabilities Reports > May 2 to 8, 2022

Overview

455 new vulnerabilities reported during this period, including 106 critical vulnerabilities and 177 high severity vulnerabilities. This weekly summary report vulnerabilities in 348 products from 204 vendors including F5, Google, Cisco, Debian, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "OS Command Injection", and "Path Traversal".

  • 365 reported vulnerabilities are remotely exploitables.
  • 6 reported vulnerabilities have public exploit available.
  • 138 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 274 reported vulnerabilities are exploitable by an anonymous user.
  • F5 has the most reported vulnerabilities, with 42 reported vulnerabilities.
  • Deltaww has the most reported critical vulnerabilities, with 11 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

106 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-04 CVE-2022-30292 Squirrel Lang
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lack of a certain sq_reservestack call.

10.0
2022-05-06 CVE-2022-24817 Fluxcd Code Injection vulnerability in Fluxcd Kustomize-Controller

Flux2 is an open and extensible continuous delivery solution for Kubernetes.

9.9
2022-05-04 CVE-2022-20777 Cisco Unspecified vulnerability in Cisco Enterprise NFV Infrastructure Software

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.

9.9
2022-05-08 CVE-2022-28470 Python Unspecified vulnerability in Python Pypi

marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.

9.8
2022-05-07 CVE-2022-29180 Charm Server-Side Request Forgery (SSRF) vulnerability in Charm

A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server.

9.8
2022-05-06 CVE-2021-23592 Thinkphp Deserialization of Untrusted Data vulnerability in Thinkphp

The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class.

9.8
2022-05-06 CVE-2021-23792 Twelvemonkeys Project XXE vulnerability in Twelvemonkeys Project Twelvemonkeys

The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata.

9.8
2022-05-06 CVE-2021-27762 Hcltech Unspecified vulnerability in Hcltech Bigfix Platform

Misconfigured security-related HTTP headers: Several security-related headers were missing or mis-configured on the web responses

9.8
2022-05-06 CVE-2022-29423 Edmonsoft Unspecified vulnerability in Edmonsoft Countdown Builder

Pro Features Lock Bypass vulnerability in Countdown & Clock plugin <= 2.3.2 at WordPress.

9.8
2022-05-06 CVE-2022-28163 Broadcom SQL Injection vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.1.1.8

In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands.

9.8
2022-05-06 CVE-2022-28005 3CX Insufficiently Protected Credentials vulnerability in 3CX

An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL.

9.8
2022-05-06 CVE-2020-19213 Piwigo SQL Injection vulnerability in Piwigo 2.9.5

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.

9.8
2022-05-06 CVE-2022-29161 Xwiki Inadequate Encryption Strength vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

9.8
2022-05-05 CVE-2022-29535 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Opmanager

Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

9.8
2022-05-05 CVE-2022-27360 Bladex SQL Injection vulnerability in Bladex Springblade 3.2.0

SpringBlade v3.2.0 and below was discovered to contain a SQL injection vulnerability via the component customSqlSegment.

9.8
2022-05-05 CVE-2022-27411 Totolink Unspecified vulnerability in Totolink N600R Firmware 5.3C.5507B20171031

TOTOLINK N600R v5.3c.5507_B20171031 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter in the "Main" function.

9.8
2022-05-05 CVE-2022-28575 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setopenvpnclientcfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows attackers to execute arbitrary commands through a carefully constructed payload

9.8
2022-05-05 CVE-2022-28577 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the delParentalRules interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2022-28578 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setOpenVpnCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2022-28579 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setParentalRules interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2022-28580 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setL2tpServerCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2022-28581 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setWiFiAdvancedCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2022-28582 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setWiFiSignalCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2022-28583 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setWiFiWpsCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2022-28584 Totolink OS Command Injection vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

It is found that there is a command injection vulnerability in the setWiFiWpsStart interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

9.8
2022-05-05 CVE-2021-38423 Gurum Unspecified vulnerability in Gurum Gurumdds

All versions of GurumDDS improperly calculate the size to be used when allocating the buffer, which may result in a buffer overflow.

9.8
2022-05-05 CVE-2021-38435 RTI Unspecified vulnerability in RTI Connext DDS Professional and Connext DDS Secure

RTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 not correctly calculate the size when allocating the buffer, which may result in a buffer overflow.

9.8
2022-05-05 CVE-2021-38439 Gurum Unspecified vulnerability in Gurum Gurumdds

All versions of GurumDDS are vulnerable to heap-based buffer overflow, which may cause a denial-of-service condition or remotely execute arbitrary code.

9.8
2022-05-05 CVE-2021-38441 Eclipse Unspecified vulnerability in Eclipse Cyclonedds

Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.

9.8
2022-05-05 CVE-2021-38443 Eclipse Unspecified vulnerability in Eclipse Cyclonedds

Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.

9.8
2022-05-05 CVE-2021-38445 Objectcomputing Unspecified vulnerability in Objectcomputing Opendds

OCI OpenDDS versions prior to 3.18.1 do not handle a length parameter consistent with the actual length of the associated data, which may allow an attacker to remotely execute arbitrary code.

9.8
2022-05-05 CVE-2021-44055 Qnap Missing Authorization vulnerability in Qnap Video Station

An missing authorization vulnerability has been reported to affect QNAP device running Video Station.

9.8
2022-05-05 CVE-2021-44056 Qnap Improper Authentication vulnerability in Qnap Video Station

An improper authentication vulnerability has been reported to affect QNAP device running Video Station.

9.8
2022-05-05 CVE-2021-44057 Qnap Improper Authentication vulnerability in Qnap Photo Station

An improper authentication vulnerability has been reported to affect QNAP device running Photo Station.

9.8
2022-05-05 CVE-2022-27588 Qnap Command Injection vulnerability in Qnap QVR 5.1.5

We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later

9.8
2022-05-05 CVE-2022-28120 Rainier Unrestricted Upload of File with Dangerous Type vulnerability in Rainier Open Virtual Simulation Experiment Teaching Management Platform 2.0

Beijing Runnier Network Technology Co., Ltd Open virtual simulation experiment teaching management platform software 2.0 has a file upload vulnerability, which can be exploited by an attacker to gain control of the server.

9.8
2022-05-05 CVE-2022-28530 Covid 19 Directory ON Vaccination System Project SQL Injection vulnerability in Covid-19 Directory on Vaccination System Project Covid-19 Directory on Vaccination System 1.0

Sourcecodester Covid-19 Directory on Vaccination System 1.0 is vulnerable to SQL Injection via cmdcategory.

9.8
2022-05-05 CVE-2022-28533 Medical HUB Directory Site Project SQL Injection vulnerability in Medical HUB Directory Site Project Medical HUB Directory Site 1.0

Sourcecodester Medical Hub Directory Site 1.0 is vulnerable to SQL Injection via /mhds/clinic/view_details.php.

9.8
2022-05-05 CVE-2022-28606 Bosscms Unrestricted Upload of File with Dangerous Type vulnerability in Bosscms 1.0.0

An arbitrary file upload vulnerability exists in Wenzhou Huoyin Information Technology Co., Ltd.

9.8
2022-05-05 CVE-2022-29502 Schedmd
Fedoraproject
SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges.
9.8
2022-05-05 CVE-2022-29592 Tenda OS Command Injection vulnerability in Tenda TX9 PRO Firmware 22.03.02.10

Tenda TX9 Pro 22.03.02.10 devices allow OS command injection via set_route (called by doSystemCmd_route).

9.8
2022-05-05 CVE-2021-42242 Jflyfox Unspecified vulnerability in Jflyfox Jfinal CMS 5.0.1

A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor.

9.8
2022-05-05 CVE-2022-28461 Mingyuefusu Project SQL Injection vulnerability in Mingyuefusu Project Mingyuefusu 20220327

mingyuefusu Library Management System all versions as of 03-27-2022 is vulnerable to SQL Injection.

9.8
2022-05-05 CVE-2021-41739 Artica Proxy OS Command Injection vulnerability in Artica-Proxy Artica Proxy 4.30.000000

A OS Command Injection vulnerability was discovered in Artica Proxy 4.30.000000.

9.8
2022-05-05 CVE-2022-28890 Apache XXE vulnerability in Apache Jena 4.4.0

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved.

9.8
2022-05-04 CVE-2022-30284 Python Libnmap Project Argument Injection or Modification vulnerability in Python-Libnmap Project Python-Libnmap

In the python-libnmap package through 0.7.2 for Python, remote command execution can occur (if used in a client application that does not validate arguments).

9.8
2022-05-04 CVE-2022-29155 Openldap
Debian
Netapp
SQL Injection vulnerability in multiple products

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query.

9.8
2022-05-04 CVE-2021-42235 Enhancesoft SQL Injection vulnerability in Enhancesoft Osticket

SQL injection in osTicket before 1.14.8 and 1.15.4 login and password reset process allows attackers to access the osTicket administration profile functionality.

9.8
2022-05-04 CVE-2022-28557 Tenda OS Command Injection vulnerability in Tenda Ac15 Firmware 15.03.05.20Multitde01

There is a command injection vulnerability at the /goform/setsambacfg interface of Tenda AC15 US_AC15V1.0BR_V15.03.05.20_multi_TDE01.bin device web, which can also cooperate with CVE-2021-44971 to cause unconditional arbitrary command execution

9.8
2022-05-04 CVE-2022-28512 Fantastic Blog Project SQL Injection vulnerability in Fantastic Blog Project Fantastic Blog 1.0

A SQL injection vulnerability exists in Sourcecodester Fantastic Blog CMS 1.0 .

9.8
2022-05-04 CVE-2022-28568 Simple Doctor S Appointment System Project Unrestricted Upload of File with Dangerous Type vulnerability in Simple Doctor'S Appointment System Project Simple Doctor'S Appointment System 1.0

Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel.

9.8
2022-05-04 CVE-2022-29347 WEB Rchiv Project Unrestricted Upload of File with Dangerous Type vulnerability in Web@Rchiv Project Web@Rchiv 1.0

An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file.

9.8
2022-05-04 CVE-2022-28082 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn

Tenda AX12 v22.03.01.21_CN was discovered to contain a stack overflow via the list parameter at /goform/SetNetControlList.

9.8
2022-05-04 CVE-2022-28111 Pagehelper Project SQL Injection vulnerability in Pagehelper Project Pagehelper

MyBatis PageHelper v1.x.x-v3.7.0 v4.0.0-v5.0.0,v5.1.0-v5.3.0 was discovered to contain a time-blind SQL injection vulnerability via the orderBy parameter.

9.8
2022-05-04 CVE-2021-42185 Wdja SQL Injection vulnerability in Wdja 2.1

wdja v2.1 is affected by a SQL injection vulnerability in the foreground search function.

9.8
2022-05-04 CVE-2022-27420 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the patient_contact parameter in patientsearch.php.

9.8
2022-05-04 CVE-2022-27431 Wuzhicms SQL Injection vulnerability in Wuzhicms Wuzhi CMS 4.1.0

Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php.

9.8
2022-05-04 CVE-2022-28055 Fusionpbx OS Command Injection vulnerability in Fusionpbx

Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.

9.8
2022-05-04 CVE-2021-43163 Ruijienetworks Command Injection vulnerability in Ruijienetworks Reyeeos

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the checkNet function in /cgi-bin/luci/api/auth.

9.8
2022-05-03 CVE-2021-22680 NXP Unspecified vulnerability in NXP MQX 5.1

NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in mem_alloc, _lwmem_alloc and _partition functions.

9.8
2022-05-03 CVE-2021-27417 Ecoscentric Integer Overflow or Wraparound vulnerability in Ecoscentric Ecospro 2.0.1/4.5.3

eCosCentric eCosPro RTOS Versions 2.0.1 through 4.5.3 are vulnerable to integer wraparound in function calloc (an implementation of malloc).

9.8
2022-05-03 CVE-2021-27419 Uclibc NG Project Unspecified vulnerability in Uclibc-Ng Project Uclibc-Ng

uClibc-ng versions prior to 1.0.37 are vulnerable to integer wrap-around in functions malloc-simple.

9.8
2022-05-03 CVE-2021-27421 NXP Unspecified vulnerability in NXP Mcuxpresso Software Development KIT

NXP MCUXpresso SDK versions prior to 2.8.2 are vulnerable to integer overflow in SDK_Malloc function, which could allow to access memory locations outside the bounds of a specified array, leading to unexpected behavior such segmentation fault when assigning a particular block of memory from the heap via malloc.

9.8
2022-05-03 CVE-2021-27425 Cesanta Unspecified vulnerability in Cesanta Mongoose OS 2.17.0

Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-around in function mm_malloc.

9.8
2022-05-03 CVE-2021-27427 Riot OS Unspecified vulnerability in Riot-Os Riot 2020.01.1

RIOT OS version 2020.01.1 is vulnerable to integer wrap-around in its implementation of calloc function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

9.8
2022-05-03 CVE-2021-27431 ARM Unspecified vulnerability in ARM Cmsis-Rtos

ARM CMSIS RTOS2 versions prior to 2.1.3 are vulnerable to integer wrap-around inosRtxMemoryAlloc (local malloc equivalent) function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or injected code execution.

9.8
2022-05-03 CVE-2021-27433 ARM Integer Overflow or Wraparound vulnerability in ARM Mbed Ualloc 1.3.0

ARM mbed-ualloc memory library version 1.3.0 is vulnerable to integer wrap-around in function mbed_krbs, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

9.8
2022-05-03 CVE-2021-27435 ARM Unspecified vulnerability in ARM Mbed 6.3.0

ARM mbed product Version 6.3.0 is vulnerable to integer wrap-around in malloc_wrapper function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

9.8
2022-05-03 CVE-2021-27439 Tencent Unspecified vulnerability in Tencent Tencentos-Tiny 3.1.0

TencentOS-tiny version 3.1.0 is vulnerable to integer wrap-around in function 'tos_mmheap_alloc incorrect calculation of effective memory allocation size.

9.8
2022-05-03 CVE-2022-27413 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php.

9.8
2022-05-03 CVE-2022-28585 Phome SQL Injection vulnerability in Phome Empirecms 7.5

EmpireCMS 7.5 has a SQL injection vulnerability in AdClass.php

9.8
2022-05-03 CVE-2022-27962 Bluecms Project SQL Injection vulnerability in Bluecms Project Bluecms 1.6

Bluecms 1.6 has a SQL injection vulnerability at cooike.

9.8
2022-05-03 CVE-2022-1292 Openssl
Debian
Netapp
Oracle
Fedoraproject
OS Command Injection vulnerability in multiple products

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection.

9.8
2022-05-03 CVE-2022-28560 Tenda Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.2.21Cn

There is a stack overflow vulnerability in the goform/fast_setting_wifi_set function in the httpd service of Tenda ac9 15.03.2.21_cn router.

9.8
2022-05-03 CVE-2022-28561 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn

There is a stack overflow vulnerability in the /goform/setMacFilterCfg function in the httpd service of Tenda ax12 22.03.01.21_cn router.

9.8
2022-05-03 CVE-2022-28118 Sscms Unspecified vulnerability in Sscms Siteserver CMS

SiteServer CMS v7.x allows attackers to execute arbitrary code via a crafted plug-in.

9.8
2022-05-02 CVE-2020-23620 Orlansoft Deserialization of Untrusted Data vulnerability in Orlansoft ERP

The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object.

9.8
2022-05-02 CVE-2020-23621 Squire Technologies Deserialization of Untrusted Data vulnerability in Squire-Technologies SVI MS Management System

The Java Remote Management Interface of all versions of SVI MS Management System was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object.

9.8
2022-05-02 CVE-2022-1367 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in Handler_TCV.ashx.

9.8
2022-05-02 CVE-2022-1369 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegIND.

9.8
2022-05-02 CVE-2022-1370 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadREGbyID.

9.8
2022-05-02 CVE-2022-1371 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegf.

9.8
2022-05-02 CVE-2022-1372 Deltaww SQL Injection vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in dlSlog.aspx.

9.8
2022-05-02 CVE-2022-1374 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_unHandler.ashx.

9.8
2022-05-02 CVE-2022-1375 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_slogHandler.ashx.

9.8
2022-05-02 CVE-2022-1376 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_privgrpHandler.ashx.

9.8
2022-05-02 CVE-2022-1377 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_rltHandler.ashx.

9.8
2022-05-02 CVE-2022-1378 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_pgHandler.ashx.

9.8
2022-05-02 CVE-2022-1366 Deltaww Unspecified vulnerability in Deltaww Diaenergie 1.08.00/1.7.5/1.8.0

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx.

9.8
2022-05-02 CVE-2022-0771 Marketingheroes Unspecified vulnerability in Marketingheroes Sitesupercharger

The SiteSuperCharger WordPress plugin before 5.2.0 does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions (available to both unauthenticated and authenticated users), leading to Unauthenticated SQL Injections

9.8
2022-05-02 CVE-2022-0773 Documentor Project SQL Injection vulnerability in Documentor Project Documentor 1.5.3

The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.

9.8
2022-05-02 CVE-2022-0783 Themehigh Unspecified vulnerability in Themehigh multiple Shipping Addresses for Woocommerce

The Multiple Shipping Address Woocommerce WordPress plugin before 2.0 does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections

9.8
2022-05-02 CVE-2022-1281 10Web Unspecified vulnerability in 10Web Photo Gallery

The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

9.8
2022-05-02 CVE-2022-27466 Mingsoft SQL Injection vulnerability in Mingsoft Mcms 5.2.27

MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.

9.8
2022-05-02 CVE-2022-27982 Ruijienetworks Unspecified vulnerability in Ruijienetworks Rg-Nbr2100G-E Firmware

RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php.

9.8
2022-05-02 CVE-2022-28054 Vandyke Unspecified vulnerability in Vandyke Vshell 3.5.0.0/4.6.2

Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value.

9.8
2022-05-02 CVE-2022-28056 Shopxo Unspecified vulnerability in Shopxo 2.2.5

ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php.

9.8
2022-05-02 CVE-2022-28573 Dlink OS Command Injection vulnerability in Dlink Dir-823 PRO Firmware 1.0.2

D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetNTPserverSeting.

9.8
2022-05-02 CVE-2022-28571 Dlink OS Command Injection vulnerability in Dlink Dir-882 Firmware 1.30B06

D-link 882 DIR882A1_FW130B06 was discovered to contain a command injection vulnerability in`/usr/bin/cli.

9.8
2022-05-05 CVE-2022-1575 Diagrams Cross-site Scripting vulnerability in Diagrams Drawio

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0.

9.6
2022-05-06 CVE-2022-1053 Keylime
Fedoraproject
Improper Input Validation vulnerability in multiple products

Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote.

9.1
2022-05-05 CVE-2021-38425 Eprosima Unspecified vulnerability in Eprosima Fast DDS

eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.

9.1
2022-05-05 CVE-2021-38429 Objectcomputing Unspecified vulnerability in Objectcomputing Opendds

OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition and information exposure.

9.1
2022-05-05 CVE-2021-38487 RTI Unspecified vulnerability in RTI products

RTI Connext DDS Professional, Connext DDS Secure versions 4.2x to 6.1.0, and Connext DDS Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic.

9.1
2022-05-05 CVE-2022-26415 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.

9.1
2022-05-02 CVE-2021-3643 SOX Project Unspecified vulnerability in SOX Project SOX 14.4.1

A flaw was found in sox 14.4.1.

9.1

177 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-06 CVE-2022-26889 Splunk Path Traversal vulnerability in Splunk 8.1.0/8.1.1

In Splunk Enterprise versions before 8.1.2, the uri path to load a relative resource within a web page is vulnerable to path traversal.

8.8
2022-05-06 CVE-2022-28165 Broadcom Unspecified vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.1.1.8

A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform.

8.8
2022-05-06 CVE-2022-21934 Johnsoncontrols Improper Authentication vulnerability in Johnsoncontrols products

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.

8.8
2022-05-06 CVE-2020-19215 Piwigo SQL Injection vulnerability in Piwigo 2.9.5

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.

8.8
2022-05-06 CVE-2020-19216 Piwigo SQL Injection vulnerability in Piwigo 2.9.5

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.

8.8
2022-05-06 CVE-2020-19217 Piwigo SQL Injection vulnerability in Piwigo 2.9.5

SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.

8.8
2022-05-06 CVE-2022-24877 Fluxcd Path Traversal vulnerability in Fluxcd Flux2

Flux is an open and extensible continuous delivery solution for Kubernetes.

8.8
2022-05-05 CVE-2022-29166 Matrix Injection vulnerability in Matrix IRC Bridge

matrix-appservice-irc is a Node.js IRC bridge for Matrix.

8.8
2022-05-05 CVE-2022-29173 Theupdateframework Improper Validation of Integrity Check Value vulnerability in Theupdateframework Go-Tuf 0.2.0

go-tuf is a Go implementation of The Update Framework (TUF).

8.8
2022-05-05 CVE-2022-25989 Anker Authentication Bypass by Spoofing vulnerability in Anker Eufy Homebase 2 Firmware 2.1.8.5H

An authentication bypass vulnerability exists in the libxm_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h.

8.8
2022-05-05 CVE-2021-44051 Qnap Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS.

8.8
2022-05-05 CVE-2022-28079 College Management System Project SQL Injection vulnerability in College Management System Project College Management System 1.0

College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter.

8.8
2022-05-05 CVE-2022-28080 Event Management System Project SQL Injection vulnerability in Event Management System Project Event Management System 1.0

Royal Event Management System v1.0 was discovered to contain a SQL injection vulnerability via the todate parameter.

8.8
2022-05-05 CVE-2022-28716 F5 Unspecified vulnerability in F5 products

On 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP AFM, CGNAT, and PEM Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

8.8
2022-05-05 CVE-2022-29500 Schedmd
Fedoraproject
Debian
SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Information Disclosure.
8.8
2022-05-05 CVE-2022-29501 Schedmd
Fedoraproject
Debian
SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges and code execution.
8.8
2022-05-05 CVE-2022-29938 Librehealth SQL Injection vulnerability in Librehealth EHR 2.0.0

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameter payment_id in interface\billing\new_payment.php via interface\billing\payment_master.inc.php leads to SQL injection.

8.8
2022-05-04 CVE-2022-20779 Cisco Improper Input Validation vulnerability in Cisco Enterprise NFV Infrastructure Software

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.

8.8
2022-05-04 CVE-2021-41020 Fortinet Unspecified vulnerability in Fortinet Fortiisolator 2.3.0/2.3.1/2.3.2

An improper access control vulnerability [CWE-284] in FortiIsolator versions 2.3.2 and below may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL.

8.8
2022-05-04 CVE-2022-28552 Chshcms SQL Injection vulnerability in Chshcms Cscms 4.1

Cscms 4.1 is vulnerable to SQL Injection.

8.8
2022-05-04 CVE-2022-25778 Secomea Cross-Site Request Forgery (CSRF) vulnerability in Secomea products

Cross-Site Request Forgery (CSRF) vulnerability in Web UI of Secomea GateManager allows phishing attacker to issue get request in logged in user session.

8.8
2022-05-04 CVE-2022-27903 EVE NG OS Command Injection vulnerability in Eve-Ng 2.0.3112/4.0.165

An OS Command Injection vulnerability in the configuration parser of Eve-NG Professional through 4.0.1-65 and Eve-NG Community through 2.0.3-112 allows a remote authenticated attacker to execute commands as root by editing virtualization command parameters of imported UNL files.

8.8
2022-05-04 CVE-2022-28099 Poultry Farm Management System Project SQL Injection vulnerability in Poultry Farm Management System Project Poultry Farm Management System 1.0

Poultry Farm Management System v1.0 was discovered to contain a SQL injection vulnerability via the Item parameter at /farm/store.php.

8.8
2022-05-04 CVE-2021-42192 Konga Project Incorrect Authorization vulnerability in Konga Project Konga 0.14.9

Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation.

8.8
2022-05-04 CVE-2021-43159 Ruijienetworks Command Injection vulnerability in Ruijienetworks Reyeeos

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the setSessionTime function in /cgi-bin/luci/api/common..

8.8
2022-05-04 CVE-2021-43160 Ruijienetworks Command Injection vulnerability in Ruijienetworks Reyeeos

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the switchFastDhcp function in /cgi-bin/luci/api/diagnose.

8.8
2022-05-04 CVE-2021-43161 Ruijienetworks Command Injection vulnerability in Ruijienetworks Reyeeos

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the doSwitchApi function in /cgi-bin/luci/api/switch.

8.8
2022-05-04 CVE-2021-43162 Ruijienetworks Command Injection vulnerability in Ruijienetworks Reyeeos

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the runPackDiagnose function in /cgi-bin/luci/api/diagnose.

8.8
2022-05-04 CVE-2021-43164 Ruijienetworks OS Command Injection vulnerability in Ruijienetworks Reyeeos

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.

8.8
2022-05-03 CVE-2022-1548 Mattermost Unspecified vulnerability in Mattermost Playbooks

Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.

8.8
2022-05-03 CVE-2022-0916 Logitech Cross-Site Request Forgery (CSRF) vulnerability in Logitech Options

An issue was discovered in Logitech Options.

8.8
2022-05-03 CVE-2021-42165 Mitrastar OS Command Injection vulnerability in Mitrastar Gpt-2541Gnac-N1 Firmware Brg3.5100Vnz0B33

MitraStar GPT-2541GNAC-N1 (HGU) 100VNZ0b33 devices allow remote authenticated users to obtain root access by executing command "deviceinfo show file &&/bin/bash" because of incorrect sanitization of parameter "path".

8.8
2022-05-03 CVE-2022-21949 Opensuse Unspecified vulnerability in Opensuse Open Build Service

A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations.

8.8
2022-05-03 CVE-2022-20743 Cisco Unrestricted Upload of File with Dangerous Type vulnerability in Cisco Secure Firewall Management Center

A vulnerability in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to bypass security protections and upload malicious files to the affected system.

8.8
2022-05-03 CVE-2022-20759 Cisco Improper Privilege Management vulnerability in Cisco Firepower Threat Defense

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15.

8.8
2022-05-02 CVE-2022-0952 Sitemap Project Missing Authorization vulnerability in Sitemap Project Sitemap 1.0.0

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin.

8.8
2022-05-02 CVE-2022-1239 Hubspot Unspecified vulnerability in Hubspot

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks

8.8
2022-05-02 CVE-2022-28572 Tenda OS Command Injection vulnerability in Tenda Ax1803 Firmware and Ax1806 Firmware

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

8.8
2022-05-04 CVE-2022-28067 Sandboxie Unspecified vulnerability in Sandboxie 5.55.13

An incorrect access control issue in Sandboxie Classic v5.55.13 allows attackers to cause a Denial of Service (DoS) in the Sandbox via a crafted executable.

8.6
2022-05-03 CVE-2022-20715 Cisco Improper Input Validation vulnerability in Cisco Firepower Threat Defense

A vulnerability in the remote access SSL VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

8.6
2022-05-05 CVE-2021-25267 Sophos Cross-site Scripting vulnerability in Sophos Firewall Firmware

Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 19.0 GA.

8.4
2022-05-05 CVE-2021-25268 Sophos Cross-site Scripting vulnerability in Sophos Firewall Firmware

Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from MySophos admin to SFOS admin in Sophos Firewall older than version 19.0 GA.

8.4
2022-05-03 CVE-2022-20111 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

In ion, there is a possible use after free due to incorrect error handling.

8.4
2022-05-05 CVE-2021-43547 Twinoakscomputing Unspecified vulnerability in Twinoakscomputing Coredx DDS

TwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic.

8.2
2022-05-05 CVE-2022-1592 Clinical Genomics Server-Side Request Forgery (SSRF) vulnerability in Clinical-Genomics Scout

Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42.

8.2
2022-05-02 CVE-2021-3750 Qemu
Redhat
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU.
8.2
2022-05-08 CVE-2018-25033 Admesh Project
Debian
Out-of-bounds Read vulnerability in multiple products

ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a.

8.1
2022-05-06 CVE-2021-26253 Splunk Unspecified vulnerability in Splunk

A potential vulnerability in Splunk Enterprise's implementation of DUO MFA allows for bypassing the MFA verification in Splunk Enterprise versions before 8.1.6.

8.1
2022-05-06 CVE-2021-25745 Kubernetes Improper Input Validation vulnerability in Kubernetes Ingress-Nginx

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller.

8.1
2022-05-06 CVE-2022-24903 Rsyslog
Fedoraproject
Debian
Netapp
Improper Validation of Specified Quantity in Input vulnerability in multiple products

Rsyslog is a rocket-fast system for log processing.

8.1
2022-05-05 CVE-2021-44052 Qnap Link Following vulnerability in Qnap Qts, Quts Hero and Qutscloud

An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS.

8.1
2022-05-04 CVE-2022-20764 Cisco Unspecified vulnerability in Cisco Telepresence Collaboration Endpoint

Multiple vulnerabilities in the web engine of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, view sensitive data on an affected device, or redirect users to an attacker-controlled destination.

8.1
2022-05-04 CVE-2022-23724 Pingidentity Use of Hard-coded Credentials vulnerability in Pingidentity Pingid Integration for Windows Login

Use of static encryption key material allows forging an authentication token to other users within a tenant organization.

8.1
2022-05-04 CVE-2021-32010 Secomea Inadequate Encryption Strength vulnerability in Secomea products

Inadequate Encryption Strength vulnerability in TLS stack of Secomea SiteManager, LinkManager, GateManager may facilitate man in the middle attacks.

8.1
2022-05-02 CVE-2022-23904 Rainworx Cross-Site Request Forgery (CSRF) vulnerability in Rainworx Auctionworx 3.1

Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx admin control panel.

8.0
2022-05-08 CVE-2022-28463 Imagemagick
Debian
Classic Buffer Overflow vulnerability in multiple products

ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.

7.8
2022-05-08 CVE-2022-1619 VIM
Fedoraproject
Debian
Netapp
Apple
Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899.
7.8
2022-05-07 CVE-2022-1616 VIM
Fedoraproject
Debian
Apple
Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895.
7.8
2022-05-06 CVE-2021-27765 Hcltech Improper Privilege Management vulnerability in Hcltech Bigfix Platform

The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation.

7.8
2022-05-06 CVE-2021-27766 Hcltech Improper Privilege Management vulnerability in Hcltech Bigfix Platform

The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation.

7.8
2022-05-06 CVE-2021-27767 Hcltech Improper Privilege Management vulnerability in Hcltech Bigfix Platform

The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation.

7.8
2022-05-06 CVE-2022-24098 Adobe Unspecified vulnerability in Adobe Photoshop

Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by an improper input validation vulnerability when parsing a PCX file that could result in arbitrary code execution in the context of the current user.

7.8
2022-05-06 CVE-2022-28278 Adobe Unspecified vulnerability in Adobe Photoshop

Adobe Photoshop versions 22.5.6 (and earlier) and 23.2.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2022-05-06 CVE-2021-42743 Splunk Uncontrolled Search Path Element vulnerability in Splunk

A misconfiguration in the node default path allows for local privilege escalation from a lower privileged user to the Splunk user in Splunk Enterprise versions before 8.1.1 on Windows.

7.8
2022-05-05 CVE-2021-38427 RTI Out-of-bounds Write vulnerability in RTI Connext DDS Professional and Connext DDS Secure

RTI Connext DDS Professional and Connext DDS Secure Versions 4.2.x to 6.1.0 are vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code.

7.8
2022-05-05 CVE-2021-38433 RTI Unspecified vulnerability in RTI Connext DDS Professional and Connext DDS Secure

RTI Connext DDS Professional and Connext DDS Secure Versions 4.2x to 6.1.0 vulnerable to a stack-based buffer overflow, which may allow a local attacker to execute arbitrary code.

7.8
2022-05-05 CVE-2022-28714 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, a DLL Hijacking vulnerability exists in the BIG-IP Edge Client Windows Installer.

7.8
2022-05-05 CVE-2022-29263 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, the BIG-IP Edge Client Component Installer Service does not use best practice while saving temporary files.

7.8
2022-05-04 CVE-2021-20051 Sonicwall Uncontrolled Search Path Element vulnerability in Sonicwall Global VPN Client 4.10.4.0314/4.10.6/4.10.7.1117

SonicWall Global VPN Client 4.10.7.1117 installer (32-bit and 64-bit) and earlier versions have a DLL Search Order Hijacking vulnerability in one of the installer components.

7.8
2022-05-04 CVE-2022-28806 Fujitsu Out-of-bounds Write vulnerability in Fujitsu products

An issue was discovered on certain Fujitsu LIEFBOOK devices (A3510, U9310, U7511/U7411/U7311, U9311, E5510/E5410, U7510/U7410/U7310, E459/E449) with BIOS versions before v1.09 (A3510), v2.17 (U9310), v2.30 (U7511/U7411/U7311), v2.33 (U9311), v2.23 (E5510), v2.19 (U7510/U7410), v2.13 (U7310), and v1.09 (E459/E449).

7.8
2022-05-04 CVE-2022-27470 Libsdl
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid().

7.8
2022-05-03 CVE-2022-21743 Google Integer Overflow or Wraparound vulnerability in Google Android

In ion, there is a possible use after free due to an integer overflow.

7.8
2022-05-03 CVE-2022-20084 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In telephony, there is a possible way to disable receiving emergency broadcasts due to a missing permission check.

7.8
2022-05-03 CVE-2022-20088 Google Improper Handling of Exceptional Conditions vulnerability in Google Android 11.0/12.0

In aee driver, there is a possible reference count mistake due to incorrect error handling.

7.8
2022-05-03 CVE-2022-20093 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In telephony, there is a possible way to disable receiving SMS messages due to a missing permission check.

7.8
2022-05-03 CVE-2022-20099 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible out of bounds write due to improper input validation.

7.8
2022-05-03 CVE-2022-20109 Google Unspecified vulnerability in Google Android

In ion, there is a possible use after free due to improper update of reference count.

7.8
2022-05-03 CVE-2022-28792 Samsung Uncontrolled Search Path Element vulnerability in Samsung Gear Iconx PC Manager

DLL hijacking vulnerability in Gear IconX PC Manager prior to version 2.1.220405.51 allows attacker to execute arbitrary code.

7.8
2022-05-03 CVE-2021-22556 Google Integer Overflow or Wraparound vulnerability in Google Fuchsia

The Security Team discovered an integer overflow bug that allows an attacker with code execution to issue memory cache invalidation operations on pages that they don’t own, allowing them to control kernel memory from userspace.

7.8
2022-05-03 CVE-2022-20729 Cisco XML Injection (aka Blind XPath Injection) vulnerability in Cisco Firepower Threat Defense

A vulnerability in CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to inject XML into the command parser.

7.8
2022-05-02 CVE-2021-42529 Adobe
Debian
XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user.
7.8
2022-05-02 CVE-2021-42531 Adobe
Debian
XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user.
7.8
2022-05-02 CVE-2021-42532 Adobe
Debian
XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user.
7.8
2022-05-02 CVE-2021-46790 Tuxera
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving buffer+512*3-2.

7.8
2022-05-02 CVE-2022-29968 Linux
Fedoraproject
Netapp
Missing Initialization of Resource vulnerability in multiple products

An issue was discovered in the Linux kernel through 5.17.5.

7.8
2022-05-02 CVE-2022-29849 Progress Unspecified vulnerability in Progress Openedge

In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation.

7.8
2022-05-02 CVE-2022-23723 Pingidentity Improper Authentication vulnerability in Pingidentity Pingone MFA Integration KIT

An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow.

7.7
2022-05-08 CVE-2022-1620 VIM
Fedoraproject
Apple
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901.
7.5
2022-05-06 CVE-2022-25324 Bignum Project Unspecified vulnerability in Bignum Project Bignum

All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8, when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks.

7.5
2022-05-06 CVE-2021-27761 Hcltech Inadequate Encryption Strength vulnerability in Hcltech Bigfix Platform

Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using attacks

7.5
2022-05-06 CVE-2022-23802 Ijoomla Incorrect Default Permissions vulnerability in Ijoomla Guru 5.2.5

Joomla Guru extension 5.2.5 is affected by: Insecure Permissions.

7.5
2022-05-06 CVE-2021-31559 Splunk Unspecified vulnerability in Splunk

A crafted request bypasses S2S TCP Token authentication writing arbitrary events to an index in Splunk Enterprise Indexer 8.1 versions before 8.1.5 and 8.2 versions before 8.2.1.

7.5
2022-05-06 CVE-2021-39023 IBM Information Exposure Through an Error Message vulnerability in IBM Guardium Data Encryption

IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

7.5
2022-05-06 CVE-2022-28969 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the shareSpeed parameter in the function fromSetWifiGusetBasic.

7.5
2022-05-06 CVE-2022-28970 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow via the mac parameter in the function GetParentControlInfo.

7.5
2022-05-06 CVE-2022-28971 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function fromSetIpMacBind.

7.5
2022-05-06 CVE-2022-28972 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the timeZone parameter in the function form_fast_setting_wifi_set.

7.5
2022-05-06 CVE-2022-28973 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the function fromAdvSetMacMtuWan.

7.5
2022-05-06 CVE-2022-30293 Webkitgtk
Debian
Out-of-bounds Write vulnerability in multiple products

In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.

7.5
2022-05-06 CVE-2022-24884 Ecdsautils Project
Fedoraproject
Debian
Improper Verification of Cryptographic Signature vulnerability in multiple products

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify).

7.5
2022-05-05 CVE-2022-29167 Mozilla Unspecified vulnerability in Mozilla Hawk

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload.

7.5
2022-05-05 CVE-2022-29176 Rubygems Unspecified vulnerability in Rubygems Rubygems.Org

Rubygems is a package registry used to supply software for the Ruby language ecosystem.

7.5
2022-05-05 CVE-2021-38447 Objectcomputing Unspecified vulnerability in Objectcomputing Opendds

OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition.

7.5
2022-05-05 CVE-2022-26071 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a flaw in the way reply ICMP packets are limited in the Traffic Management Microkernel (TMM) allows an attacker to quickly scan open UDP ports.

7.5
2022-05-05 CVE-2022-26370 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, and 14.1.x versions prior to 14.1.4.6, when a Session Initiation Protocol (SIP) message routing framework (MRF) application layer gateway (ALG) profile is configured on a Message Routing virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.5
2022-05-05 CVE-2022-26372 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 15.1.x versions prior to 15.1.0.2, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when a DNS listener is configured on a virtual server with DNS queueing (default), undisclosed requests can cause an increase in memory resource utilization.

7.5
2022-05-05 CVE-2022-26517 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when the BIG-IP CGNAT Large Scale NAT (LSN) pool is configured on a virtual server and packet filtering is enabled, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.5
2022-05-05 CVE-2022-26890 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate.

7.5
2022-05-05 CVE-2022-27189 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when an Internet Content Adaptation Protocol (ICAP) profile is configured on a virtual server, undisclosed traffic can cause an increase in Traffic Management Microkernel (TMM) memory resource utilization.

7.5
2022-05-05 CVE-2022-28691 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when a Real Time Streaming Protocol (RTSP) profile is configured on a virtual server, undisclosed traffic can cause an increase in Traffic Management Microkernel (TMM) resource utilization.

7.5
2022-05-05 CVE-2022-28701 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, when the stream profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.

7.5
2022-05-05 CVE-2022-28705 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, on platforms with an ePVA and the pva.fwdaccel BigDB variable enabled, undisclosed requests to a virtual server with a FastL4 profile that has ePVA acceleration enabled can cause the Traffic Management Microkernel (TMM) process to terminate.

7.5
2022-05-05 CVE-2022-28706 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2 and 15.1.x versions prior to 15.1.5.1, when the DNS resolver configuration is used, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.

7.5
2022-05-05 CVE-2022-29473 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when an IPSec ALG profile is configured on a virtual server, undisclosed responses can cause Traffic Management Microkernel(TMM) to terminate.

7.5
2022-05-05 CVE-2022-29491 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP LTM, Advanced WAF, ASM, or APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a virtual server is configured with HTTP, TCP on one side (client/server), and DTLS on the other (server/client), undisclosed requests can cause the TMM process to terminate.

7.5
2022-05-05 CVE-2022-22433 IBM Improper Input Validation vulnerability in IBM products

IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input.

7.5
2022-05-05 CVE-2021-42183 Masacms Path Traversal vulnerability in Masacms 7.2.1

MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.

7.5
2022-05-05 CVE-2022-28462 Xxyopen Files or Directories Accessible to External Parties vulnerability in Xxyopen Novel-Plus 3.6.0

novel-plus 3.6.0 suffers from an Arbitrary file reading vulnerability.

7.5
2022-05-05 CVE-2022-29339 Gpac Reachable Assertion vulnerability in Gpac

In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in utils/bitstream.c has a failed assertion, which causes a Denial of Service.

7.5
2022-05-05 CVE-2022-29340 Gpac NULL Pointer Dereference vulnerability in Gpac

GPAC 2.1-DEV-rev87-g053aae8-master.

7.5
2022-05-04 CVE-2022-30288 Ohler Unspecified vulnerability in Ohler Agoo

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash.

7.5
2022-05-04 CVE-2022-20770 Clamav
Cisco
Fedoraproject
Debian
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device.
7.5
2022-05-04 CVE-2022-20771 Clamav
Cisco
Fedoraproject
Debian
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device.
7.5
2022-05-04 CVE-2022-20785 Clamav
Cisco
Fedoraproject
Debian
Memory Leak vulnerability in multiple products

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device.

7.5
2022-05-04 CVE-2022-23443 Fortinet Unspecified vulnerability in Fortinet Fortisoar

An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.

7.5
2022-05-04 CVE-2022-28556 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.20Multitde01

Tenda AC15 US_AC15V1.0BR_V15.03.05.20_multi_TDE01.bin is vulnerable to Buffer Overflow.

7.5
2022-05-04 CVE-2022-28940 H3C Unspecified vulnerability in H3C Magic R100 Firmware V100R005

In H3C MagicR100 <=V100R005, the / Ajax / ajaxget interface can be accessed without authorization.

7.5
2022-05-04 CVE-2022-28487 Broadcom
Fedoraproject
Memory Leak vulnerability in multiple products

Tcpreplay version 4.4.1 contains a memory leakage flaw in fix_ipv6_checksums() function.

7.5
2022-05-04 CVE-2022-28488 Libwav Project Use of Uninitialized Resource vulnerability in Libwav Project Libwav

The function wav_format_write in libwav.c in libwav through 2017-04-20 has an Use of Uninitialized Variable vulnerability.

7.5
2022-05-04 CVE-2022-24901 Parseplatform Improper Certificate Validation vulnerability in Parseplatform Parse-Server

Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks.

7.5
2022-05-03 CVE-2022-27313 Gitea Unspecified vulnerability in Gitea 1.16.3

An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file.

7.5
2022-05-03 CVE-2022-22368 IBM Inadequate Encryption Strength vulnerability in IBM Spectrum Scale

IBM Spectrum Scale 5.1.0 through 5.1.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2022-05-03 CVE-2021-46440 Strapi Insufficiently Protected Credentials vulnerability in Strapi

Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.

7.5
2022-05-03 CVE-2022-1473 Openssl
Netapp
Incomplete Cleanup vulnerability in multiple products

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries.

7.5
2022-05-03 CVE-2021-41959 Jerryscript Memory Leak vulnerability in Jerryscript

JerryScript Git version 14ff5bf does not sufficiently track and release allocated memory via jerry-core/ecma/operations/ecma-regexp-object.c after RegExp, which causes a memory leak.

7.5
2022-05-03 CVE-2021-42218 Rice Memory Leak vulnerability in Rice Open Motion Planning Library 1.5.2

OMPL v1.5.2 contains a memory leak in VFRRT.cpp

7.5
2022-05-03 CVE-2022-1554 Clinical Genomics Path Traversal vulnerability in Clinical-Genomics Scout

Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52.

7.5
2022-05-03 CVE-2022-20730 Cisco Unspecified vulnerability in Cisco Firepower Threat Defense

A vulnerability in the Security Intelligence feed feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the Security Intelligence DNS feed.

7.5
2022-05-03 CVE-2022-20745 Cisco Improper Input Validation vulnerability in Cisco Firepower Threat Defense

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

7.5
2022-05-03 CVE-2022-20746 Cisco NULL Pointer Dereference vulnerability in Cisco Firepower Threat Defense

A vulnerability in the TCP proxy functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition.

7.5
2022-05-03 CVE-2022-20751 Cisco Allocation of Resources Without Limits or Throttling vulnerability in Cisco Firepower Threat Defense

A vulnerability in the Snort detection engine integration for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause unlimited memory consumption, which could lead to a denial of service (DoS) condition on an affected device.

7.5
2022-05-03 CVE-2022-20757 Cisco Allocation of Resources Without Limits or Throttling vulnerability in Cisco Firepower Threat Defense

A vulnerability in the connection handling function in Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.5
2022-05-03 CVE-2022-20760 Cisco Resource Exhaustion vulnerability in Cisco Firepower Threat Defense

A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service condition (DoS) on an affected device.

7.5
2022-05-03 CVE-2022-20767 Cisco Allocation of Resources Without Limits or Throttling vulnerability in Cisco Firepower Threat Defense

A vulnerability in the Snort rule evaluation function of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

7.5
2022-05-02 CVE-2022-24897 Xwiki Path Traversal vulnerability in Xwiki

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity.

7.5
2022-05-02 CVE-2022-28613 ABB
Hitachienergy
Improper Validation of Specified Quantity in Input vulnerability in multiple products

A vulnerability exists in the HCI Modbus TCP function included in the product versions listed above.

7.5
2022-05-02 CVE-2021-25002 Tipsacarrier Project Unspecified vulnerability in Tipsacarrier Project Tipsacarrier 1.4.4.2

The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL

7.5
2022-05-02 CVE-2022-27983 Ruijienetworks Unspecified vulnerability in Ruijienetworks Rg-Nbr2100G-E Firmware

RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php.

7.5
2022-05-02 CVE-2021-36778 Suse Unspecified vulnerability in Suse Rancher

A Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers.

7.5
2022-05-02 CVE-2022-29970 Sinatrarb
Debian
Path Traversal vulnerability in multiple products

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

7.5
2022-05-02 CVE-2021-40822 Osgeo Server-Side Request Forgery (SSRF) vulnerability in Osgeo Geoserver

GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.

7.5
2022-05-02 CVE-2022-28451 Nopcommerce Path Traversal vulnerability in Nopcommerce 4.50.1

nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.

7.5
2022-05-04 CVE-2022-20780 Cisco XXE vulnerability in Cisco Enterprise NFV Infrastructure Software

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM.

7.4
2022-05-03 CVE-2022-20742 Cisco Unspecified vulnerability in Cisco Firepower Threat Defense

A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel.

7.4
2022-05-03 CVE-2021-22573 Google Improper Verification of Cryptographic Signature vulnerability in Google Oauth Client Library for Java

The vulnerability is that IDToken verifier does not verify if token is properly signed.

7.3
2022-05-06 CVE-2022-29171 Sourcegraph Code Injection vulnerability in Sourcegraph

Sourcegraph is a fast and featureful code search and navigation engine.

7.2
2022-05-05 CVE-2022-27634 F5 Unspecified vulnerability in F5 Big-Ip Access Policy Manager

On 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, BIG-IP APM does not properly validate configurations, allowing an authenticated attacker with high privileges to manipulate the APM policy leading to privilege escalation/remote code execution.

7.2
2022-05-05 CVE-2022-27806 F5 Unspecified vulnerability in F5 products

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration.

7.2
2022-05-05 CVE-2022-28695 F5 Unspecified vulnerability in F5 Big-Ip Advanced Firewall Manager

On F5 BIG-IP AFM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, an authenticated attacker with high privileges can upload a maliciously crafted file to the BIG-IP AFM Configuration utility, which allows an attacker to run arbitrary commands.

7.2
2022-05-04 CVE-2022-20753 Cisco Out-of-bounds Write vulnerability in Cisco products

A vulnerability in web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device.

7.2
2022-05-04 CVE-2022-20799 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device.

7.2
2022-05-04 CVE-2022-20801 Cisco OS Command Injection vulnerability in Cisco products

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device.

7.2
2022-05-04 CVE-2022-25785 Secomea Out-of-bounds Write vulnerability in Secomea products

Stack-based Buffer Overflow vulnerability in SiteManager allows logged-in or local user to cause arbitrary code execution.

7.2
2022-05-04 CVE-2022-28076 Seacms Unspecified vulnerability in Seacms 11.6

Seacms v11.6 was discovered to contain a remote command execution (RCE) vulnerability via the Mail Server Settings.

7.2
2022-05-04 CVE-2022-28096 Skycaiji Unspecified vulnerability in Skycaiji 2.4

Skycaiji v2.4 was discovered to contain a remote code execution (RCE) vulnerability via /SkycaijiApp/admin/controller/Develop.php.

7.2
2022-05-03 CVE-2021-29854 IBM Improper Encoding or Escaping of Output vulnerability in IBM Maximo Application Suite and Maximo Asset Management

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

7.2
2022-05-03 CVE-2022-29001 Springbootmovie Project Unrestricted Upload of File with Dangerous Type vulnerability in Springbootmovie Project Springbootmovie 1.0/1.1/1.2

In SpringBootMovie <=1.2, the uploaded file suffix parameter is not filtered, resulting in arbitrary file upload vulnerability

7.2
2022-05-03 CVE-2022-28505 Jflyfox SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0

Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.

7.2
2022-05-03 CVE-2022-28590 Pixelimity Unspecified vulnerability in Pixelimity 1.0

A Remote Code Execution (RCE) vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=install_theme.

7.2
2022-05-02 CVE-2022-1273 Importwp Unspecified vulnerability in Importwp Import WP

The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

7.2
2022-05-02 CVE-2021-36784 Suse Improper Privilege Management vulnerability in Suse Rancher

A Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin.

7.2
2022-05-06 CVE-2021-25746 Kubernetes Improper Input Validation vulnerability in Kubernetes Ingress-Nginx

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller.

7.1
2022-05-06 CVE-2022-29164 Argo Workflows Project Unspecified vulnerability in Argo Workflows Project Argo Workflows

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes.

7.1
2022-05-03 CVE-2022-28783 Google Improper Input Validation vulnerability in Google Android 10.0/11.0/12.0

Improper validation of removing package name in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to uninstall arbitrary packages without permission.

7.1
2022-05-03 CVE-2022-23400 Accusoft Out-of-bounds Write vulnerability in Accusoft Imagegear 19.10

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10.

7.1
2022-05-03 CVE-2022-20737 Cisco Out-of-bounds Write vulnerability in Cisco Adaptive Security Appliance Software

A vulnerability in the handler for HTTP authentication for resources accessed through the Clientless SSL VPN portal of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device or to obtain portions of process memory from an affected device.

7.1
2022-05-03 CVE-2022-20110 Google Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Android

In ion, there is a possible use after free due to a race condition.

7.0

169 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-05 CVE-2022-27878 F5 Unspecified vulnerability in F5 products

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

6.8
2022-05-02 CVE-2021-29859 IBM Unspecified vulnerability in IBM Cloud PAK for Business Automation 21.0.1/21.0.2/21.0.3

IBM ICP4A - User Management System Component (IBM Cloud Pak for Business Automation V21.0.3 through V21.0.3-IF008, V21.0.2 through V21.0.2-IF009, and V21.0.1 through V21.0.1-IF007) could allow a user with physical access to the system to perform unauthorized actions or obtain sensitive information due to insufficient validation and recvocation another user logouting out.

6.8
2022-05-04 CVE-2022-25787 Secomea Information Exposure vulnerability in Secomea products

Information Exposure Through Query Strings in GET Request vulnerability in LMM API of Secomea GateManager allows system administrator to hijack connection.

6.7
2022-05-03 CVE-2022-20105 Google
Linux
Out-of-bounds Write vulnerability in multiple products

In MM service, there is a possible out of bounds write due to a stack-based buffer overflow.

6.7
2022-05-03 CVE-2022-20106 Google
Linux
Out-of-bounds Write vulnerability in multiple products

In MM service, there is a possible out of bounds write due to a heap-based buffer overflow.

6.7
2022-05-03 CVE-2022-20108 Google
Linux
Out-of-bounds Write vulnerability in multiple products

In voice service, there is a possible out of bounds write due to a stack-based buffer overflow.

6.7
2022-05-03 CVE-2022-20085 Google Link Following vulnerability in Google Android 11.0/12.0

In netdiag, there is a possible symbolic link following due to an improper link resolution.

6.7
2022-05-03 CVE-2022-20087 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In ccu, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-05-03 CVE-2022-20089 Google Unspecified vulnerability in Google Android 11.0/12.0

In aee driver, there is a possible memory corruption due to active debug code.

6.7
2022-05-03 CVE-2022-20094 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In imgsensor, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-05-03 CVE-2022-20095 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In imgsensor, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-05-03 CVE-2022-28781 Google Improper Input Validation vulnerability in Google Android 11.0/12.0

Improper input validation in Settings prior to SMR-May-2022 Release 1 allows attackers to launch arbitrary activity with system privilege.

6.7
2022-05-07 CVE-2022-30330 Keepkey Improper Input Validation vulnerability in Keepkey Firmware

In the KeepKey firmware before 7.3.2,Flaws in the supervisor interface can be exploited to bypass important security restrictions on firmware operations.

6.6
2022-05-06 CVE-2021-27758 Hcltech Cross-Site Request Forgery (CSRF) vulnerability in Hcltech Bigfix Inventory

There is a security vulnerability in login form related to Cross-site Request Forgery which prevents user to login after attacker spam to login and system blocked victim's account.

6.5
2022-05-06 CVE-2021-27759 Hcltech Insufficient Verification of Data Authenticity vulnerability in Hcltech Bigfix Inventory

This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally.

6.5
2022-05-06 CVE-2021-27764 Hcltech Incorrect Permission Assignment for Critical Resource vulnerability in Hcltech Bigfix Webui

Cookie without HTTPONLY flag set.

6.5
2022-05-06 CVE-2022-28164 Broadcom Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.1.1.8

Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords.

6.5
2022-05-06 CVE-2022-30295 Uclibc
Uclibc NG Project
Use of Insufficiently Random Values vulnerability in multiple products

uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable DNS transaction IDs that may lead to DNS cache poisoning.

6.5
2022-05-06 CVE-2022-24878 Fluxcd Path Traversal vulnerability in Fluxcd Flux2

Flux is an open and extensible continuous delivery solution for Kubernetes.

6.5
2022-05-05 CVE-2022-27337 Freedesktop
Fedoraproject
Debian
A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
6.5
2022-05-05 CVE-2022-26073 Anker Integer Overflow or Wraparound vulnerability in Anker Eufy Homebase 2 Firmware 2.1.8.5H

A denial of service vulnerability exists in the libxm_av.so DemuxCmdInBuffer functionality of Anker Eufy Homebase 2 2.1.8.5h.

6.5
2022-05-05 CVE-2022-25946 F5 Unspecified vulnerability in F5 products

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker with Administrator role privilege may be able to bypass Appliance mode restrictions due to a missing integrity check in F5 BIG-IP Guided Configuration.

6.5
2022-05-05 CVE-2022-27495 F5 Unspecified vulnerability in F5 Nginx Service Mesh 1.3.0/1.3.1

On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network.

6.5
2022-05-05 CVE-2022-28859 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 15.1.x versions prior to 15.1.5.1 and 14.1.x versions prior to 14.1.4.6, when installing Net HSM, the scripts (nethsm-safenet-install.sh and nethsm-thales-install.sh) expose the Net HSM partition password.

6.5
2022-05-05 CVE-2022-22415 IBM Unspecified vulnerability in IBM Robotic Process Automation 21.0.1

A vulnerability exists where an IBM Robotic Process Automation 21.0.1 regular user is able to obtain view-only access to some admin pages in the Control Center IBM X-Force ID: 223029.

6.5
2022-05-05 CVE-2022-28471 Rockcarry Integer Overflow or Wraparound vulnerability in Rockcarry Ffjpeg 20211206

In ffjpeg (commit hash: caade60), the function bmp_load() in bmp.c contains an integer overflow vulnerability, which eventually results in the heap overflow in jfif_encode() in jfif.c.

6.5
2022-05-04 CVE-2022-29942 Talend Server-Side Request Forgery (SSRF) vulnerability in Talend Administration Center 7.2.0/7.3.0/8.0.0

Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network.

6.5
2022-05-04 CVE-2022-29943 Talend XXE vulnerability in Talend Administration Center 7.2.0/7.3.0/8.0.0

Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem.

6.5
2022-05-04 CVE-2022-28090 Ujcms Server-Side Request Forgery (SSRF) vulnerability in Ujcms Jspxcms 10.2.0

Jspxcms v10.2.0 allows attackers to execute a Server-Side Request Forgery (SSRF) via /cmscp/ext/collect/fetch_url.do?url=.

6.5
2022-05-03 CVE-2021-27411 Silabs Unspecified vulnerability in Silabs Micrium OS 5.10.0/5.10.1/5.9.0

Micrium OS Versions 5.10.1 and prior are vulnerable to integer wrap-around in functions Mem_DynPoolCreate, Mem_DynPoolCreateHW and Mem_PoolCreate.

6.5
2022-05-03 CVE-2022-22137 Accusoft Incorrect Calculation of Buffer Size vulnerability in Accusoft Imagegear 19.10

A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10.

6.5
2022-05-03 CVE-2022-20744 Cisco Unspecified vulnerability in Cisco Secure Firewall Management Center

A vulnerability in the input protection mechanisms of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view data without proper authorization.

6.5
2022-05-03 CVE-2022-29824 Xmlsoft
Fedoraproject
Debian
Netapp
Oracle
Integer Overflow or Wraparound vulnerability in multiple products

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows.

6.5
2022-05-02 CVE-2022-23722 Pingidentity Improper Authentication vulnerability in Pingidentity Pingfederate

When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password.

6.5
2022-05-02 CVE-2022-0191 Acnam Unspecified vulnerability in Acnam AD Invalid Click Protector

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

6.5
2022-05-03 CVE-2022-20090 Google Use After Free vulnerability in Google Android 11.0/12.0

In aee driver, there is a possible use after free due to a race condition.

6.4
2022-05-03 CVE-2022-20091 Google Use After Free vulnerability in Google Android 11.0/12.0

In aee driver, there is a possible use after free due to a race condition.

6.4
2022-05-06 CVE-2022-27183 Splunk Cross-site Scripting vulnerability in Splunk 8.1.0/8.1.1/8.1.2

The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4.

6.1
2022-05-06 CVE-2022-29421 Edmonsoft Unspecified vulnerability in Edmonsoft Countdown Builder

Reflected Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin on WordPress via &ycd_type vulnerable parameter.

6.1
2022-05-06 CVE-2022-24899 Contao Cross-site Scripting vulnerability in Contao 4.13.0/4.13.1/4.13.2

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications.

6.1
2022-05-05 CVE-2022-29172 Auth0 Unspecified vulnerability in Auth0 Lock

Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce.

6.1
2022-05-05 CVE-2021-44053 Qnap Cross-site Scripting vulnerability in Qnap Qts, Quts Hero and Qutscloud

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud.

6.1
2022-05-05 CVE-2021-44054 Qnap Open Redirect vulnerability in Qnap Qts, Quts Hero and Qutscloud

An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS.

6.1
2022-05-05 CVE-2022-27230 F5 Unspecified vulnerability in F5 products

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP APM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of F5 BIG-IP Guided Configuration that allows an attacker to execute JavaScript in the context of the currently logged-in user.

6.1
2022-05-05 CVE-2022-1411 Yetiforce Unrestricted Upload of File with Dangerous Type vulnerability in Yetiforce Customer Relationship Management

Unrestructed file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

6.1
2022-05-04 CVE-2022-1584 Microweber Cross-site Scripting vulnerability in Microweber

Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16.

6.1
2022-05-04 CVE-2022-30241 Jquery Json Viewer Project Cross-site Scripting vulnerability in Jquery Json-Viewer Project Jquery Json-Viewer

The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element.

6.1
2022-05-04 CVE-2022-27461 Nopcommerce Open Redirect vulnerability in Nopcommerce

In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.

6.1
2022-05-04 CVE-2022-25781 Secomea Cross-site Scripting vulnerability in Secomea products

Cross-site Scripting (XSS) vulnerability in Web UI of Secomea GateManager allows phishing attacker to inject javascript or html into logged in user session.

6.1
2022-05-04 CVE-2022-28081 AR PHP Cross-site Scripting vulnerability in Ar-PHP Arphp 3.6.0

A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web scripts.

6.1
2022-05-04 CVE-2022-28508 Mantisbt Cross-site Scripting vulnerability in Mantisbt

An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2.

6.1
2022-05-04 CVE-2022-1571 Facturascripts Cross-site Scripting vulnerability in Facturascripts

Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07.

6.1
2022-05-04 CVE-2022-1555 Microweber Cross-site Scripting vulnerability in Microweber

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16.

6.1
2022-05-03 CVE-2022-20740 Cisco Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack.

6.1
2022-05-02 CVE-2020-23617 Totolink Cross-site Scripting vulnerability in Totolink N100Re Firmware and N200Re Firmware

A cross site scripting (XSS) vulnerability in the error page of Totolink N200RE and N100RE Routers 2.0 allows attackers to execute arbitrary web scripts or HTML via SCRIPT element.

6.1
2022-05-02 CVE-2020-23618 Xtendtech Cross-site Scripting vulnerability in Xtendtech Voice Logger 1.0

A reflected cross site scripting (XSS) vulnerability in Xtend Voice Logger 1.0 allows attackers to execute arbitrary web scripts or HTML, via the path of the error page.

6.1
2022-05-02 CVE-2022-26325 Microfocus Cross-site Scripting vulnerability in Microfocus Netiq Access Manager

Reflected Cross Site Scripting (XSS) vulnerability in NetIQ Access Manager prior to 5.0.2

6.1
2022-05-02 CVE-2022-26326 Microfocus Open Redirect vulnerability in Microfocus Netiq Access Manager

Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2

6.1
2022-05-02 CVE-2021-25086 Advanced Page Visit Counter Project Cross-site Scripting vulnerability in Advanced Page Visit Counter Project Advanced Page Visit Counter

The Advanced Page Visit Counter WordPress plugin before 6.1.2 does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it

6.1
2022-05-02 CVE-2022-0428 Keywordrush Unspecified vulnerability in Keywordrush Content EGG

The Content Egg WordPress plugin before 5.3.0 does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting

6.1
2022-05-02 CVE-2022-1250 Lifterlms Unspecified vulnerability in Lifterlms

The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue

6.1
2022-05-02 CVE-2022-1269 Fastflow Unspecified vulnerability in Fastflow

The Fast Flow WordPress plugin before 1.2.12 does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting

6.1
2022-05-02 CVE-2022-1282 10Web Unspecified vulnerability in 10Web Photo Gallery

The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.

6.1
2022-05-02 CVE-2022-29969 Mediawiki Cross-site Scripting vulnerability in Mediawiki RSS for Mediawiki

The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true).

6.1
2022-05-02 CVE-2021-31673 Cyclos Cross-site Scripting vulnerability in Cyclos 4.0.0/4.14.7

A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter.

6.1
2022-05-02 CVE-2021-31674 Cyclos Cross-site Scripting vulnerability in Cyclos 4.0.0/4.14.7

Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant.

6.1
2022-05-05 CVE-2022-28708 F5 Improper Input Validation vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, when a BIG-IP DNS resolver-enabled, HTTP-Explicit or SOCKS profile is configured on a virtual server, an undisclosed DNS response can cause the Traffic Management Microkernel (TMM) process to terminate.

5.9
2022-05-03 CVE-2022-1434 Openssl
Netapp
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key.

5.9
2022-05-06 CVE-2021-27760 Hcltech Unspecified vulnerability in Hcltech HCL Inotes 11.0.0/11.0.1

An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients.

5.5
2022-05-06 CVE-2022-24823 Netty
Oracle
Netapp
Netty is an open-source, asynchronous event-driven network application framework.
5.5
2022-05-05 CVE-2022-27359 Foxit NULL Pointer Dereference vulnerability in Foxit PDF Editor and PDF Reader

Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a this.maildoc NULL pointer dereference.

5.5
2022-05-05 CVE-2022-27636 F5 Information Exposure Through Log Files vulnerability in F5 products

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, BIG-IP Edge Client may log sensitive APM session-related information when VPN is launched on a Windows system.

5.5
2022-05-05 CVE-2022-27875 F5 Unspecified vulnerability in F5 Access for Android

On F5 Access for Android 3.x versions prior to 3.0.8, a Task Hijacking vulnerability exists in the F5 Access for Android application, which may allow an attacker to steal sensitive user information.

5.5
2022-05-05 CVE-2022-1516 Linux
Debian
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the Linux kernel’s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection.

5.5
2022-05-04 CVE-2022-20796 Clamav
Cisco
Fedoraproject
Debian
NULL Pointer Dereference vulnerability in multiple products

On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device.

5.5
2022-05-03 CVE-2022-20101 Google Path Traversal vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible information disclosure due to a path traversal.

5.5
2022-05-03 CVE-2022-20104 Google Unspecified vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible information disclosure due to improper access control.

5.5
2022-05-03 CVE-2022-20092 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In alac decoder, there is a possible out of bounds read due to a missing bounds check.

5.5
2022-05-03 CVE-2022-28780 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in Weather prior to SMR May-2022 Release 1 allows that attackers can access location information that set in Weather without permission.

5.5
2022-05-03 CVE-2022-28785 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.

5.5
2022-05-03 CVE-2022-28786 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.

5.5
2022-05-03 CVE-2022-28787 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

Improper buffer size check logic in wmfextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.

5.5
2022-05-03 CVE-2022-28788 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

Improper buffer size check logic in aviextractor library prior to SMR May-2022 Release 1 allows out of bounds read leading to possible temporary denial of service.

5.5
2022-05-03 CVE-2022-28789 Samsung Missing Authorization vulnerability in Samsung Voice Note

Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction.

5.5
2022-05-03 CVE-2022-28791 Samsung Improper Input Validation vulnerability in Samsung Galaxy Store 4.5.32.4/4.5.36.4

Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path.

5.5
2022-05-03 CVE-2022-1331 Deltaww Unspecified vulnerability in Deltaww Dmars

In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure.

5.5
2022-05-03 CVE-2022-0882 Google Unspecified vulnerability in Google Fuchsia 4.1

A bug exists where an attacker can read the kernel log through exposed Zircon kernel addresses without the required capability ZX_RSRC_KIND_ROOT.

5.5
2022-05-02 CVE-2021-42528 Adobe
Debian
XMP Toolkit 2021.07 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file.
5.5
2022-05-02 CVE-2022-1475 Ffmpeg Integer Overflow or Wraparound vulnerability in Ffmpeg

An integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.

5.5
2022-05-02 CVE-2022-1515 Matio Project Memory Leak vulnerability in Matio Project Matio

A memory leak was discovered in matio 1.5.21 and earlier in Mat_VarReadNextInfo5() in mat5.c via a crafted file.

5.5
2022-05-06 CVE-2021-36912 Google News Sitemap Project Unspecified vulnerability in Google-News-Sitemap Project Google-News-Sitemap

Stored Cross-Site Scripting (XSS) vulnerability in Andrea Pernici News Sitemap for Google plugin <= 1.0.16 on WordPress, attackers must have contributor or higher user role.

5.4
2022-05-06 CVE-2022-28545 Fudforum Cross-site Scripting vulnerability in Fudforum 3.1.1

FUDforum 3.1.1 is vulnerable to Stored XSS.

5.4
2022-05-05 CVE-2022-28707 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, a stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility (also referred to as the BIG-IP TMUI) that allows an attacker to execute JavaScript in the context of the currently logged-in user.

5.4
2022-05-05 CVE-2022-1464 Gogs Cross-site Scripting vulnerability in Gogs

Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7.

5.4
2022-05-05 CVE-2022-29939 Librehealth Cross-site Scripting vulnerability in Librehealth EHR 2.0.0

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters debug and InsId in interface\billing\sl_eob_process.php leads to multiple cross-site scripting (XSS) vulnerabilities.

5.4
2022-05-05 CVE-2022-29940 Librehealth Cross-site Scripting vulnerability in Librehealth EHR 2.0.0

In LibreHealth EHR 2.0.0, lack of sanitization of the GET parameters formseq and formid in interface\orders\find_order_popup.php leads to multiple cross-site scripting (XSS) vulnerabilities.

5.4
2022-05-05 CVE-2022-1590 Bludit Cross-site Scripting vulnerability in Bludit 3.13.1

A vulnerability was found in Bludit 3.13.1.

5.4
2022-05-04 CVE-2021-41032 Fortinet Unspecified vulnerability in Fortinet Fortios

An improper access control vulnerability [CWE-284] in FortiOS versions 6.4.8 and prior and 7.0.3 and prior may allow an authenticated attacker with a restricted user profile to gather sensitive information and modify the SSL-VPN tunnel status of other VDOMs using specific CLI commands.

5.4
2022-05-04 CVE-2022-25782 Secomea Improper Privilege Management vulnerability in Secomea products

Improper Handling of Insufficient Privileges vulnerability in Web UI of Secomea GateManager allows logged in user to access and update privileged information.

5.4
2022-05-03 CVE-2022-27330 E Commerce Website Project Cross-site Scripting vulnerability in E-Commerce Website Project E-Commerce Website 1.0

A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field.

5.4
2022-05-03 CVE-2022-28588 Springbootmovie Project Cross-site Scripting vulnerability in Springbootmovie Project Springbootmovie 1.0/1.1/1.2

In SpringBootMovie <=1.2 when adding movie names, malicious code can be stored because there are no filtering parameters, resulting in stored XSS.

5.4
2022-05-03 CVE-2022-28599 Thedaylightstudio Cross-site Scripting vulnerability in Thedaylightstudio Fuel CMS 1.5.1

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload.

5.4
2022-05-03 CVE-2021-39390 Partkeepr Cross-site Scripting vulnerability in Partkeepr 1.4.0

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter.

5.4
2022-05-03 CVE-2022-20627 Cisco Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

5.4
2022-05-03 CVE-2022-20628 Cisco Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

5.4
2022-05-03 CVE-2022-20629 Cisco Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

5.4
2022-05-02 CVE-2022-29444 Cloudways Unspecified vulnerability in Cloudways Breeze

Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration which includes the ability to change any of the plugin's settings including CDN setting which could be further used for XSS attack.

5.4
2022-05-02 CVE-2021-4200 Suse Unspecified vulnerability in Suse Rancher

A Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when restricted-admin role is enabled.

5.4
2022-05-07 CVE-2022-30334 Brave Information Exposure vulnerability in Brave

Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers.

5.3
2022-05-06 CVE-2021-33845 Splunk Information Exposure Through Discrepancy vulnerability in Splunk

The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message.

5.3
2022-05-05 CVE-2021-38693 Qnap Path Traversal vulnerability in Qnap QTS and Qutscloud

A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance.

5.3
2022-05-05 CVE-2022-25990 F5 Unspecified vulnerability in F5 F5Os-A 1.0.0

On 1.0.x versions prior to 1.0.1, systems running F5OS-A software may expose certain registry ports externally.

5.3
2022-05-05 CVE-2022-26130 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when an Active mode-enabled FTP profile is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing active FTP data channel connections.

5.3
2022-05-05 CVE-2022-27181 F5 Unspecified vulnerability in F5 Big-Ip Access Policy Manager

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when APM is configured on a virtual server and the associated access profile is configured with APM AAA NTLM Auth, undisclosed requests can cause an increase in internal resource utilization.

5.3
2022-05-05 CVE-2022-27182 F5 Resource Exhaustion vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, when BIG-IP packet filters are enabled and a virtual server is configured with the type set to Reject, undisclosed requests can cause an increase in memory resource utilization.

5.3
2022-05-05 CVE-2022-29479 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, when an IPv6 self IP address is configured and the ipv6.strictcompliance database key is enabled (disabled by default) on a BIG-IP system, undisclosed packets may cause decreased performance.

5.3
2022-05-05 CVE-2022-29480 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when multiple route domains are configured, undisclosed requests to big3d can cause an increase in CPU resource utilization.

5.3
2022-05-05 CVE-2021-39020 IBM Information Exposure vulnerability in IBM Guardium Data Encryption

IBM Guardium Data Encryption (GDE) 4.0.0.7 and lower stores sensitive information in URL parameters.

5.3
2022-05-03 CVE-2022-1343 Openssl
Netapp
Improper Certificate Validation vulnerability in multiple products

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response.

5.3
2022-05-03 CVE-2022-20748 Cisco Improper Handling of Exceptional Conditions vulnerability in Cisco Firepower Threat Defense 7.0.0

A vulnerability in the local malware analysis process of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.

5.3
2022-05-02 CVE-2021-4138 Mozilla Unspecified vulnerability in Mozilla Geckodriver

Improved Host header checks to reject requests not sent to a well-known local hostname or IP, or the server-specified hostname.

5.3
2022-05-02 CVE-2022-24974 Menlosecurity Unspecified vulnerability in Menlosecurity Email Isolation 2.81.1/2.81.8

Links may not be rewritten according to policy in some specially formatted emails.

5.3
2022-05-06 CVE-2021-39027 IBM Improper Encoding or Escaping of Output vulnerability in IBM Guardium Data Encryption 4.0.0.0/5.0.0.0

IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly.

5.0
2022-05-06 CVE-2020-19212 Piwigo SQL Injection vulnerability in Piwigo 2.9.5

SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.

4.9
2022-05-05 CVE-2022-26340 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, an authenticated, high-privileged attacker with no bash access may be able to access Certificate and Key files using Secure Copy (SCP) protocol from a remote system.

4.9
2022-05-05 CVE-2022-26835 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, directory traversal vulnerabilities exist in undisclosed iControl REST endpoints and TMOS Shell (tmsh) commands in F5 BIG-IP Guided Configuration, which may allow an authenticated attacker with at least resource administrator role privileges to read arbitrary files.

4.9
2022-05-04 CVE-2022-25786 Secomea Unspecified vulnerability in Secomea Gatemanager 9.6.621421014

Unprotected Alternate Channel vulnerability in debug console of GateManager allows system administrator to obtain sensitive information.

4.9
2022-05-06 CVE-2022-29422 Edmonsoft Unspecified vulnerability in Edmonsoft Countdown Builder

Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabilities in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-countdown-width, &ycd-progress-height, &ycd-progress-width, &ycd-button-margin-top, &ycd-button-margin-right, &ycd-button-margin-bottom, &ycd-button-margin-left, &ycd-circle-countdown-before-countdown, &ycd-circle-countdown-after-countdown vulnerable parameters.

4.8
2022-05-06 CVE-2022-28507 BDT 121 Project Cross-site Scripting vulnerability in Bdt-121 Project Bdt-121 Firmware 2.1.1T16

Dragon Path Technologies Bharti Airtel Routers Hardware BDT-121 version 1.0 is vulnerable to Cross Site Scripting (XSS) via Dragon path router admin page.

4.8
2022-05-06 CVE-2022-29420 Edmonsoft Unspecified vulnerability in Edmonsoft Countdown Builder

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Adam Skaat Countdown & Clock (WordPress plugin) countdown-builder allows Stored XSS.This issue affects Countdown & Clock (WordPress plugin): from n/a through 2.3.2.

4.8
2022-05-05 CVE-2022-27662 F5 Unspecified vulnerability in F5 Traffix Signaling Delivery Controller 5.1.0/5.2.0

On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Template Injection vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute template language-specific instructions in the context of the server.

4.8
2022-05-05 CVE-2022-27880 F5 Unspecified vulnerability in F5 Traffix Signaling Delivery Controller 5.1.0/5.2.0

On F5 Traffix SDC 5.2.x versions prior to 5.2.2 and 5.1.x versions prior to 5.1.35, a stored Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the Traffix SDC Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.

4.8
2022-05-04 CVE-2022-25784 Secomea Cross-site Scripting vulnerability in Secomea products

Cross-site Scripting (XSS) vulnerability in Web GUI of SiteManager allows logged-in user to inject scripting.

4.8
2022-05-03 CVE-2022-28589 Pixelimity Cross-site Scripting vulnerability in Pixelimity 1.0

A stored cross-site scripting (XSS) vulnerability in Pixelimity 1.0 allows attackers to execute arbitrary web scripts or HTML via the Title field in admin/pages.php?action=add_new

4.8
2022-05-02 CVE-2021-36844 Mythemeshop Unspecified vulnerability in Mythemeshop WP Subscribe

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress.

4.8
2022-05-02 CVE-2021-41810 M Files Cross-site Scripting vulnerability in M-Files Server

Admin tool allows storing configuration data with script which may then get run by another vault administrator.

4.8
2022-05-02 CVE-2022-0418 Event List Project Unspecified vulnerability in Event List Project Event List

The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed

4.8
2022-05-02 CVE-2022-0649 Ajdg Unspecified vulnerability in Ajdg Adrotate

The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-05-02 CVE-2022-0662 Ajdg Unspecified vulnerability in Ajdg Adrotate

The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-05-02 CVE-2022-1046 Vfbpro Unspecified vulnerability in Vfbpro Visual Form Builder

The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-05-02 CVE-2022-1255 Codection Cross-site Scripting vulnerability in Codection Import and Export Users and Customers

The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues

4.8
2022-05-04 CVE-2022-20794 Cisco Open Redirect vulnerability in Cisco Telepresence Collaboration Endpoint

Multiple vulnerabilities in the web engine of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, view sensitive data on an affected device, or redirect users to an attacker-controlled destination.

4.7
2022-05-03 CVE-2022-20097 Google Race Condition vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible information disclosure due to a race condition.

4.7
2022-05-02 CVE-2021-25102 Tipsandtricks HQ Unspecified vulnerability in Tipsandtricks-Hq ALL in ONE WP Security & Firewall

The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue.

4.7
2022-05-02 CVE-2022-29973 Exfat Project Allocation of Resources Without Limits or Throttling vulnerability in Exfat Project Exfat 1.3.0

relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength.

4.7
2022-05-05 CVE-2022-22434 IBM Unspecified vulnerability in IBM products

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects.

4.6
2022-05-05 CVE-2021-45783 Bookeen Path Traversal vulnerability in Bookeen Notea Firmware Bkr1.0.520210608

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

4.6
2022-05-03 CVE-2022-28782 Google Unspecified vulnerability in Google Android 11.0/12.0

Improper access control vulnerability in Contents To Window prior to SMR May-2022 Release 1 allows physical attacker to install package before completion of Setup wizard.

4.6
2022-05-04 CVE-2022-20734 Cisco Information Exposure vulnerability in Cisco Catalyst Sd-Wan Manager

A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, local attacker to view sensitive information on an affected system.

4.4
2022-05-03 CVE-2022-20102 Google Missing Authorization vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible information disclosure due to a missing permission check.

4.4
2022-05-03 CVE-2022-20103 Google Link Following vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible information disclosure due to symbolic link following.

4.4
2022-05-03 CVE-2022-20107 Google
Linux
Integer Overflow or Wraparound vulnerability in multiple products

In subtitle service, there is a possible application crash due to an integer overflow.

4.4
2022-05-03 CVE-2022-20096 Google Use of Uninitialized Resource vulnerability in Google Android

In camera, there is a possible information disclosure due to uninitialized data.

4.4
2022-05-03 CVE-2022-20098 Google Missing Authorization vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible information disclosure due to a missing permission check.

4.4
2022-05-03 CVE-2022-20100 Google Missing Authorization vulnerability in Google Android 11.0/12.0

In aee daemon, there is a possible information disclosure due to a missing permission check.

4.4
2022-05-03 CVE-2022-28793 Samsung Improper Check for Unusual or Exceptional Conditions vulnerability in Samsung Galaxy S22 Firmware

Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE.

4.4
2022-05-06 CVE-2022-27909 Jdownloads Unspecified vulnerability in Jdownloads 3.9.8.2

In Joomla component 'jDownloads 3.9.8.2 Stable' the remote user can change some parameters in the address bar and see the names of other users' files

4.3
2022-05-06 CVE-2022-26070 Splunk Information Exposure Through an Error Message vulnerability in Splunk

When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path.

4.3
2022-05-06 CVE-2022-24902 Python Resource Exhaustion vulnerability in Python Tkvideoplayer

TkVideoplayer is a simple library to play video files in tkinter.

4.3
2022-05-05 CVE-2022-1389 F5 Unspecified vulnerability in F5 products

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP (fixed in 17.0.0), a cross-site request forgery (CSRF) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.

4.3
2022-05-05 CVE-2022-1468 F5 Unspecified vulnerability in F5 products

On all versions of 17.0.x, 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x on F5 BIG-IP, an authenticated iControl REST user with at least guest role privileges can cause processing delays to iControl REST requests via undisclosed requests.

4.3
2022-05-05 CVE-2022-27659 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, an authenticated attacker can modify or delete Dashboards created by other BIG-IP users in the Traffic Management User Interface (TMUI).

4.3
2022-05-05 CVE-2022-29474 F5 Unspecified vulnerability in F5 products

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system.

4.3
2022-05-04 CVE-2021-43206 Fortinet Information Exposure Through an Error Message vulnerability in Fortinet Fortios and Fortiproxy

A server-generated error message containing sensitive information in Fortinet FortiOS 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.x, 6.0.x and FortiProxy 7.0.0 through 7.0.1, 2.0.x allows malicious webservers to retrieve a web proxy's client username and IP via same origin HTTP requests triggering proxy-generated HTTP status codes pages.

4.3
2022-05-04 CVE-2022-29950 Experian Unspecified vulnerability in Experian Hunter 1.16

Experian Hunter 1.16 allows remote authenticated users to modify assumed-immutable elements via the (1) rule name parameter to the Rules page or the (2) subrule name or (3) categories name parameter to the Subrules page.

4.3
2022-05-04 CVE-2022-25779 Secomea Resource Exhaustion vulnerability in Secomea products

Logging of Excessive Data vulnerability in audit log of Secomea GateManager allows logged in user to write text entries in audit log.

4.3
2022-05-04 CVE-2022-25780 Secomea Unspecified vulnerability in Secomea products

Information Exposure vulnerability in web UI of Secomea GateManager allows logged in user to query devices outside own scope.

4.3
2022-05-04 CVE-2022-25783 Secomea Unspecified vulnerability in Secomea products

Insufficient Logging vulnerability in web server of Secomea GateManager allows logged in user to issue improper queries without logging.

4.3
2022-05-04 CVE-2022-1502 Octopus Unspecified vulnerability in Octopus Server

Permissions were not properly verified in the API on projects using version control in Git.

4.3

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-06 CVE-2021-27751 Hcltechsw Insufficient Session Expiration vulnerability in Hcltechsw HCL Commerce

HCL Commerce is affected by an Insufficient Session Expiration vulnerability.

3.3
2022-05-03 CVE-2022-28784 Google Path Traversal vulnerability in Google Android 10.0/11.0/12.0

Path traversal vulnerability in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to list file names in arbitrary directory as system user.

3.3
2022-05-03 CVE-2022-28790 Samsung Improper Authentication vulnerability in Samsung Link to Windows Service

Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows attacker to lock the device.

3.3