Filtered by vendor Microsoft
Subscribe
Search
Total
16927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21912 | 2 Advantech, Microsoft | 2 R-seenet, Windows | 2022-04-28 | 7.2 HIGH | 7.8 HIGH |
| A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2022-22516 | 2 Codesys, Microsoft | 5 Control Rte Sl, Control Rte Sl \(for Beckhoff Cx\), Control Win Sl and 2 more | 2022-04-28 | 7.2 HIGH | 7.8 HIGH |
| The SysDrv3S driver in the CODESYS Control runtime system on Microsoft Windows allows any system user to read and write within restricted memory space. | |||||
| CVE-2020-26870 | 4 Cure53, Debian, Microsoft and 1 more | 5 Dompurify, Debian Linux, Visual Studio 2017 and 2 more | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. | |||||
| CVE-2021-26625 | 2 Microsoft, Tobesoft | 2 Windows, Nexacro | 2022-04-27 | 6.8 MEDIUM | 8.8 HIGH |
| Insufficient Verification of input Data leading to arbitrary file download and execute was discovered in Nexacro platform. This vulnerability is caused by an automatic update function that does not verify input data except version information. Remote attackers can use this incomplete validation logic to download and execute arbitrary malicious file. | |||||
| CVE-2021-26626 | 2 Microsoft, Tobesoft | 2 Windows, Xplatform | 2022-04-27 | 5.1 MEDIUM | 8.8 HIGH |
| Improper input validation vulnerability in XPLATFORM's execBrowser method can cause execute arbitrary commands. IF the second parameter value of the execBrowser function is ‘default’, the first parameter value could be passed to the ShellExecuteW API. The passed parameter is an arbitrary code to be executed. Remote attackers can use this vulnerability to execute arbitrary remote code. | |||||
| CVE-2022-25372 | 2 Microsoft, Pritunl | 2 Windows, Pritunl-client-electron | 2022-04-27 | 7.2 HIGH | 7.8 HIGH |
| Pritunl Client through 1.2.3019.52 on Windows allows local privilege escalation, related to an ACL entry for CREATOR OWNER in platform_windows.go. | |||||
| CVE-2020-1400 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2022-04-27 | 9.3 HIGH | 7.8 HIGH |
| A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1401, CVE-2020-1407. | |||||
| CVE-2019-5676 | 2 Microsoft, Nvidia | 3 Windows, Geforce Experience, Gpu Display Driver | 2022-04-27 | 7.2 HIGH | 6.7 MEDIUM |
| NVIDIA Windows GPU Display driver software for Windows (all versions) contains a vulnerability in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), leading to escalation of privileges through code execution. | |||||
| CVE-2021-39033 | 3 Ibm, Linux, Microsoft | 4 Aix, Sterling B2b Integrator, Linux Kernel and 1 more | 2022-04-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 213963. | |||||
| CVE-2020-0642 | 1 Microsoft | 8 Windows 10, Windows 7, Windows 8.1 and 5 more | 2022-04-26 | 7.2 HIGH | 7.8 HIGH |
| An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0624. | |||||
| CVE-2020-1021 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2022-04-26 | 4.6 MEDIUM | 7.8 HIGH |
| An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1082, CVE-2020-1088. | |||||
| CVE-2021-21552 | 2 Dell, Microsoft | 4 Wyse 5070 Thin Client, Wyse 5470 All-in-one Thin Client, Wyse 5470 Thin Client and 1 more | 2022-04-26 | 7.2 HIGH | 8.8 HIGH |
| Dell Wyse Windows Embedded System versions WIE10 LTSC 2019 and earlier contain an improper authorization vulnerability. A local authenticated malicious user with low privileges may potentially exploit this vulnerability to bypass the restricted environment and perform unauthorized actions on the affected system. | |||||
| CVE-2022-26911 | 1 Microsoft | 2 Lync Server, Skype For Business Server | 2022-04-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Skype for Business Information Disclosure Vulnerability. | |||||
| CVE-2022-26910 | 1 Microsoft | 1 Skype For Business Server | 2022-04-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Skype for Business and Lync Spoofing Vulnerability. | |||||
| CVE-2022-26907 | 1 Microsoft | 1 Azure Sdk For .net | 2022-04-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Azure SDK for .NET Information Disclosure Vulnerability. | |||||
| CVE-2022-26904 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-26 | 4.4 MEDIUM | 7.0 HIGH |
| Windows User Profile Service Elevation of Privilege Vulnerability. | |||||
| CVE-2022-26903 | 1 Microsoft | 16 Excel, Excel Mobile, Powerpoint and 13 more | 2022-04-26 | 9.3 HIGH | 7.8 HIGH |
| Windows Graphics Component Remote Code Execution Vulnerability. | |||||
| CVE-2022-26901 | 1 Microsoft | 6 365 Apps, Excel, Excel Rt and 3 more | 2022-04-26 | 6.8 MEDIUM | 7.8 HIGH |
| Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-24473. | |||||
| CVE-2022-26898 | 1 Microsoft | 1 Azure Site Recovery | 2022-04-26 | 6.5 MEDIUM | 7.2 HIGH |
| Azure Site Recovery Remote Code Execution Vulnerability. | |||||
| CVE-2022-26897 | 1 Microsoft | 1 Azure Site Recovery | 2022-04-26 | 4.0 MEDIUM | 4.9 MEDIUM |
| Azure Site Recovery Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26896. | |||||
| CVE-2022-26896 | 1 Microsoft | 1 Azure Site Recovery | 2022-04-26 | 4.0 MEDIUM | 4.9 MEDIUM |
| Azure Site Recovery Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-26897. | |||||
| CVE-2022-26831 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-26 | 5.0 MEDIUM | 7.5 HIGH |
| Windows LDAP Denial of Service Vulnerability. | |||||
| CVE-2021-27271 | 2 Foxitsoftware, Microsoft | 3 Foxit Reader, Phantompdf, Windows | 2022-04-25 | 6.8 MEDIUM | 7.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.0.37527. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D objects embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12438. | |||||
| CVE-2022-26830 | 1 Microsoft | 2 Windows 11, Windows Server 2022 | 2022-04-25 | 5.1 MEDIUM | 7.5 HIGH |
| DiskUsage.exe Remote Code Execution Vulnerability. | |||||
| CVE-2022-26828 | 1 Microsoft | 4 Windows 10, Windows Server 2016, Windows Server 2019 and 1 more | 2022-04-25 | 4.4 MEDIUM | 7.0 HIGH |
| Windows Bluetooth Driver Elevation of Privilege Vulnerability. | |||||
| CVE-2022-26827 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 6.9 MEDIUM | 7.0 HIGH |
| Windows File Server Resource Management Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26810. | |||||
| CVE-2022-29072 | 2 7-zip, Microsoft | 2 7-zip, Windows | 2022-04-25 | 7.2 HIGH | 7.8 HIGH |
| ** DISPUTED ** 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur. | |||||
| CVE-2021-37712 | 5 Debian, Microsoft, Npmjs and 2 more | 5 Debian Linux, Windows, Tar and 2 more | 2022-04-25 | 4.4 MEDIUM | 8.6 HIGH |
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. | |||||
| CVE-2021-37713 | 4 Microsoft, Npmjs, Oracle and 1 more | 4 Windows, Tar, Graalvm and 1 more | 2022-04-25 | 4.4 MEDIUM | 8.6 HIGH |
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves. | |||||
| CVE-2022-26810 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8.1 and 6 more | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| Windows File Server Resource Management Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26827. | |||||
| CVE-2022-26924 | 1 Microsoft | 1 Yet Another Reverse Proxy | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| YARP Denial of Service Vulnerability. | |||||
| CVE-2022-26921 | 1 Microsoft | 1 Visual Studio Code | 2022-04-25 | 4.6 MEDIUM | 7.8 HIGH |
| Visual Studio Code Elevation of Privilege Vulnerability. | |||||
| CVE-2022-26920 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2022-04-25 | 4.9 MEDIUM | 5.5 MEDIUM |
| Windows Graphics Component Information Disclosure Vulnerability. | |||||
| CVE-2022-26919 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 9.3 HIGH | 8.1 HIGH |
| Windows LDAP Remote Code Execution Vulnerability. | |||||
| CVE-2022-26918 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 5.1 MEDIUM | 7.8 HIGH |
| Windows Fax Compose Form Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-26916, CVE-2022-26917. | |||||
| CVE-2022-26917 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 5.1 MEDIUM | 7.8 HIGH |
| Windows Fax Compose Form Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-26916, CVE-2022-26918. | |||||
| CVE-2022-26916 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 5.1 MEDIUM | 7.8 HIGH |
| Windows Fax Compose Form Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-26917, CVE-2022-26918. | |||||
| CVE-2022-26808 | 1 Microsoft | 8 Windows 10, Windows 11, Windows 8.1 and 5 more | 2022-04-25 | 4.4 MEDIUM | 7.0 HIGH |
| Windows File Explorer Elevation of Privilege Vulnerability. | |||||
| CVE-2021-40702 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-04-25 | 9.3 HIGH | 7.8 HIGH |
| Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious psd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
| CVE-2021-39824 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-04-25 | 9.3 HIGH | 7.8 HIGH |
| Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious png file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
| CVE-2021-40701 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-04-25 | 9.3 HIGH | 7.8 HIGH |
| Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious m4a file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
| CVE-2021-40700 | 3 Adobe, Apple, Microsoft | 3 Premiere Elements, Macos, Windows | 2022-04-25 | 9.3 HIGH | 7.8 HIGH |
| Adobe Premiere Elements version 2021.2235820 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious TIFF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
| CVE-2022-26915 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| Windows Secure Channel Denial of Service Vulnerability. | |||||
| CVE-2022-26807 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2022-04-25 | 4.4 MEDIUM | 7.0 HIGH |
| Windows Work Folder Service Elevation of Privilege Vulnerability. | |||||
| CVE-2021-36065 | 3 Adobe, Apple, Microsoft | 3 Photoshop, Macos, Windows | 2022-04-25 | 9.3 HIGH | 7.8 HIGH |
| Adobe Photoshop versions 21.2.10 (and earlier) and 22.4.3 (and earlier) are affected by a heap-based buffer overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28568 | 3 Adobe, Apple, Microsoft | 3 Genuine Service, Macos, Windows | 2022-04-25 | 6.9 MEDIUM | 6.5 MEDIUM |
| Adobe Genuine Services version 7.1 (and earlier) is affected by an Insecure file permission vulnerability during installation process. A local authenticated attacker could leverage this vulnerability to achieve privilege escalation in the context of the current user. | |||||
| CVE-2021-36059 | 2 Adobe, Microsoft | 2 Bridge, Windows | 2022-04-25 | 9.3 HIGH | 7.8 HIGH |
| Adobe Bridge version 11.1 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious Bridge file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
| CVE-2021-40710 | 2 Adobe, Microsoft | 2 Premiere Pro, Windows | 2022-04-25 | 9.3 HIGH | 7.8 HIGH |
| Adobe Premiere Pro version 15.4 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .svg file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required in that the victim must open a specially crafted file to exploit this vulnerability. | |||||
| CVE-2021-39830 | 2 Adobe, Microsoft | 2 Framemaker, Windows | 2022-04-25 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by a memory corruption vulnerability due to insecure handling of a malicious PDF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||
| CVE-2021-39832 | 2 Adobe, Microsoft | 2 Framemaker, Windows | 2022-04-25 | 6.8 MEDIUM | 7.8 HIGH |
| Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release Update 2 (and earlier) are affected by a memory corruption vulnerability due to insecure handling of a malicious PDF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability. | |||||