Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-20
Total 8593 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-0124 1 Gitlab 1 Gitlab 2022-01-25 4.0 MEDIUM 4.3 MEDIUM
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows to craft malicious URLs that are sent to slack.
CVE-2022-21696 1 Onionshare 1 Onionshare 2022-01-24 4.0 MEDIUM 4.3 MEDIUM
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions it is possible to change the username to that of another chat participant with an additional space character at the end of the name string. An adversary with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username.
CVE-2021-33498 1 Pexip 1 Infinity 2022-01-24 5.0 MEDIUM 7.5 HIGH
Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 1 of 2).
CVE-2021-33499 1 Pexip 1 Infinity 2022-01-24 5.0 MEDIUM 7.5 HIGH
Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 2 of 2).
CVE-2021-35969 1 Pexip 1 Infinity 2022-01-24 5.0 MEDIUM 7.5 HIGH
Pexip Infinity before 26 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.
CVE-2021-42555 1 Pexip 1 Infinity 2022-01-24 5.0 MEDIUM 7.5 HIGH
Pexip Infinity before 26.2 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.
CVE-2016-2786 1 Puppet 2 Puppet Agent, Puppet Enterprise 2022-01-24 7.5 HIGH 9.8 CRITICAL
The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.
CVE-2017-2296 1 Puppet 1 Puppet Enterprise 2022-01-24 4.0 MEDIUM 6.5 MEDIUM
In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted strings with certain formatting characters as Classifier node group names or RBAC role display names causes errors, effectively causing a DOS to the service. This was resolved in Puppet Enterprise 2017.2.2.
CVE-2021-34994 1 Commvault 1 Commcell 2022-01-21 6.5 MEDIUM 8.8 HIGH
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DataProvider class. The issue results from the lack of proper validation of a user-supplied string before executing it as JavaScript code. An attacker can leverage this vulnerability to escape the JavaScript sandbox and execute Java code in the context of NETWORK SERVICE. Was ZDI-CAN-13755.
CVE-2021-32545 1 Pexip 1 Infinity 2022-01-21 5.0 MEDIUM 7.5 HIGH
Pexip Infinity before 26 allows remote denial of service because of missing RTMP input validation.
CVE-2022-21646 1 Authzed 1 Spicedb 2022-01-21 5.5 MEDIUM 8.1 HIGH
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "accessible" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In `v1.3.0`, the wildcard is ignored entirely in lookup's dispatch, resulting in the `banned` wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don't make use of wildcards on the right side of intersections or within exclusions.
CVE-2021-44548 2 Apache, Microsoft 2 Solr, Windows 2022-01-21 6.8 MEDIUM 9.8 CRITICAL
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
CVE-2022-20698 3 Canonical, Clamav, Debian 3 Ubuntu Linux, Clamav, Debian Linux 2022-01-21 5.0 MEDIUM 7.5 HIGH
A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) Software version 0.104.1 and LTS version 0.103.4 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper checks that may result in an invalid pointer read. An attacker could exploit this vulnerability by sending a crafted OOXML file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.
CVE-2021-45763 1 Gpac 1 Gpac 2022-01-20 4.3 MEDIUM 5.5 MEDIUM
GPAC v1.1.0 was discovered to contain an invalid call in the function gf_node_changed(). This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-21408 1 Smarty 1 Smarty 2022-01-19 6.5 MEDIUM 8.8 HIGH
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.
CVE-2022-0174 1 Dolibarr 1 Dolibarr 2022-01-19 4.0 MEDIUM 4.3 MEDIUM
dolibarr is vulnerable to Business Logic Errors
CVE-2021-1108 1 Nvidia 8 Jetson Agx Xavier, Jetson Linux, Jetson Nano and 5 more 2022-01-19 4.6 MEDIUM 7.3 HIGH
NVIDIA Linux kernel distributions contain a vulnerability in FuSa Capture (VI/ISP), where integer underflow due to lack of input validation may lead to complete denial of service, partial integrity, and serious confidentiality loss for all processes in the system.
CVE-2021-35247 1 Solarwinds 1 Serv-u 2022-01-19 5.0 MEDIUM 5.3 MEDIUM
Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters
CVE-2021-41769 1 Siemens 62 6md85, 6md85 Firmware, 6md86 and 59 more 2022-01-19 5.0 MEDIUM 7.5 HIGH
A vulnerability has been identified in SIPROTEC 5 6MD85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD89 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MU85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7KE85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SA82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SA86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SA87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SD82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SD86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SD87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SJ81 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SJ82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SJ85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SJ86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SK82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SK85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SL82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7SL86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SL87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SS85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7ST85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7SX85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UM85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UT82 devices (CPU variant CP100) (All versions < V8.83), SIPROTEC 5 7UT85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UT86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7UT87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7VE85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 7VK87 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 Compact 7SX800 devices (CPU variant CP050) (All versions < V8.83). An improper input validation vulnerability in the web server could allow an unauthenticated user to access device information.
CVE-2021-43762 1 Adobe 2 Experience Manager, Experience Manager Cloud Service 2022-01-19 6.4 MEDIUM 6.5 MEDIUM
AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by a dispatcher bypass vulnerability that could be abused to evade security controls. Sensitive areas of the web application may be exposed through exploitation of the vulnerability.