Search
Total
6056 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6616 | 3 Apple, Google, Samsung | 7 Ipad Os, Iphone Os, Mac Os X and 4 more | 2022-04-26 | 3.3 LOW | 6.5 MEDIUM |
| Some Broadcom chips mishandle Bluetooth random-number generation because a low-entropy Pseudo Random Number Generator (PRNG) is used in situations where a Hardware Random Number Generator (HRNG) should have been used to prevent spoofing. This affects, for example, Samsung Galaxy S8, S8+, and Note8 devices with the BCM4361 chipset. The Samsung ID is SVE-2020-16882 (May 2020). | |||||
| CVE-2022-28868 | 1 F-secure | 1 Safe | 2022-04-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| An Address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted malicious webpage/URL, user may be tricked for a short period of time (until the page loads) to think content may be coming from a valid domain, while the content comes from the attacker controlled site. | |||||
| CVE-2021-3308 | 2 Fedoraproject, Xen | 2 Fedora, Xen | 2022-04-26 | 4.9 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI(-X) entries that the guest might had enabled, and hence will lead to vector exhaustion on the system, not allowing further PCI pass through devices to work properly. HVM guests with PCI pass through devices can mount a Denial of Service (DoS) attack affecting the pass through of PCI devices to other guests or the hardware domain. In the latter case, this would affect the entire host. | |||||
| CVE-2020-0591 | 2 Intel, Siemens | 202 Bios, Core I5-7640x, Core I7-3820 and 199 more | 2022-04-26 | 4.6 MEDIUM | 6.7 MEDIUM |
| Improper buffer restrictions in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-26539 | 1 Apostrophecms | 1 Sanitize-html | 2022-04-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option. | |||||
| CVE-2022-26911 | 1 Microsoft | 2 Lync Server, Skype For Business Server | 2022-04-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Skype for Business Information Disclosure Vulnerability. | |||||
| CVE-2022-26910 | 1 Microsoft | 1 Skype For Business Server | 2022-04-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Skype for Business and Lync Spoofing Vulnerability. | |||||
| CVE-2021-21147 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-04-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in Skia in Google Chrome prior to 88.0.4324.146 allowed a local attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-26897 | 1 Microsoft | 1 Azure Site Recovery | 2022-04-26 | 4.0 MEDIUM | 4.9 MEDIUM |
| Azure Site Recovery Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26896. | |||||
| CVE-2022-26896 | 1 Microsoft | 1 Azure Site Recovery | 2022-04-26 | 4.0 MEDIUM | 4.9 MEDIUM |
| Azure Site Recovery Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26897. | |||||
| CVE-2021-27653 | 1 Pega | 1 Infinity | 2022-04-25 | 4.0 MEDIUM | 4.9 MEDIUM |
| Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure. | |||||
| CVE-2021-25219 | 6 Debian, Fedoraproject, Isc and 3 more | 23 Debian Linux, Fedora, Bind and 20 more | 2022-04-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing. | |||||
| CVE-2021-3615 | 1 Lenovo | 6 Smart Camera C2e, Smart Camera C2e Firmware, Smart Camera X3 and 3 more | 2022-04-25 | 4.6 MEDIUM | 6.8 MEDIUM |
| A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow code execution if a specific file exists on the attached SD card. This vulnerability is the same as CNVD-2021-45262. | |||||
| CVE-2022-26920 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2022-04-25 | 4.9 MEDIUM | 5.5 MEDIUM |
| Windows Graphics Component Information Disclosure Vulnerability. | |||||
| CVE-2021-36012 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item. | |||||
| CVE-2021-1394 | 1 Cisco | 1 Ios Xe | 2022-04-25 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the ingress traffic manager of Cisco IOS XE Software for Cisco Network Convergence System (NCS) 520 Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the web management interface of an affected device. This vulnerability is due to incorrect processing of certain IPv4 TCP traffic that is destined to an affected device. An attacker could exploit this vulnerability by sending a large number of crafted TCP packets to the affected device. A successful exploit could allow the attacker to cause the web management interface to become unavailable, resulting in a DoS condition. Note: This vulnerability does not impact traffic that is going through the device or going to the Management Ethernet interface of the device. | |||||
| CVE-2021-1377 | 1 Cisco | 2 Ios, Ios Xe | 2022-04-25 | 5.0 MEDIUM | 5.8 MEDIUM |
| A vulnerability in Address Resolution Protocol (ARP) management of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent an affected device from resolving ARP entries for legitimate hosts on the connected subnets. This vulnerability exists because ARP entries are mismanaged. An attacker could exploit this vulnerability by continuously sending traffic that results in incomplete ARP entries. A successful exploit could allow the attacker to cause ARP requests on the device to be unsuccessful for legitimate hosts, resulting in a denial of service (DoS) condition. | |||||
| CVE-2022-26785 | 1 Microsoft | 3 Windows Server 2016, Windows Server 2019, Windows Server 2022 | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-24490, CVE-2022-24539, CVE-2022-26783. | |||||
| CVE-2022-26784 | 1 Microsoft | 4 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 1 more | 2022-04-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-24484, CVE-2022-24538. | |||||
| CVE-2022-26783 | 1 Microsoft | 3 Windows Server 2016, Windows Server 2019, Windows Server 2022 | 2022-04-25 | 6.8 MEDIUM | 6.5 MEDIUM |
| Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-24490, CVE-2022-24539, CVE-2022-26785. | |||||
| CVE-2022-24539 | 1 Microsoft | 3 Windows Server 2016, Windows Server 2019, Windows Server 2022 | 2022-04-25 | 6.8 MEDIUM | 6.5 MEDIUM |
| Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-24490, CVE-2022-26783, CVE-2022-26785. | |||||
| CVE-2022-28870 | 1 F-secure | 1 Safe | 2022-04-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the address bar was not correct if navigation fails. | |||||
| CVE-2021-37995 | 2 Debian, Google | 2 Debian Linux, Chrome | 2022-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in WebApp Installer in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially overlay and spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-37994 | 2 Debian, Google | 2 Debian Linux, Chrome | 2022-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in iFrame Sandbox in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2022-0688 | 1 Microweber | 1 Microweber | 2022-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| Business Logic Errors in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2022-23981 | 1 Quadlayers | 1 Perfect Brands For Woocommerce | 2022-02-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| The vulnerability allows Subscriber+ level users to create brands in WordPress Perfect Brands for WooCommerce plugin (versions <= 2.0.4). | |||||
| CVE-2022-0118 | 1 Google | 1 Chrome | 2022-02-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in WebShare in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially hide the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-22041 | 1 Vmware | 4 Cloud Foundation, Esxi, Fusion and 1 more | 2022-02-24 | 4.6 MEDIUM | 6.7 MEDIUM |
| VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. | |||||
| CVE-2021-23219 | 3 Linux, Microsoft, Nvidia | 137 Linux Kernel, Windows, Dgx-1 P100 and 134 more | 2022-02-24 | 1.9 LOW | 4.1 MEDIUM |
| NVIDIA GPU and Tegra hardware contain a vulnerability in the internal microcontroller, which may allow a user with elevated privileges to access protected information by identifying, exploiting, and loading vulnerable microcode. Such an attack may lead to information disclosure. | |||||
| CVE-2019-4351 | 1 Ibm | 1 Maximo Anywhere | 2022-02-23 | 2.1 LOW | 4.6 MEDIUM |
| IBM Maximo Anywhere 7.6.4.0 applications could disclose sensitive information to a user with physical access to the device. IBM X-Force ID: 161493. | |||||
| CVE-2022-25204 | 1 Jenkins | 1 Doktor | 2022-02-23 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists. | |||||
| CVE-2021-39116 | 1 Atlassian | 2 Data Center, Jira | 2022-02-23 | 4.3 MEDIUM | 5.5 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the GIF Image Reader component. The affected versions are before version 8.13.14, and from version 8.14.0 before 8.19.0. | |||||
| CVE-2021-39080 | 1 Ibm | 1 Cognos Analytics Mobile | 2022-02-23 | 6.4 MEDIUM | 6.5 MEDIUM |
| Due to weak obfuscation, IBM Cognos Analytics Mobile for Android application prior to version 1.1.14 , an attacker could be able to reverse engineer the codebase to gain knowledge about the programming technique, interface, class definitions, algorithms and functions used. IBM X-Force ID: 215593. | |||||
| CVE-2022-23633 | 1 Rubyonrails | 1 Rails | 2022-02-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used. | |||||
| CVE-2022-0116 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| Inappropriate implementation in Compositing in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-0294 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Push messaging in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||||
| CVE-2022-0292 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Fenced Frames in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2022-0291 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in Storage in Google Chrome prior to 97.0.4692.99 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||||
| CVE-2022-24001 | 1 Google | 1 Android | 2022-02-22 | 2.1 LOW | 4.6 MEDIUM |
| Information disclosure vulnerability in Edge Panel prior to Android S(12) allows physical attackers to access screenshot in clipboard via Edge Panel. | |||||
| CVE-2022-0112 | 1 Google | 1 Chrome | 2022-02-22 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect security UI in Browser UI in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to display missing URL or incorrect URL via a crafted URL. | |||||
| CVE-2021-29974 | 1 Mozilla | 1 Firefox | 2022-02-22 | 2.6 LOW | 4.3 MEDIUM |
| When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically. This vulnerability affects Firefox < 90. | |||||
| CVE-2021-38491 | 1 Mozilla | 1 Firefox | 2022-02-22 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mixed-content checks were unable to analyze opaque origins which led to some mixed content being loaded. This vulnerability affects Firefox < 92. | |||||
| CVE-2020-1954 | 3 Apache, Netapp, Oracle | 10 Cxf, Oncommand Workflow Automation, Snapmanager and 7 more | 2022-02-21 | 2.9 LOW | 5.3 MEDIUM |
| Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX. | |||||
| CVE-2019-15718 | 3 Fedoraproject, Redhat, Systemd Project | 14 Fedora, Enterprise Linux, Enterprise Linux Eus and 11 more | 2022-02-20 | 3.6 LOW | 4.4 MEDIUM |
| In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings. | |||||
| CVE-2022-24003 | 1 Samsung | 1 Bixby Vision | 2022-02-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| Exposure of Sensitive Information vulnerability in Bixby Vision prior to version 3.7.50.6 allows attackers to access internal data of Bixby Vision via unprotected intent. | |||||
| CVE-2022-23426 | 1 Google | 1 Android | 2022-02-18 | 3.6 LOW | 6.0 MEDIUM |
| A vulnerability using PendingIntent in DeX Home and DeX for PC prior to SMR Feb-2022 Release 1 allows attackers to access files with system privilege. | |||||
| CVE-2021-38022 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in WebAuthentication in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2021-38021 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in referrer in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||||
| CVE-2021-38018 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Inappropriate implementation in navigation in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||
| CVE-2021-4054 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2022-02-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| Incorrect security UI in autofill in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||||