Search
Total
2136 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29812 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 2.1 LOW | 2.3 LOW |
| In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient | |||||
| CVE-2022-29816 | 1 Jetbrains | 1 Intellij Idea | 2022-05-05 | 2.1 LOW | 3.3 LOW |
| In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible | |||||
| CVE-2022-29820 | 1 Jetbrains | 1 Pycharm | 2022-05-05 | 3.3 LOW | 3.5 LOW |
| In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible | |||||
| CVE-2021-36192 | 1 Fortinet | 1 Fortimanager | 2022-05-03 | 2.1 LOW | 3.8 LOW |
| An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS. | |||||
| CVE-2021-22468 | 1 Huawei | 1 Harmonyos | 2022-05-03 | 2.1 LOW | 3.3 LOW |
| A component of the HarmonyOS has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability. Local attackers may exploit this vulnerability to cause kernel address leakage. | |||||
| CVE-2020-18900 | 1 Libexe Project | 1 Libexe | 2022-05-03 | 1.9 LOW | 3.3 LOW |
| ** DISPUTED ** A heap-based buffer overflow in the libexe_io_handle_read_coff_optional_header function of libyal libexe before 20181128. NOTE: the vendor has disputed this as described in libyal/libexe issue 1 on GitHub. | |||||
| CVE-2021-36282 | 1 Dell | 1 Emc Powerscale Onefs | 2022-05-03 | 2.1 LOW | 3.3 LOW |
| Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This can potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions. | |||||
| CVE-2021-22308 | 1 Huawei | 2 Emui, Magic Ui | 2022-05-03 | 2.1 LOW | 3.3 LOW |
| There is a Business Logic Errors vulnerability in Huawei Smartphone. The malicious apps installed on the device can keep taking screenshots in the background. This issue does not cause system errors, but may cause personal information leakage. | |||||
| CVE-2020-27746 | 2 Debian, Schedmd | 2 Debian Linux, Slurm | 2022-05-03 | 4.3 MEDIUM | 3.7 LOW |
| Slurm before 19.05.8 and 20.x before 20.02.6 exposes Sensitive Information to an Unauthorized Actor because xauth for X11 magic cookies is affected by a race condition in a read operation on the /proc filesystem. | |||||
| CVE-2020-25779 | 1 Trendmicro | 1 Antivirus | 2022-05-03 | 2.1 LOW | 3.3 LOW |
| Trend Micro Antivirus for Mac 2020 (Consumer) has a vulnerability in which a Internationalized Domain Name homograph attack (Puny-code) could be used to add a malicious website to the approved websites list of Trend Micro Antivirus for Mac to bypass the web threat protection feature. | |||||
| CVE-2022-21486 | 2 Netapp, Oracle | 4 Active Iq Unified Manager, Oncommand Insight, Snapcenter and 1 more | 2022-05-03 | 2.9 LOW | 2.9 LOW |
| Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L). | |||||
| CVE-2022-21484 | 2 Netapp, Oracle | 4 Active Iq Unified Manager, Oncommand Insight, Snapcenter and 1 more | 2022-05-02 | 2.9 LOW | 2.9 LOW |
| Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L). | |||||
| CVE-2022-21485 | 2 Netapp, Oracle | 4 Active Iq Unified Manager, Oncommand Insight, Snapcenter and 1 more | 2022-05-02 | 2.9 LOW | 2.9 LOW |
| Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L). | |||||
| CVE-2022-21488 | 1 Oracle | 1 Vm Virtualbox | 2022-04-29 | 2.1 LOW | 3.8 LOW |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.8 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N). | |||||
| CVE-2022-21487 | 1 Oracle | 1 Vm Virtualbox | 2022-04-29 | 2.1 LOW | 3.8 LOW |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). | |||||
| CVE-2020-14634 | 3 Canonical, Netapp, Oracle | 3 Ubuntu Linux, Snapcenter, Mysql | 2022-04-28 | 4.0 MEDIUM | 2.7 LOW |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2019-20634 | 1 Proofpoint | 1 Email Protection | 2022-04-27 | 4.3 MEDIUM | 3.7 LOW |
| An issue was discovered in Proofpoint Email Protection through 2019-09-08. By collecting scores from Proofpoint email headers, it is possible to build a copy-cat Machine Learning Classification model and extract insights from this model. The insights gathered allow an attacker to craft emails that receive preferable scores, with a goal of delivering malicious emails. | |||||
| CVE-2020-11736 | 3 Canonical, Debian, Gnome | 3 Ubuntu Linux, Debian Linux, File-roller | 2022-04-27 | 3.3 LOW | 3.9 LOW |
| fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. | |||||
| CVE-2020-11526 | 4 Canonical, Debian, Freerdp and 1 more | 4 Ubuntu Linux, Debian Linux, Freerdp and 1 more | 2022-04-26 | 3.5 LOW | 2.2 LOW |
| libfreerdp/core/update.c in FreeRDP versions > 1.1 through 2.0.0-rc4 has an Out-of-bounds Read. | |||||
| CVE-2019-19126 | 3 Canonical, Fedoraproject, Gnu | 3 Ubuntu Linux, Fedora, Glibc | 2022-04-26 | 2.1 LOW | 3.3 LOW |
| On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. | |||||
| CVE-2020-12394 | 1 Mozilla | 1 Firefox | 2022-04-26 | 2.1 LOW | 3.3 LOW |
| A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76. | |||||
| CVE-2020-16166 | 7 Canonical, Debian, Fedoraproject and 4 more | 16 Ubuntu Linux, Debian Linux, Fedora and 13 more | 2022-04-26 | 4.3 MEDIUM | 3.7 LOW |
| The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c. | |||||
| CVE-2021-3392 | 3 Debian, Fedoraproject, Qemu | 3 Debian Linux, Fedora, Qemu | 2022-04-26 | 2.1 LOW | 3.2 LOW |
| A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. | |||||
| CVE-2020-35448 | 2 Gnu, Netapp | 2 Binutils, Ontap Select Deploy Administration Utility | 2022-04-26 | 4.3 MEDIUM | 3.3 LOW |
| An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c. | |||||
| CVE-2020-29668 | 3 Debian, Fedoraproject, Sympa | 3 Debian Linux, Fedora, Sympa | 2022-04-26 | 4.3 MEDIUM | 3.7 LOW |
| Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. | |||||
| CVE-2020-14354 | 2 C-ares Project, Fedoraproject | 2 C-ares, Fedora | 2022-04-26 | 2.1 LOW | 3.3 LOW |
| A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability. | |||||
| CVE-2020-2297 | 1 Jenkins | 1 Sms Notification | 2022-04-25 | 2.1 LOW | 3.3 LOW |
| Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2020-2291 | 1 Jenkins | 1 Couchdb-statistics | 2022-04-25 | 2.1 LOW | 3.3 LOW |
| Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2021-3533 | 2 Fedoraproject, Redhat | 6 Fedora, Ansible Automation Platform, Ansible Engine and 3 more | 2022-04-25 | 1.2 LOW | 2.5 LOW |
| A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2. | |||||
| CVE-2022-0279 | 1 Bologer | 1 Anycomment | 2022-02-28 | 3.5 LOW | 3.1 LOW |
| The AnyComment WordPress plugin before 0.2.18 is affected by a race condition when liking/disliking a comment/reply, which could allow any authenticated user to quickly raise their rating or lower the rating of other users | |||||
| CVE-2021-25075 | 1 Wpdevart | 1 Duplicate Page Or Post | 2022-02-28 | 3.5 LOW | 3.5 LOW |
| The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-25743 | 1 Kubernetes | 1 Kubernetes | 2022-02-28 | 2.1 LOW | 3.0 LOW |
| kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events. | |||||
| CVE-2021-46608 | 1 Bentley | 3 Microstation, Microstation Connect, View | 2022-02-26 | 4.3 MEDIUM | 3.3 LOW |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-15402. | |||||
| CVE-2021-46607 | 1 Bentley | 3 Microstation, Microstation Connect, View | 2022-02-26 | 4.3 MEDIUM | 3.3 LOW |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-15401. | |||||
| CVE-2021-46602 | 1 Bentley | 3 Microstation, Microstation Connect, View | 2022-02-26 | 4.3 MEDIUM | 3.3 LOW |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-15396. | |||||
| CVE-2021-46600 | 1 Bentley | 3 Microstation, Microstation Connect, View | 2022-02-26 | 4.3 MEDIUM | 3.3 LOW |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JT files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-15394. | |||||
| CVE-2021-46599 | 1 Bentley | 3 Microstation, Microstation Connect, View | 2022-02-26 | 4.3 MEDIUM | 3.3 LOW |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-15393. | |||||
| CVE-2022-0474 | 1 Otrs | 1 Custom Contact Fields | 2022-02-25 | 3.5 LOW | 3.5 LOW |
| Full list of recipients from customer users in a contact field could be disclosed in notification emails event when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions. | |||||
| CVE-2020-8562 | 1 Kubernetes | 1 Kubernetes | 2022-02-25 | 3.5 LOW | 3.1 LOW |
| As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. | |||||
| CVE-2019-4352 | 1 Ibm | 1 Maximo Anywhere | 2022-02-23 | 2.1 LOW | 2.4 LOW |
| IBM Maximo Anywhere 7.6.4.0 applications could allow obfuscation of the application source code. IBM X-Force ID: 161494. | |||||
| CVE-2021-25109 | 1 Futuriowp | 1 Futurio Extra | 2022-02-22 | 4.0 MEDIUM | 2.7 LOW |
| The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link. | |||||
| CVE-2021-25014 | 1 Vowelweb | 1 Ibtana | 2022-02-22 | 3.5 LOW | 3.5 LOW |
| The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. | |||||
| CVE-2022-24923 | 1 Samsung | 1 Searchwidget | 2022-02-22 | 2.1 LOW | 3.3 LOW |
| Improper access control vulnerability in Samsung SearchWidget prior to versions 2.3.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview. | |||||
| CVE-2022-24000 | 1 Google | 1 Android | 2022-02-22 | 2.1 LOW | 3.3 LOW |
| PendingIntent hijacking vulnerability in DataUsageReminderReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent. | |||||
| CVE-2022-23999 | 1 Google | 1 Android | 2022-02-22 | 2.1 LOW | 3.3 LOW |
| PendingIntent hijacking vulnerability in CpaReceiver prior to SMR Feb-2022 Release 1 allows local attackers to access media files without permission in KnoxPrivacyNoticeReceiver via implicit Intent. | |||||
| CVE-2022-23996 | 1 Samsung | 1 Wear Os | 2022-02-22 | 4.3 MEDIUM | 3.3 LOW |
| Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission. | |||||
| CVE-2020-18442 | 3 Debian, Fedoraproject, Zziplib Project | 3 Debian Linux, Fedora, Zziplib | 2022-02-22 | 2.1 LOW | 3.3 LOW |
| Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file". | |||||
| CVE-2022-23995 | 1 Samsung | 1 Wear Os | 2022-02-22 | 4.3 MEDIUM | 3.3 LOW |
| Unprotected component vulnerability in StBedtimeModeAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission. | |||||
| CVE-2022-23994 | 1 Samsung | 1 Wear Os | 2022-02-22 | 4.3 MEDIUM | 3.3 LOW |
| An Improper access control vulnerability in StBedtimeModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission. | |||||
| CVE-2020-9389 | 1 Squaredup | 1 Squaredup | 2022-02-22 | 4.3 MEDIUM | 3.7 LOW |
| A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid username due to a different response time from invalid usernames. | |||||