Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-21670 | 1 Markdown-it Project | 1 Markdown-it | 2022-01-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading. | |||||
| CVE-2022-22821 | 1 Nvidia | 1 Nemo | 2022-01-18 | 2.1 LOW | 4.4 MEDIUM |
| NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in which ../ Path Traversal may lead to deletion of any directory when admin privileges are available. | |||||
| CVE-2022-22284 | 1 Samsung | 1 Internet | 2022-01-18 | 2.1 LOW | 5.5 MEDIUM |
| Improper authentication vulnerability in Samsung Internet prior to 16.0.2.19 allows attackers to bypass secret mode password authentication | |||||
| CVE-2015-7515 | 1 Linux | 1 Linux Kernel | 2022-01-18 | 4.9 MEDIUM | 4.6 MEDIUM |
| The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel before 4.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints. | |||||
| CVE-2021-28377 | 1 Chronoengine | 1 Chronoforums | 2022-01-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files. | |||||
| CVE-2022-0159 | 1 Orchardcore | 1 Orchardcore | 2022-01-18 | 3.5 LOW | 5.4 MEDIUM |
| orchardcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2022-0087 | 1 Keystonejs | 1 Keystone | 2022-01-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-30313 | 1 Qualcomm | 360 Apq8096au, Apq8096au Firmware, Ar8031 and 357 more | 2022-01-18 | 4.4 MEDIUM | 6.4 MEDIUM |
| Use after free condition can occur in wired connectivity due to a race condition while creating and deleting folders in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2022-22846 | 1 Dnslib Project | 1 Dnslib | 2022-01-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query. | |||||
| CVE-2021-46145 | 1 Honda | 1 Civic 2012 | 2022-01-18 | 2.9 LOW | 5.3 MEDIUM |
| The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter resynchronization. | |||||
| CVE-2021-23425 | 1 Trim-off-newlines Project | 1 Trim-off-newlines | 2022-01-18 | 5.0 MEDIUM | 5.3 MEDIUM |
| All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing. | |||||
| CVE-2020-9061 | 4 Aeotec, Samsung, Silabs and 1 more | 6 Zw090-a, Sth-eth-200, 500 Series Firmware and 3 more | 2022-01-18 | 3.3 LOW | 6.5 MEDIUM |
| Z-Wave devices using Silicon Labs 500 and 700 series chipsets, including but not likely limited to the SiLabs UZB-7 version 7.00, ZooZ ZST10 version 6.04, Aeon Labs ZW090-A version 3.95, and Samsung STH-ETH-200 version 6.04, are susceptible to denial of service via malformed routing messages. | |||||
| CVE-2020-9060 | 4 Aeotec, Fibaro, Silabs and 1 more | 6 Zw090-a, Fgwpb-111, 500 Series Firmware and 3 more | 2022-01-18 | 6.1 MEDIUM | 6.5 MEDIUM |
| Z-Wave devices based on Silicon Labs 500 series chipsets using S2, including but likely not limited to the ZooZ ZST10 version 6.04, ZooZ ZEN20 version 5.03, ZooZ ZEN25 version 5.03, Aeon Labs ZW090-A version 3.95, and Fibaro FGWPB-111 version 4.3, are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages. | |||||
| CVE-2020-9059 | 2 Schlage, Silabs | 2 Be468, 500 Series Firmware | 2022-01-18 | 6.1 MEDIUM | 6.5 MEDIUM |
| Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption leading to battery exhaustion. As an example, the Schlage BE468 version 3.42 door lock is vulnerable and fails open at a low battery level. | |||||
| CVE-2020-10137 | 1 Silabs | 2 700 Series Firmware, Uzb-7 | 2022-01-18 | 3.3 LOW | 6.5 MEDIUM |
| Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames, allowing a remote, unauthenticated attacker to inject a FIND_NODE_IN_RANGE frame with an invalid random payload, denying service by blocking the processing of upcoming events. | |||||
| CVE-2021-25047 | 1 10web | 1 10websocial | 2022-01-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the wdi_apply_changes admin page, allowing an attacker to perform such attack against any logged in users | |||||
| CVE-2021-22147 | 1 Elastic | 1 Elasticsearch | 2022-01-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. | |||||
| CVE-2021-44926 | 1 Gpac | 1 Gpac | 2022-01-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A null pointer dereference vulnerability exists in gpac 1.1.0-DEV in the gf_node_get_tag function, which causes a segmentation fault and application crash. | |||||
| CVE-2021-44919 | 1 Gpac | 1 Gpac | 2022-01-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_alloc function in gpac 1.1.0-DEV, which causes a segmentation fault and application crash. | |||||
| CVE-2021-37971 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2022-01-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-45054 | 3 Adobe, Apple, Microsoft | 3 Incopy, Macos, Windows | 2022-01-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| Adobe InCopy version 16.4 (and earlier) is affected by a use-after-free vulnerability in the processing of a JPEG2000 file that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-44178 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-01-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a reflected Cross-Site Scripting (XSS) vulnerability via the itemResourceType parameter. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser | |||||
| CVE-2022-22271 | 1 Google | 1 Android | 2022-01-15 | 2.1 LOW | 5.5 MEDIUM |
| A missing input validation before memory copy in TIMA trustlet prior to SMR Jan-2022 Release 1 allows attackers to copy data from arbitrary memory. | |||||
| CVE-2021-46225 | 1 Libmeshb Project | 1 Libmeshb | 2022-01-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| A buffer overflow in the GmfOpenMesh() function of libMeshb v7.61 allows attackers to cause a Denial of Service (DoS) via a crafted MESH file. | |||||
| CVE-2021-43764 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-01-14 | 3.5 LOW | 5.4 MEDIUM |
| AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-44176 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-43765 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2021-44177 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2022-22268 | 1 Google | 1 Android | 2022-01-14 | 3.6 LOW | 6.1 MEDIUM |
| Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporary unlock the Knox Guard via Samsung DeX mode. | |||||
| CVE-2021-38674 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2022-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later | |||||
| CVE-2021-25043 | 1 Pluginus | 1 Woocommerce Currency Switcher | 2022-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2022-22116 | 1 Rangerstudio | 1 Directus | 2022-01-14 | 3.5 LOW | 5.4 MEDIUM |
| In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim’s browser when they open the image URL. | |||||
| CVE-2022-22117 | 1 Rangerstudio | 1 Directus | 2022-01-14 | 3.5 LOW | 5.4 MEDIUM |
| In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered. | |||||
| CVE-2022-22124 | 1 Fit2cloud | 1 Halo | 2022-01-14 | 3.5 LOW | 5.4 MEDIUM |
| In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser. | |||||
| CVE-2022-22123 | 1 Fit2cloud | 1 Halo | 2022-01-14 | 3.5 LOW | 5.4 MEDIUM |
| In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server. | |||||
| CVE-2022-22263 | 1 Google | 1 Android | 2022-01-14 | 2.1 LOW | 5.5 MEDIUM |
| Unprotected dynamic receiver in SecSettings prior to SMR Jan-2022 Release 1 allows untrusted applications to launch arbitrary activity. | |||||
| CVE-2021-41767 | 1 Apache | 1 Guacamole | 2022-01-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apache Guacamole 1.3.0 and older may incorrectly include a private tunnel identifier in the non-private details of some REST responses. This may allow an authenticated user who already has permission to access a particular connection to read from or interact with another user's active use of that same connection. | |||||
| CVE-2021-40576 | 1 Gpac | 1 Gpac | 2022-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the gf_isom_get_payt_count function in hint_track.c, which allows attackers to cause a denial of service. | |||||
| CVE-2021-40575 | 1 Gpac | 1 Gpac | 2022-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the mpgviddmx_process function in reframe_mpgvid.c, which allows attackers to cause a denial of service. This vulnerability is possibly due to an incomplete fix for CVE-2021-40566. | |||||
| CVE-2021-40573 | 1 Gpac | 1 Gpac | 2022-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_list_del function in list.c, which allows attackers to cause a denial of service. | |||||
| CVE-2021-40572 | 1 Gpac | 1 Gpac | 2022-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_finalize function in reframe_av1.c, which allows attackers to cause a denial of service. | |||||
| CVE-2021-40569 | 1 Gpac | 1 Gpac | 2022-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The binary MP4Box in Gpac through 1.0.1 has a double-free vulnerability in the iloc_entry_del funciton in box_code_meta.c, which allows attackers to cause a denial of service. | |||||
| CVE-2021-40567 | 1 Gpac | 1 Gpac | 2022-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| Segmentation fault vulnerability exists in Gpac through 1.0.1 via the gf_odf_size_descriptor function in desc_private.c when using mp4box, which causes a denial of service. | |||||
| CVE-2022-0179 | 1 Snipeitapp | 1 Snipe-it | 2022-01-14 | 4.9 MEDIUM | 5.4 MEDIUM |
| snipe-it is vulnerable to Improper Access Control | |||||
| CVE-2021-41789 | 1 Mediatek | 4 Mt7615, Mt7615 Firmware, Mt7622 and 1 more | 2022-01-14 | 6.1 MEDIUM | 6.5 MEDIUM |
| In wifi driver, there is a possible system crash due to a missing validation check. This could lead to remote denial of service from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: GN20190426015; Issue ID: GN20190426015. | |||||
| CVE-2022-21823 | 1 Ivanti | 1 Workspace Control | 2022-01-14 | 2.1 LOW | 5.5 MEDIUM |
| A insecure storage of sensitive information vulnerability exists in Ivanti Workspace Control <2021.2 (10.7.30.0) that could allow an attacker with locally authenticated low privileges to obtain key information due to an unspecified attack vector. | |||||
| CVE-2021-42749 | 1 Fastlinemedia | 1 Beaver Themer | 2022-01-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Beaver Themer, attackers can bypass conditional logic controls (for hiding content) when viewing the post archives. Exploitation requires that a Themer layout is applied to the archives, and that the post excerpt field is not set. | |||||
| CVE-2021-44528 | 1 Rubyonrails | 1 Rails | 2022-01-14 | 5.8 MEDIUM | 6.1 MEDIUM |
| A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. | |||||
| CVE-2021-23173 | 1 Philips | 1 Engage | 2022-01-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| The affected product is vulnerable to an improper access control, which may allow an authenticated user to gain unauthorized access to sensitive data. | |||||
| CVE-2021-40566 | 1 Gpac | 1 Gpac | 2022-01-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Segmentation fault casued by heap use after free vulnerability exists in Gpac through 1.0.1 via the mpgviddmx_process function in reframe_mpgvid.c when using mp4box, which causes a denial of service. | |||||