Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-45548 | 1 Netgear | 55 D7800, D7800 Firmware, Dm200 and 52 more | 2022-01-10 | 6.5 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.60, DM200 before 1.0.0.66, EX2700 before 1.0.1.56, EX6150v2 before 1.0.1.86, EX6200v2 before 1.0.1.86, EX6250 before 1.0.0.128, EX6400 before 1.0.2.144, EX6400v2 before 1.0.0.128, EX6410 before 1.0.0.128, EX6420 before 1.0.0.128, EX7300 before 1.0.2.144, EX7300v2 before 1.0.0.128, EX7320 before 1.0.0.128, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.5.26, R9000 before 1.0.5.2, RAX120 before 1.0.1.128, WN3000RPv2 before 1.0.0.78, WN3000RPv3 before 1.0.2.80, WNR2000v5 before 1.0.0.74, XR500 before 2.3.2.66, RBK20 before 2.7.3.22, RBR20 before 2.7.3.22, RBS20 before 2.7.3.22, RBK40 before 2.7.3.22, RBR40 before 2.7.3.22, and RBS40 before 2.7.3.22. | |||||
| CVE-2021-32467 | 1 Mediatek | 18 Mt7603e, Mt7603e Firmware, Mt7612 and 15 more | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol. (Affected Chipsets MT7603E, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915; Affected Software Versions 7.4.0.0; Out-of-bounds read). | |||||
| CVE-2021-45622 | 1 Netgear | 80 Cbr40, Cbr40 Firmware, Cbr750 and 77 more | 2022-01-10 | 10.0 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, EAX20 before 1.0.0.58, EAX80 before 1.0.1.68, EX7500 before 1.0.0.74, LAX20 before 1.1.6.28, MK62 before 1.0.6.116, MR60 before 1.0.6.116, MS60 before 1.0.6.116, R6400 before 1.0.1.70, R6400v2 before 1.0.4.118, R6700v3 before 1.0.4.118, R6900P before 1.3.3.140, R7000 before 1.0.11.116, R7000P before 1.3.3.140, R7850 before 1.0.5.68, R7900 before 1.0.4.38, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.68, R8000P before 1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RS400 before 1.5.1.80, XR1000 before 1.0.0.58, and XR300 before 1.0.3.68. | |||||
| CVE-2021-45621 | 1 Netgear | 96 Cbr40, Cbr40 Firmware, Cbr750 and 93 more | 2022-01-10 | 10.0 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.24, CBR750 before 3.2.18.2, EAX20 before 1.0.0.58, EAX80 before 1.0.1.68, EX3700 before 1.0.0.94, EX3800 before 1.0.0.94, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7000 before 1.0.1.104, EX7500 before 1.0.0.74, LAX20 before 1.1.6.28, MR60 before 1.0.6.116, MS60 before 1.0.6.116, R6300v2 before 1.0.4.52, R6400 before 1.0.1.70, R6400v2 before 1.0.4.106, R6700v3 before 1.0.4.106, R6900P before 1.3.3.140, R7000 before 1.0.11.126, R7000P before 1.3.3.140, R7100LG before 1.0.0.72, R7850 before 1.0.5.74, R7900 before 1.0.4.46, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, R8300 before 1.0.2.154, R8500 before 1.0.2.154, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RBS850 before 3.2.17.12, RS400 before 1.5.1.80, XR1000 before 1.0.0.58, and XR300 before 1.0.3.68. | |||||
| CVE-2021-44160 | 1 Cth | 1 Carinal Tien Hospital Health Report System | 2022-01-10 | 7.5 HIGH | 7.3 HIGH |
| Carinal Tien Hospital Health Report System’s login page has improper authentication, a remote attacker can acquire another general user’s privilege by modifying the cookie parameter without authentication. The attacker can then perform limited operations on the system or modify data, making the service partially unavailable to the user. | |||||
| CVE-2021-44161 | 1 Changingtec | 1 Motp | 2022-01-10 | 5.8 MEDIUM | 8.8 HIGH |
| Changing MOTP (Mobile One Time Password) system’s specific function parameter has insufficient validation for user input. A attacker in local area network can perform SQL injection attack to read, modify or delete backend database without authentication. | |||||
| CVE-2021-32993 | 1 Philips | 4 Intellibridge Ec40, Intellibridge Ec40 Firmware, Intellibridge Ec80 and 1 more | 2022-01-10 | 5.8 MEDIUM | 8.8 HIGH |
| IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) contains hard-coded credentials, such as a password or a cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | |||||
| CVE-2021-45647 | 1 Netgear | 68 Ac2100, Ac2100 Firmware, Ac2400 and 65 more | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| Certain NETGEAR devices are affected by disclosure of sensitive information. This affects EAX80 before 1.0.1.62, EX7000 before 1.0.1.104, R6120 before 1.0.0.76, R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 before 1.1.0.78, R6850 before 1.1.0.78, R6350 before 1.1.0.78, R6330 before 1.1.0.78, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6700v2 before 1.2.0.76, R7000 before 1.0.11.116, R6900P before 1.3.3.140, R7000P before 1.3.3.140, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.68, R7900P before 1.4.1.66, R8000P before 1.4.1.66, RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 1.0.3.106, RAX45 before 1.0.2.72, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, and RAX80 before 1.0.3.106. | |||||
| CVE-2021-33017 | 1 Philips | 4 Intellibridge Ec40, Intellibridge Ec40 Firmware, Intellibridge Ec80 and 1 more | 2022-01-10 | 5.8 MEDIUM | 8.8 HIGH |
| The standard access path of the IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) requires authentication, but the product has an alternate path or channel that does not require authentication. | |||||
| CVE-2020-25697 | 1 X.org | 1 X Server | 2022-01-10 | 4.4 MEDIUM | 7.0 HIGH |
| A privilege escalation flaw was found in the Xorg-x11-server due to a lack of authentication for X11 clients. This flaw allows an attacker to take control of an X application by impersonating the server it is expecting to connect to. | |||||
| CVE-2019-1010238 | 1 Gnome | 1 Pango | 2022-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. | |||||
| CVE-2021-45527 | 1 Netgear | 72 D6220, D6220 Firmware, D6400 and 69 more | 2022-01-10 | 6.5 MEDIUM | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by a buffer overflow by an authenticated user. This affects D6220 before 1.0.0.68, D6400 before 1.0.0.102, D7000v2 before 1.0.0.66, D8500 before 1.0.3.58, DC112A before 1.0.0.54, EX7000 before 1.0.1.94, EX7500 before 1.0.0.72, R6250 before 1.0.4.48, R6300v2 before 1.0.4.52, R6400 before 1.0.1.70, R6400v2 before 1.0.4.102, R6700v3 before 1.0.4.102, R7000 before 1.0.11.116, R7100LG before 1.0.0.64, R7850 before 1.0.5.68, R7900 before 1.0.4.30, R7960P before 1.4.1.68, R8000 before 1.0.4.52, RAX200 before 1.0.2.88, RBS40V before 2.6.2.4, RS400 before 1.5.1.80, XR300 before 1.0.3.56, R7000P before 1.3.2.124, R8000P before 1.4.1.68, R8500 before 1.0.2.144, RAX80 before 1.0.3.102, R6900P before 1.3.2.124, R7900P before 1.4.1.68, R8300 before 1.0.2.144, RAX75 before 1.0.3.102, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RBK752 before 3.2.17.12, and RBK852 before 3.2.17.12. | |||||
| CVE-2021-37567 | 1 Mediatek | 14 Mt7603e, Mt7603e Firmware, Mt7613 and 11 more | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. (Affected Chipsets MT7603E, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915; Affected Software Versions 2.0.2; Out-of-bounds read). | |||||
| CVE-2021-38876 | 1 Ibm | 1 I | 2022-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208404. | |||||
| CVE-2021-45815 | 1 Quectel | 2 Uc20, Uc20 Firmware | 2022-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-45459 | 1 Node-windows Project | 1 Node-windows | 2022-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter. | |||||
| CVE-2021-45100 | 2 Ksmbd Project, Linux | 2 Ksmbd, Linux Kernel | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption. | |||||
| CVE-2021-45078 | 4 Debian, Fedoraproject, Gnu and 1 more | 4 Debian Linux, Fedora, Binutils and 1 more | 2022-01-10 | 6.8 MEDIUM | 7.8 HIGH |
| stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699. | |||||
| CVE-2021-43815 | 1 Grafana | 1 Grafana | 2022-01-10 | 3.5 LOW | 4.3 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. | |||||
| CVE-2021-43813 | 1 Grafana | 1 Grafana | 2022-01-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text. | |||||
| CVE-2021-41192 | 1 Redash | 1 Redash | 2022-01-10 | 3.5 LOW | 6.5 MEDIUM |
| Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET or REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, should follow the steps to secure the instance, outlined in the GitHub Security Advisory. | |||||
| CVE-2018-17875 | 1 Poly | 2 Trio 8800, Trio 8800 Firmware | 2022-01-10 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution issue in the ping command on Poly Trio 8800 5.7.1.4145 devices allows remote authenticated users to execute commands via unspecified vectors. | |||||
| CVE-2021-3622 | 2 Fedoraproject, Redhat | 4 Fedora, Enterprise Linux, Enterprise Linux Workstation and 1 more | 2022-01-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2021-20874 | 1 Groupsession | 1 Groupsession | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect permission assignment for critical resource vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows a remote unauthenticated attacker to access arbitrary files on the server and obtain sensitive information via unspecified vectors. | |||||
| CVE-2021-20876 | 1 Groupsession | 1 Groupsession | 2022-01-10 | 4.0 MEDIUM | 6.8 MEDIUM |
| Path traversal vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows an attacker with an administrative privilege to obtain sensitive information stored in the hierarchy above the directory on the published site's server via unspecified vectors. | |||||
| CVE-2021-37566 | 1 Mediatek | 18 Mt7603e, Mt7603e Firmware, Mt7610 and 15 more | 2022-01-10 | 9.3 HIGH | 8.8 HIGH |
| MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. (Affected Chipsets MT7603E, MT7610, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915; Affected Software Versions 2.0.2; Out-of-bounds write). | |||||
| CVE-2021-20875 | 1 Groupsession | 1 Groupsession | 2022-01-10 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks by having a user to access a specially crafted URL. | |||||
| CVE-2021-45948 | 1 Assimp | 1 Assimp | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper). | |||||
| CVE-2021-45708 | 1 Abomonation Project | 1 Abomonation | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the abomonation crate through 2021-10-17 for Rust. Because transmute operations are insufficiently constrained, there can be an information leak or ASLR bypass. | |||||
| CVE-2021-45697 | 1 Nervos | 1 Molecule | 2022-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the molecule crate before 0.7.2 for Rust. A FixVec partial read has an incorrect result. | |||||
| CVE-2021-45947 | 1 Wasm3 Project | 1 Wasm3 | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from EvaluateExpression and InitDataSegments). | |||||
| CVE-2021-45946 | 1 Wasm3 Project | 1 Wasm3 | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Compile_LoopOrBlock and CompileBlockStatements). | |||||
| CVE-2021-45929 | 1 Wasm3 Project | 1 Wasm3 | 2022-01-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from CompileElseBlock and Compile_If). | |||||
| CVE-2021-45702 | 1 Linuxfoundation | 1 Tremor-script | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A merge operation may result in a use-after-free. | |||||
| CVE-2021-45701 | 1 Linuxfoundation | 1 Tremor-script | 2022-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the tremor-script crate before 0.11.6 for Rust. A patch operation may result in a use-after-free. | |||||
| CVE-2020-23986 | 1 Github Readme Stats Project | 1 Github Readme Stats | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Github Read Me Stats commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the function renderError. | |||||
| CVE-2021-46038 | 1 Gpac | 1 Gpac | 2022-01-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Pointer Dereference vulnerability exists in GPAC 1.0.1 in unlink_chunk.isra, which causes a Denial of Service (context-dependent). | |||||
| CVE-2021-45831 | 1 Gpac | 1 Gpac | 2022-01-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Box via __strlen_avx2, which causes a Denial of Service. | |||||
| CVE-2022-22111 | 1 Daybydaycrm | 1 Daybyday Crm | 2022-01-08 | 6.5 MEDIUM | 8.8 HIGH |
| In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user in the application who has update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application. | |||||
| CVE-2022-22109 | 1 Daybydaycrm | 1 Daybyday Crm | 2022-01-08 | 3.5 LOW | 5.4 MEDIUM |
| In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks. | |||||
| CVE-2022-22108 | 1 Daybydaycrm | 1 Daybyday Crm | 2022-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the absences of all users in the system including administrators. This type of user is not authorized to view this kind of information. | |||||
| CVE-2022-22107 | 1 Daybydaycrm | 1 Daybyday Crm | 2022-01-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all. | |||||
| CVE-2020-23026 | 1 Dhrystone Project | 1 Dhrystone | 2022-01-08 | 5.0 MEDIUM | 7.5 HIGH |
| A NULL pointer dereference in the main() function dhry_1.c of dhrystone 2.1 causes a denial of service (DoS). | |||||
| CVE-2022-21649 | 1 Convos | 1 Convos | 2022-01-08 | 3.5 LOW | 5.4 MEDIUM |
| Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create an <a> tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "<" or ">" but escaping for double quotes does not exist. Through this vulnerability, an attacker is capable to execute malicious scripts. Users are advised to update as soon as possible. | |||||
| CVE-2021-43677 | 1 Fluxbb | 1 Fluxbb | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-41236 | 1 Oroinc | 1 Oroplatform | 2022-01-08 | 3.5 LOW | 4.8 MEDIUM |
| OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload, execution the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as is possible. | |||||
| CVE-2022-0086 | 1 Transloadit | 1 Uppy | 2022-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| uppy is vulnerable to Server-Side Request Forgery (SSRF) | |||||
| CVE-2021-43942 | 1 Atlassian | 1 Jira Server And Data Center | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | |||||
| CVE-2021-46109 | 1 Asus | 1 Rt-ac52u B1 Firmware | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack. | |||||
| CVE-2021-25040 | 1 Booking Calendar Project | 1 Booking Calendar | 2022-01-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||