Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-46037 | 1 Mingsoft | 1 Mcms | 2022-02-25 | 5.5 MEDIUM | 8.1 HIGH |
| MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do. | |||||
| CVE-2022-25317 | 1 Cerebrate-project | 1 Cerebrate | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description. | |||||
| CVE-2021-46364 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-02-25 | 6.8 MEDIUM | 7.8 HIGH |
| A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file. | |||||
| CVE-2021-0107 | 2 Intel, Netapp | 681 Atom C3308, Atom C3336, Atom C3338 and 678 more | 2022-02-25 | 4.6 MEDIUM | 6.7 MEDIUM |
| Unchecked return value in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-0115 | 2 Intel, Netapp | 681 Atom C3308, Atom C3336, Atom C3338 and 678 more | 2022-02-25 | 4.6 MEDIUM | 6.7 MEDIUM |
| Buffer overflow in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-0111 | 2 Intel, Netapp | 681 Atom C3308, Atom C3336, Atom C3338 and 678 more | 2022-02-25 | 4.6 MEDIUM | 6.7 MEDIUM |
| NULL pointer dereference in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | |||||
| CVE-2022-25271 | 1 Drupal | 1 Drupal | 2022-02-25 | 4.3 MEDIUM | 7.5 HIGH |
| Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. | |||||
| CVE-2021-0118 | 2 Intel, Netapp | 1360 Atom C3308, Atom C3308 Firmware, Atom C3336 and 1357 more | 2022-02-25 | 4.6 MEDIUM | 6.7 MEDIUM |
| Out-of-bounds read in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. | |||||
| CVE-2021-0093 | 2 Intel, Netapp | 681 Atom C3308, Atom C3336, Atom C3338 and 678 more | 2022-02-25 | 2.1 LOW | 4.4 MEDIUM |
| Incorrect default permissions in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access. | |||||
| CVE-2022-25270 | 1 Drupal | 1 Drupal | 2022-02-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. | |||||
| CVE-2022-22885 | 1 Hutool | 1 Hutool | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation. | |||||
| CVE-2022-24984 | 1 Jqueryform | 1 Jqueryform | 2022-02-25 | 6.8 MEDIUM | 9.8 CRITICAL |
| Forms generated by JQueryForm.com before 2022-02-05 (if file-upload capability is enabled) allow remote unauthenticated attackers to upload executable files and achieve remote code execution. This occurs because file-extension checks occur on the client side, and because not all executable content (e.g., .phtml or .php.bak) is blocked. | |||||
| CVE-2021-0092 | 2 Intel, Netapp | 681 Atom C3308, Atom C3336, Atom C3338 and 678 more | 2022-02-25 | 2.1 LOW | 4.4 MEDIUM |
| Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access. | |||||
| CVE-2022-24983 | 1 Jqueryform | 1 Jqueryform | 2022-02-25 | 5.0 MEDIUM | 7.5 HIGH |
| Forms generated by JQueryForm.com before 2022-02-05 allow remote attackers to obtain the URI to any uploaded file by capturing the POST response. When chained with CVE-2022-24984, this could lead to unauthenticated remote code execution on the underlying web server. This occurs because the Unique ID field is contained in the POST response upon submitting a form. | |||||
| CVE-2022-24982 | 1 Jqueryform | 1 Jqueryform | 2022-02-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Forms generated by JQueryForm.com before 2022-02-05 allows a remote authenticated attacker to access the cleartext credentials of all other form users. admin.php contains a hidden base64-encoded string with these credentials. | |||||
| CVE-2022-24981 | 1 Jqueryform | 1 Jqueryform | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in forms generated by JQueryForm.com before 2022-02-05 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to admin.php. | |||||
| CVE-2018-18623 | 1 Grafana | 1 Grafana | 2022-02-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. | |||||
| CVE-2019-10627 | 1 Qualcomm | 1 Ips | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters due to incorrect buffer size calculation. in PostScript and PDF printers that use IPS versions prior to 2019.2 in PostScript and PDF printers that use IPS versions prior to 2019.2 | |||||
| CVE-2022-24612 | 2022-02-25 | N/A | N/A | ||
| An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS. | |||||
| CVE-2022-24594 | 2022-02-25 | N/A | N/A | ||
| In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. | |||||
| CVE-2022-25328 | 2022-02-25 | N/A | N/A | ||
| The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above | |||||
| CVE-2022-25327 | 2022-02-25 | N/A | N/A | ||
| The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above | |||||
| CVE-2022-25326 | 2022-02-25 | N/A | N/A | ||
| fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable. | |||||
| CVE-2022-0247 | 2022-02-25 | N/A | N/A | ||
| An issue exists in Fuchsia where VMO data can be modified through access to copy-on-write snapshots. A local attacker could modify objects in the VMO that they do not have permission to. We recommend upgrading past commit d97c05d2301799ed585620a9c5c739d36e7b5d3d or any of the listed versions. | |||||
| CVE-2022-24288 | 2022-02-25 | N/A | N/A | ||
| In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | |||||
| CVE-2022-0746 | 2022-02-25 | N/A | N/A | ||
| Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0. | |||||
| CVE-2021-45229 | 2022-02-25 | N/A | N/A | ||
| It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. | |||||
| CVE-2021-34361 | 2022-02-25 | N/A | N/A | ||
| A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later | |||||
| CVE-2021-34359 | 2022-02-25 | N/A | N/A | ||
| A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later | |||||
| CVE-2022-23835 | 2022-02-25 | N/A | N/A | ||
| ** DISPUTED ** The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk." | |||||
| CVE-2022-23701 | 2022-02-25 | N/A | N/A | ||
| A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4). | |||||
| CVE-2021-43745 | 2022-02-25 | N/A | N/A | ||
| A Denial of Service vulnerabilty exists in Trilium Notes 0.48.6 in the setupPage function | |||||
| CVE-2021-39364 | 2022-02-25 | N/A | N/A | ||
| Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allow command spoofing (for camera control) after ARP cache poisoning has been achieved. | |||||
| CVE-2021-39363 | 2022-02-25 | N/A | N/A | ||
| Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allow a video replay attack after ARP cache poisoning has been achieved. | |||||
| CVE-2021-29220 | 2022-02-25 | N/A | N/A | ||
| Multiple buffer overflow security vulnerabilities have been identified in HPE iLO Amplifier Pack version(s): Prior to 2.12. These vulnerabilities could be exploited by a highly privileged user to remotely execute code that could lead to a loss of confidentiality, integrity, and availability. HPE has provided a software update to resolve this vulnerability in HPE iLO Amplifier Pack. | |||||
| CVE-2021-29217 | 2022-02-25 | N/A | N/A | ||
| A remote URL redirection vulnerability was discovered in HPE OneView Global Dashboard version(s): Prior to 2.5. HPE has provided a software update to resolve this vulnerability in HPE OneView Global Dashboard. | |||||
| CVE-2021-29216 | 2022-02-25 | N/A | N/A | ||
| A remote cross-site scripting vulnerability was discovered in HPE OneView Global Dashboard version(s): Prior to 2.5. HPE has provided a software update to resolve this vulnerability in HPE OneView Global Dashboard. | |||||
| CVE-2021-44665 | 2022-02-25 | N/A | N/A | ||
| A Directory Traversal vulnerability exists in the Xerte Project Xerte through 3.10.3 when downloading a project file via download.php. | |||||
| CVE-2022-24709 | 2022-02-25 | N/A | N/A | ||
| @awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. Multiple components in versions before 3.0.367 have been found to not properly neutralize user input and may allow for javascript injection. Users are advised to upgrade to version 3.0.367 or later. There are no known workarounds for this issue. | |||||
| CVE-2022-25307 | 2022-02-25 | N/A | N/A | ||
| The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. | |||||
| CVE-2022-25306 | 2022-02-25 | N/A | N/A | ||
| The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. | |||||
| CVE-2022-25305 | 2022-02-25 | N/A | N/A | ||
| The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. | |||||
| CVE-2022-25149 | 2022-02-25 | N/A | N/A | ||
| The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. | |||||
| CVE-2022-25148 | 2022-02-25 | N/A | N/A | ||
| The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. | |||||
| CVE-2022-25003 | 2022-02-25 | N/A | N/A | ||
| Hospital Patient Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/doctors/view_doctor.php. | |||||
| CVE-2022-24232 | 2022-02-25 | N/A | N/A | ||
| A local file inclusion in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-23922 | 2022-02-25 | N/A | N/A | ||
| WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the Program Announcer directory and elevate permissions whenever the program is executed. | |||||
| CVE-2022-23135 | 2022-02-25 | N/A | N/A | ||
| There is a directory traversal vulnerability in some home gateway products of ZTE. Due to the lack of verification of user modified destination path, an attacker with specific permissions could modify the FTP access path to access and modify the system path contents without authorization, which will cause information leak and affect device operation. | |||||
| CVE-2022-23104 | 2022-02-25 | N/A | N/A | ||
| WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the program Operator Workspace directory, which holds DLL files and executables. A low-privilege attacker could write a malicious DLL file to the Operator Workspace directory to achieve privilege escalation and the permissions of the user running the program. | |||||
| CVE-2022-0710 | 2022-02-25 | N/A | N/A | ||
| The Header Footer Code Manager plugin <= 1.1.16 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter. | |||||