Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24589 | 1 Burden Project | 1 Burden | 2022-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the task parameter. | |||||
| CVE-2022-25210 | 1 Jenkins | 1 Convertigo Mobile Platform | 2022-02-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured. | |||||
| CVE-2022-25209 | 1 Jenkins | 1 Chef Sinatra | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
| CVE-2022-25208 | 1 Jenkins | 1 Chef Sinatra | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response. | |||||
| CVE-2022-25207 | 1 Jenkins | 1 Chef Sinatra | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response. | |||||
| CVE-2022-25191 | 1 Jenkins | 1 Agent Server Parameter | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-25206 | 1 Jenkins | 1 Dbcharts | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials. | |||||
| CVE-2022-25204 | 1 Jenkins | 1 Doktor | 2022-02-23 | 5.5 MEDIUM | 5.4 MEDIUM |
| Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists. | |||||
| CVE-2022-25203 | 1 Jenkins | 1 Team Views | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Read permission. | |||||
| CVE-2022-25202 | 1 Jenkins | 1 Promoted Builds \(simple\) | 2022-02-23 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name of custom promotion levels, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. | |||||
| CVE-2022-25199 | 1 Jenkins | 1 Scp Publisher | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials. | |||||
| CVE-2022-25198 | 1 Jenkins | 1 Scp Publisher | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. | |||||
| CVE-2022-25196 | 1 Jenkins | 1 Gitlab Authentication | 2022-02-23 | 4.9 MEDIUM | 5.4 MEDIUM |
| Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in. | |||||
| CVE-2022-25205 | 1 Jenkins | 1 Dbcharts | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins dbCharts Plugin 0.5.2 and earlier allows attackers to connect to an attacker-specified database via JDBC using attacker-specified credentials and to determine if a class is available in the Jenkins instance. | |||||
| CVE-2021-22796 | 1 Schneider-electric | 1 C-gate Server | 2022-02-23 | 6.8 MEDIUM | 7.8 HIGH |
| A CWE-287: Improper Authentication vulnerability exists that could allow remote code execution when a malicious file is uploaded. Affected Product: C-Bus Toolkit (V1.15.9 and prior), C-Gate Server (V2.11.7 and prior) | |||||
| CVE-2021-22788 | 1 Schneider-electric | 28 140cpu65150, 140cpu65150 Firmware, 140noc77101 and 25 more | 2022-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-787: Out-of-bounds Write vulnerability exists that could cause denial of service when an attacker sends a specially crafted HTTP request to the web server of the device. Affected Product: Modicon M340 CPUs: BMXP34 (Versions prior to V3.40), Modicon M340 X80 Ethernet Communication Modules: BMXNOE0100 (H), BMXNOE0110 (H), BMXNOC0401, BMXNOR0200H RTU (All Versions), Modicon Premium Processors with integrated Ethernet (Copro): TSXP574634, TSXP575634, TSXP576634 (All Versions), Modicon Quantum Processors with Integrated Ethernet (Copro): 140CPU65xxxxx (All Versions), Modicon Quantum Communication Modules: 140NOE771x1, 140NOC78x00, 140NOC77101 (All Versions), Modicon Premium Communication Modules: TSXETY4103, TSXETY5103 (All Versions) | |||||
| CVE-2022-25201 | 1 Jenkins | 1 Checkmarx | 2022-02-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-25200 | 1 Jenkins | 1 Checkmarx | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2022-23367 | 1 Fulusso Project | 1 Fulusso | 2022-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. This vulnerability allows attackers to inject malicious code into a victim user's device via open redirection. | |||||
| CVE-2022-25197 | 1 Jenkins | 1 Hashicorp Vault | 2022-02-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. | |||||
| CVE-2022-25195 | 1 Jenkins | 1 Autonomiq | 2022-02-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2022-25194 | 1 Jenkins | 1 Autonomiq | 2022-02-23 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL server using attacker-specified credentials. | |||||
| CVE-2021-46558 | 1 Issabel | 1 Pbx | 2022-02-23 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the Add User module of Issabel PBX 20200102 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the username and password fields. | |||||
| CVE-2020-13668 | 1 Drupal | 1 Drupal | 2022-02-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | |||||
| CVE-2022-0512 | 1 Url-parse Project | 1 Url-parse | 2022-02-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6. | |||||
| CVE-2022-21818 | 1 Nvidia | 1 License System | 2022-02-23 | 5.5 MEDIUM | 5.4 MEDIUM |
| NVIDIA License System contains a vulnerability in the installation scripts for the DLS virtual appliance, where a user on a network after signing in to the portal can access other users’ credentials, allowing them to gain escalated privileges, resulting in limited impact to both confidentiality and integrity. | |||||
| CVE-2020-13670 | 1 Drupal | 1 Drupal | 2022-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. | |||||
| CVE-2021-45402 | 1 Linux | 1 Linux Kernel | 2022-02-23 | 2.1 LOW | 5.5 MEDIUM |
| The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak." | |||||
| CVE-2021-44892 | 1 Thinkphp | 1 Thinkphp | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via value[_filename] in index.php, which could let a malicious user obtain server control privileges. | |||||
| CVE-2021-38679 | 1 Qnap | 1 Kazoo Server | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| An improper authentication vulnerability has been reported to affect QNAP NAS running Kazoo Server. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Kazoo Server: Kazoo Server 4.11.22 and later | |||||
| CVE-2022-24111 | 1 Mahara | 1 Mahara | 2022-02-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known. | |||||
| CVE-2021-3398 | 1 Stormshield | 1 Stormshield Network Security | 2022-02-23 | 5.0 MEDIUM | 5.8 MEDIUM |
| Stormshield Network Security (SNS) 3.x has an Integer Overflow in the high-availability component. | |||||
| CVE-2021-22787 | 1 Schneider-electric | 28 140cpu65150, 140cpu65150 Firmware, 140noc77101 and 25 more | 2022-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-20: Improper Input Validation vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request to the web server of the device. Affected Product: Modicon M340 CPUs: BMXP34 (Versions prior to V3.40), Modicon M340 X80 Ethernet Communication Modules: BMXNOE0100 (H), BMXNOE0110 (H), BMXNOC0401, BMXNOR0200H RTU (All Versions), Modicon Premium Processors with integrated Ethernet (Copro): TSXP574634, TSXP575634, TSXP576634 (All Versions), Modicon Quantum Processors with Integrated Ethernet (Copro): 140CPU65xxxxx (All Versions), Modicon Quantum Communication Modules: 140NOE771x1, 140NOC78x00, 140NOC77101 (All Versions), Modicon Premium Communication Modules: TSXETY4103, TSXETY5103 (All Versions) | |||||
| CVE-2021-4201 | 1 Forgerock | 1 Access Management | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. | |||||
| CVE-2021-46262 | 1 Tenda | 2 Ac11, Ac11 Firmware | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the PPPoE module. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data. | |||||
| CVE-2022-23390 | 1 Diyhi | 1 Bbs Forum | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary files. | |||||
| CVE-2021-22785 | 1 Schneider-electric | 28 140cpu65150, 140cpu65150 Firmware, 140noc77101 and 25 more | 2022-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-200: Information Exposure vulnerability exists that could cause sensitive information of files located in the web root directory to leak when an attacker sends a HTTP request to the web server of the device. Affected Product: Modicon M340 CPUs: BMXP34 (Versions prior to V3.40), Modicon M340 X80 Ethernet Communication Modules: BMXNOE0100 (H), BMXNOE0110 (H), BMXNOC0401, BMXNOR0200H RTU (All Versions), Modicon Premium Processors with integrated Ethernet (Copro): TSXP574634, TSXP575634, TSXP576634 (All Versions), Modicon Quantum Processors with Integrated Ethernet (Copro): 140CPU65xxxxx (All Versions), Modicon Quantum Communication Modules: 140NOE771x1, 140NOC78x00, 140NOC77101 (All Versions), Modicon Premium Communication Modules: TSXETY4103, TSXETY5103 (All Versions) | |||||
| CVE-2021-46263 | 1 Tenda | 2 Ac11, Ac11 Firmware | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the wifiTime module. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data. | |||||
| CVE-2021-46264 | 1 Tenda | 2 Ac11, Ac11 Firmware | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the onlineList module. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data. | |||||
| CVE-2021-46265 | 1 Tenda | 2 Ac11, Ac11 Firmware | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the wanBasicCfg module. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data. | |||||
| CVE-2021-46321 | 1 Tenda | 2 Ac11, Ac11 Firmware | 2022-02-23 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain a stack buffer overflow in the wifiBasicCfg module. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data. | |||||
| CVE-2021-43734 | 1 Keking | 1 Kkfileview | 2022-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file leak on related host. | |||||
| CVE-2021-42712 | 1 Splashtop | 1 Streamer | 2022-02-23 | 7.2 HIGH | 7.8 HIGH |
| Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Directory with Insecure Permissions. | |||||
| CVE-2021-41552 | 1 Commscope | 10 Arris Surfboard Sbg10, Arris Surfboard Sbg10 Firmware, Arris Surfboard Sbg6950ac2 and 7 more | 2022-02-23 | 5.8 MEDIUM | 8.8 HIGH |
| CommScope SURFboard SBG6950AC2 9.1.103AA23 devices allow Command Injection. | |||||
| CVE-2019-25057 | 1 R3 | 1 Corda | 2022-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| In Corda before 4.1, the meaning of serialized data can be modified via an attacker-controlled CustomSerializer. | |||||
| CVE-2021-45348 | 1 Attendance Management System Project | 1 Attendance Management System | 2022-02-23 | 5.0 MEDIUM | 7.5 HIGH |
| An Arbitrary File Deletion vulnerability exists in SourceCodester Attendance Management System v1.0 via the csv parameter in admin/pageUploadCSV.php, which can cause a Denial of Service (crash). | |||||
| CVE-2019-16864 | 2 Enterprisedt, Microsoft | 2 Completeftp Server, Windows | 2022-02-23 | 8.5 HIGH | 8.8 HIGH |
| CompleteFTPService.exe in the server in EnterpriseDT CompleteFTP before 12.1.4 allows Remote Code Execution by leveraging a Windows user account that has SSH access. The exec command is always run as SYSTEM. | |||||
| CVE-2022-0597 | 1 Microweber | 1 Microweber | 2022-02-23 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open Redirect in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-22748 | 1 Schneider-electric | 1 C-bus Toolkit | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow a remote code execution when a file is saved. Affected Product: C-Bus Toolkit (V1.15.9 and prior), C-Gate Server (V2.11.7 and prior) | |||||
| CVE-2022-0596 | 1 Microweber | 1 Microweber | 2022-02-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| Business Logic Errors in Packagist microweber/microweber prior to 1.2.11. | |||||