Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-42841 | 1 Practo | 1 Insta Hms | 2022-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insta HMS before 12.4.10 is vulnerable to XSS because of improper validation of user-supplied input by multiple scripts. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. | |||||
| CVE-2021-45829 | 1 Hdfgroup | 1 Hdf5 | 2022-01-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denial of Service. | |||||
| CVE-2021-44674 | 1 Opmantek | 1 Open-audit | 2022-01-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information exposure issue has been discovered in Opmantek Open-AudIT 4.2.0. The vulnerability allows an authenticated attacker to read file outside of the restricted directory. | |||||
| CVE-2021-43861 | 1 Mermaid Project | 1 Mermaid | 2022-01-11 | 3.5 LOW | 5.4 MEDIUM |
| Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-45950 | 1 Gnu | 1 Libredwg | 2022-01-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in dwg_free_BLOCK_private (called from dwg_free_BLOCK and dwg_free_object). | |||||
| CVE-2021-1918 | 1 Qualcomm | 60 Qca6391, Qca6391 Firmware, Qcm6490 and 57 more | 2022-01-11 | 2.1 LOW | 6.5 MEDIUM |
| Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | |||||
| CVE-2021-23147 | 1 Netgear | 2 R6700, R6700 Firmware | 2022-01-11 | 7.2 HIGH | 6.8 MEDIUM |
| Netgear Nighthawk R6700 version 1.0.4.120 does not have sufficient protections for the UART console. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection and execute commands as the root user without authentication. | |||||
| CVE-2021-20171 | 1 Netgear | 2 Rax43, Rax43 Firmware | 2022-01-11 | 2.1 LOW | 5.5 MEDIUM |
| Netgear RAX43 version 1.0.3.96 stores sensitive information in plaintext. All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admin password is stored in plaintext in the primary configuration file on the device. | |||||
| CVE-2021-20169 | 1 Netgear | 2 Rax43, Rax43 Firmware | 2022-01-11 | 7.2 HIGH | 6.8 MEDIUM |
| Netgear RAX43 version 1.0.3.96 does not utilize secure communications to the web interface. By default, all communication to/from the device is sent via HTTP, which causes potentially sensitive information (such as usernames and passwords) to be transmitted in cleartext. | |||||
| CVE-2021-25021 | 1 Ffw | 1 Optimize My Google Fonts | 2022-01-11 | 4.0 MEDIUM | 4.9 MEDIUM |
| The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin | |||||
| CVE-2021-25020 | 1 Ffw | 1 Complete Analytics Optimization Suite | 2022-01-11 | 4.0 MEDIUM | 4.9 MEDIUM |
| The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin | |||||
| CVE-2021-27393 | 1 Siemens | 5 Capital Vstar, Nucleus Net, Nucleus Readystart and 2 more | 2022-01-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2013.08), Nucleus Source Code (Versions including affected DNS modules). The DNS client does not properly randomize UDP port numbers of DNS requests. That could allow an attacker to poison the DNS cache or spoof DNS resolving. | |||||
| CVE-2022-0079 | 1 Showdoc | 1 Showdoc | 2022-01-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| showdoc is vulnerable to Generation of Error Message Containing Sensitive Information | |||||
| CVE-2022-22293 | 1 Dolibarr | 1 Dolibarr | 2022-01-10 | 3.5 LOW | 5.4 MEDIUM |
| admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter. | |||||
| CVE-2020-29292 | 1 Iball | 2 Wrd12en, Wrd12en Firmware | 2022-01-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses. | |||||
| CVE-2021-45257 | 1 Nasm | 1 Netwide Assembler | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| An infinite loop vulnerability exists in nasm 2.16rc0 via the gpaste_tokens function. | |||||
| CVE-2021-45256 | 1 Nasm | 1 Netwide Assembler | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Null Pointer Dereference vulnerability existfs in nasm 2.16rc0 via asm/preproc.c. | |||||
| CVE-2021-46071 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2022-01-10 | 3.5 LOW | 4.8 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Category List Section in login panel. | |||||
| CVE-2021-36724 | 1 Forescout | 1 Secureconnector | 2022-01-10 | 2.1 LOW | 5.5 MEDIUM |
| ForeScout - SecureConnector Local Service DoS - A low privilaged user which doesn't have permissions to shutdown the secure connector service writes a large amount of characters in the installationPath. This will cause the buffer to overflow and override the stack cookie causing the service to crash. | |||||
| CVE-2021-38876 | 1 Ibm | 1 I | 2022-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208404. | |||||
| CVE-2021-45815 | 1 Quectel | 2 Uc20, Uc20 Firmware | 2022-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-43815 | 1 Grafana | 1 Grafana | 2022-01-10 | 3.5 LOW | 4.3 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. | |||||
| CVE-2021-43813 | 1 Grafana | 1 Grafana | 2022-01-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text. | |||||
| CVE-2021-41192 | 1 Redash | 1 Redash | 2022-01-10 | 3.5 LOW | 6.5 MEDIUM |
| Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET or REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, should follow the steps to secure the instance, outlined in the GitHub Security Advisory. | |||||
| CVE-2021-3622 | 2 Fedoraproject, Redhat | 4 Fedora, Enterprise Linux, Enterprise Linux Workstation and 1 more | 2022-01-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-20876 | 1 Groupsession | 1 Groupsession | 2022-01-10 | 4.0 MEDIUM | 6.8 MEDIUM |
| Path traversal vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows an attacker with an administrative privilege to obtain sensitive information stored in the hierarchy above the directory on the published site's server via unspecified vectors. | |||||
| CVE-2021-20875 | 1 Groupsession | 1 Groupsession | 2022-01-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks by having a user to access a specially crafted URL. | |||||
| CVE-2021-45948 | 1 Assimp | 1 Assimp | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper). | |||||
| CVE-2021-45947 | 1 Wasm3 Project | 1 Wasm3 | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from EvaluateExpression and InitDataSegments). | |||||
| CVE-2021-45946 | 1 Wasm3 Project | 1 Wasm3 | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Compile_LoopOrBlock and CompileBlockStatements). | |||||
| CVE-2021-45929 | 1 Wasm3 Project | 1 Wasm3 | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from CompileElseBlock and Compile_If). | |||||
| CVE-2020-23986 | 1 Github Readme Stats Project | 1 Github Readme Stats | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Github Read Me Stats commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the function renderError. | |||||
| CVE-2021-46038 | 1 Gpac | 1 Gpac | 2022-01-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Pointer Dereference vulnerability exists in GPAC 1.0.1 in unlink_chunk.isra, which causes a Denial of Service (context-dependent). | |||||
| CVE-2021-45831 | 1 Gpac | 1 Gpac | 2022-01-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Box via __strlen_avx2, which causes a Denial of Service. | |||||
| CVE-2022-22109 | 1 Daybydaycrm | 1 Daybyday Crm | 2022-01-08 | 3.5 LOW | 5.4 MEDIUM |
| In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks. | |||||
| CVE-2022-22108 | 1 Daybydaycrm | 1 Daybyday Crm | 2022-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information. | |||||
| CVE-2022-22107 | 1 Daybydaycrm | 1 Daybyday Crm | 2022-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all. | |||||
| CVE-2022-21649 | 1 Convos | 1 Convos | 2022-01-08 | 3.5 LOW | 5.4 MEDIUM |
| Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create an <a> tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "<" or ">" but escaping for double quotes does not exist. Through this vulnerability, an attacker is capable to execute malicious scripts. Users are advised to update as soon as possible. | |||||
| CVE-2021-43677 | 1 Fluxbb | 1 Fluxbb | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-41236 | 1 Oroinc | 1 Oroplatform | 2022-01-08 | 3.5 LOW | 4.8 MEDIUM |
| OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload, execution the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as is possible. | |||||
| CVE-2021-43942 | 1 Atlassian | 1 Jira Server And Data Center | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | |||||
| CVE-2021-46109 | 1 Asus | 1 Rt-ac52u B1 Firmware | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack. | |||||
| CVE-2021-25040 | 1 Booking Calendar Project | 1 Booking Calendar | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25027 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-25022 | 1 Updraftplus | 1 Updraftplus | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-25016 | 1 Premio | 2 Chaty, Chaty Pro | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-25001 | 1 Booster | 1 Booster For Woocommerce | 2022-01-08 | 2.6 LOW | 6.1 MEDIUM |
| The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_create_products_xml_result parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-25000 | 1 Booster | 1 Booster For Woocommerce | 2022-01-08 | 2.6 LOW | 6.1 MEDIUM |
| The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24999 | 1 Booster | 1 Booster For Woocommerce | 2022-01-08 | 2.6 LOW | 6.1 MEDIUM |
| The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24991 | 1 Wpovernight | 1 Woocommerce Pdf Invoices\& Packing Slips | 2022-01-08 | 3.5 LOW | 4.8 MEDIUM |
| The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard | |||||