Total: 17685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21874 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-04-28 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in DSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21873 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-04-28 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in RSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21872 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-04-28 | 9.0 HIGH | 9.9 CRITICAL |
| An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21805 | 1 Advantech | 1 R-seenet | 2022-04-28 | 10.0 HIGH | 9.8 CRITICAL |
| An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21804 | 1 Advantech | 1 R-seenet | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21833 | 1 Accusoft | 1 Imagegear | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| An improper array index validation vulnerability exists in the TIF IP_planar_raster_unpack functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2022-28431 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&social=remove&sid=2. | |||||
| CVE-2022-28429 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=delete&msgid=. | |||||
| CVE-2022-28427 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/inbox.php&action=read&msgid=. | |||||
| CVE-2022-28023 | 1 Purchase Order Management System Project | 1 Purchase Order Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_supplier. | |||||
| CVE-2022-28432 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=display&value=0&sid=2. | |||||
| CVE-2022-28435 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/siteoptions.php&action=displaygoal&value=1&roleid=1. | |||||
| CVE-2022-28434 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=edit&sid=2. | |||||
| CVE-2022-28433 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Show&userid=. | |||||
| CVE-2022-28439 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&&action=delete&userid=4. | |||||
| CVE-2022-28438 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=User&userid=. | |||||
| CVE-2022-28436 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Hide&userid=. | |||||
| CVE-2022-28416 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_phase. | |||||
| CVE-2022-28415 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_collection. | |||||
| CVE-2022-28414 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via /hocms/classes/Master.php?f=delete_member. | |||||
| CVE-2022-28413 | 1 Car Driving School Management System Project | 1 Car Driving School Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Car Driving School Management System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_enrollment. | |||||
| CVE-2022-28412 | 1 Car Driving School Management System Project | 1 Car Driving School Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Car Driving School Management System v1.0 was discovered to contain a SQL injection vulnerability via /cdsms/classes/Master.php?f=delete_package. | |||||
| CVE-2022-28411 | 1 Simple Real Estate Portal System Portal | 1 Simple Real Estate Portal System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/admin/?page=agents/manage_agent. | |||||
| CVE-2022-28410 | 1 Simple Real Estate Portal System Project | 1 Simple Real Estate Portal System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Users.php?f=delete_agent. | |||||
| CVE-2022-28030 | 1 Simple Real Estate Portal System Project | 1 Simple Real Estate Portal System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_estate. | |||||
| CVE-2022-28029 | 1 Simple Real Estate Portal System Project | 1 Simple Real Estate Portal System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_type. | |||||
| CVE-2022-28028 | 1 Simple Real Estate Portal System Project | 1 Simple Real Estate Portal System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_amenity. | |||||
| CVE-2022-28026 | 1 Student Grading System Project | 1 Student Grading System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=student_p&id=. | |||||
| CVE-2022-28025 | 1 Student Grading System Project | 1 Student Grading System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=school_year. | |||||
| CVE-2022-28024 | 1 Student Grading System Project | 1 Student Grading System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=grade. | |||||
| CVE-2021-4039 | 1 Zyxel | 2 Nwa1100-nh, Nwa1100-nh Firmware | 2022-04-28 | 10.0 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device. | |||||
| CVE-2022-21445 | 1 Oracle | 1 Jdeveloper | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2022-28437 | 1 Baby Care System Project | 1 Baby Care System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=Admin&userid=3. | |||||
| CVE-2022-28022 | 1 Purchase Order Management System Project | 1 Purchase Order Management System | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item. | |||||
| CVE-2022-27862 | 1 Vikwp | 1 Vikbooking Hotel Booking Engine & Property Management System Plugin | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary File Upload leading to RCE in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows attackers to upload and execute dangerous file types (e.g. PHP shell) via the signature upload on the booking form. | |||||
| CVE-2022-1162 | 1 Gitlab | 1 Gitlab | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts. | |||||
| CVE-2022-24231 | 1 Simple Student Information System Project | 1 Simple Student Information System | 2022-04-27 | 10.0 HIGH | 9.8 CRITICAL |
| Simple Student Information System v1.0 was discovered to contain a SQL injection vulnerability via add/Student. | |||||
| CVE-2022-21431 | 1 Oracle | 1 Communications Billing And Revenue Management | 2022-04-27 | 7.5 HIGH | 10.0 CRITICAL |
| Vulnerability in the Oracle Communications Billing and Revenue Management product of Oracle Communications Applications (component: Connection Manager). Supported versions that are affected are 12.0.0.4 and 12.0.0.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Communications Billing and Revenue Management. While the vulnerability is in Oracle Communications Billing and Revenue Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Communications Billing and Revenue Management. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | |||||
| CVE-2022-21420 | 1 Oracle | 1 Coherence | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2021-42847 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files. | |||||
| CVE-2019-2725 | 1 Oracle | 8 Agile Plm, Communications Converged Application Server, Peoplesoft Enterprise Peopletools and 5 more | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2020-15900 | 3 Artifex, Canonical, Opensuse | 3 Ghostscript, Ubuntu Linux, Leap | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b. | |||||
| CVE-2020-6102 | 1 Amd | 1 Radeon Directx 11 Driver Atidxx64.dll | 2022-04-27 | 6.5 MEDIUM | 9.9 CRITICAL |
| An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a HYPER-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the HYPER-V host (inside the rdvgm.exe process). Theoretically, this vulnerability could also be triggered from a web browser (using WebGL and WebAssembly). | |||||
| CVE-2022-0992 | 1 Siteground | 1 Siteground Security | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5. | |||||
| CVE-2020-12720 | 1 Vbulletin | 1 Vbulletin | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control. | |||||
| CVE-2022-27104 | 1 Formalms | 1 Formalms | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3. | |||||
| CVE-2022-26651 | 1 Digium | 2 Asterisk, Certified Asterisk | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14. | |||||
| CVE-2021-3652 | 1 Port389 | 1 389-ds-base | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled. | |||||
| CVE-2022-0785 | 1 Daily Prayer Time Project | 1 Daily Prayer Time | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection. | |||||
| CVE-2019-12525 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2022-04-26 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1. | |||||
