Total
803 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14193 | 1 Atlassian | 1 Automation For Jira | 2022-02-01 | 5.5 MEDIUM | 5.4 MEDIUM |
| Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The affected versions are those before version 7.1.15. | |||||
| CVE-2021-36348 | 1 Dell | 2 Integrated Dell Remote Access Controller 9, Integrated Dell Remote Access Controller 9 Firmware | 2022-01-31 | 5.5 MEDIUM | 8.1 HIGH |
| iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC. | |||||
| CVE-2020-7489 | 1 Schneider-electric | 8 Ecostruxure Machine Expert, Modicon M100, Modicon M100 Firmware and 5 more | 2022-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller. | |||||
| CVE-2021-39031 | 1 Ibm | 1 Websphere Application Server | 2022-01-28 | 6.5 MEDIUM | 8.8 HIGH |
| IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 213875. | |||||
| CVE-2021-25994 | 1 Userfrosting | 1 Userfrosting | 2022-01-13 | 6.8 MEDIUM | 8.8 HIGH |
| In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account. | |||||
| CVE-2021-45658 | 1 Netgear | 64 D7800, D7800 Firmware, Dm200 and 61 more | 2022-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by server-side injection. This affects D7800 before 1.0.1.58, DM200 before 1.0.0.66, EX2700 before 1.0.1.56, EX6150v2 before 1.0.1.86, EX6100v2 before 1.0.1.86, EX6200v2 before 1.0.1.78, EX6250 before 1.0.0.110, EX6410 before 1.0.0.110, EX6420 before 1.0.0.110, EX6400v2 before 1.0.0.110, EX7300 before 1.0.2.144, EX6400 before 1.0.2.144, EX7320 before 1.0.0.110, EX7300v2 before 1.0.0.110, R7500v2 before 1.0.3.48, R7800 before 1.0.2.68, R8900 before 1.0.5.2, R9000 before 1.0.5.2, RAX120 before 1.0.1.90, RBK40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 2.5.1.16, RBS50Y before 2.6.1.40, WN3000RPv2 before 1.0.0.78, WN3000RPv3 before 1.0.2.80, WNR2000v5 before 1.0.0.72, XR500 before 2.3.2.56, and XR700 before 1.0.1.20. | |||||
| CVE-2020-28949 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2022-01-06 | 6.8 MEDIUM | 7.8 HIGH |
| Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | |||||
| CVE-2017-18860 | 1 Netgear | 50 Fs752tp, Fs752tp Firmware, Gs108t Firmware and 47 more | 2022-01-04 | 3.6 LOW | 7.7 HIGH |
| Certain NETGEAR devices are affected by debugging command execution. This affects FS752TP 5.4.2.19 and earlier, GS108Tv2 5.4.2.29 and earlier, GS110TP 5.4.2.29 and earlier, GS418TPP 6.6.2.6 and earlier, GS510TLP 6.6.2.6 and earlier, GS510TP 5.04.2.27 and earlier, GS510TPP 6.6.2.6 and earlier, GS716Tv2 5.4.2.27 and earlier, GS716Tv3 6.3.1.16 and earlier, GS724Tv3 5.4.2.27 and earlier, GS724Tv4 6.3.1.16 and earlier, GS728TPSB 5.3.0.29 and earlier, GS728TSB 5.3.0.29 and earlier, GS728TXS 6.1.0.35 and earlier, GS748Tv4 5.4.2.27 and earlier, GS748Tv5 6.3.1.16 and earlier, GS752TPSB 5.3.0.29 and earlier, GS752TSB 5.3.0.29 and earlier, GS752TXS 6.1.0.35 and earlier, M4200 12.0.2.10 and earlier, M4300 12.0.2.10 and earlier, M5300 11.0.0.28 and earlier, M6100 11.0.0.28 and earlier, M7100 11.0.0.28 and earlier, S3300 6.6.1.4 and earlier, XS708T 6.6.0.11 and earlier, XS712T 6.1.0.34 and earlier, and XS716T 6.6.0.11 and earlier. | |||||
| CVE-2021-43437 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2022-01-03 | 6.8 MEDIUM | 8.8 HIGH |
| In sourcecodetester Engineers Online Portal as of 10-21-21, an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host Header comes in. This header specifies which website should process the HTTP request. The web server uses the value of this header to dispatch the request to the specified website. Each website hosted on the same IP address is called a virtual host. And It's possible to send requests with arbitrary Host Headers to the first virtual host. | |||||
| CVE-2019-9900 | 2 Envoyproxy, Redhat | 2 Envoy, Openshift Service Mesh | 2022-01-01 | 7.5 HIGH | 8.3 HIGH |
| When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources. | |||||
| CVE-2020-35213 | 1 Atomix | 1 Atomix | 2021-12-21 | 5.5 MEDIUM | 8.1 HIGH |
| An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. | |||||
| CVE-2019-19614 | 1 Halvotec | 1 Raquest | 2021-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Halvotec RAQuest 10.23.10801.0. The login page is vulnerable to wildcard injection, allowing an attacker to enumerate the list of users sharing an identical password. Fixed in Release 10.24.11206.1. | |||||
| CVE-2021-37262 | 1 Jflyfox | 1 Jfinal Cms | 2021-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service. | |||||
| CVE-2020-4027 | 1 Atlassian | 2 Confluence, Confluence Server | 2021-12-13 | 6.5 MEDIUM | 4.7 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allowed remote attackers with system administration permissions to bypass velocity template injection mitigations via an injection vulnerability in custom user macros. The affected versions are before version 7.4.5, and from version 7.5.0 before 7.5.1. | |||||
| CVE-2021-37033 | 1 Huawei | 2 Emui, Magic Ui | 2021-12-09 | 5.0 MEDIUM | 7.5 HIGH |
| There is an Injection attack vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability. | |||||
| CVE-2020-26142 | 1 Openbsd | 1 Openbsd | 2021-12-03 | 2.6 LOW | 5.3 MEDIUM |
| An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. | |||||
| CVE-2019-25031 | 2 Debian, Nlnetlabs | 2 Debian Linux, Unbound | 2021-12-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| ** DISPUTED ** Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. create_unbound_ad_servers.sh is a contributed script from the community that facilitates automatic configuration creation. It is not part of the Unbound installation. | |||||
| CVE-2020-12108 | 5 Canonical, Debian, Fedoraproject and 2 more | 6 Ubuntu Linux, Debian Linux, Fedora and 3 more | 2021-12-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| /options/mailman in GNU Mailman before 2.1.31 allows Arbitrary Content Injection. | |||||
| CVE-2021-30506 | 2 Fedoraproject, Google | 3 Fedora, Android, Chrome | 2021-12-02 | 6.8 MEDIUM | 8.8 HIGH |
| Incorrect security UI in Web App Installs in Google Chrome on Android prior to 90.0.4430.212 allowed an attacker who convinced a user to install a web application to inject scripts or HTML into a privileged page via a crafted HTML page. | |||||
| CVE-2020-15011 | 3 Canonical, Debian, Gnu | 3 Ubuntu Linux, Debian Linux, Mailman | 2021-11-30 | 2.6 LOW | 4.3 MEDIUM |
| GNU Mailman before 2.1.33 allows arbitrary content injection via the Cgi/private.py private archive login page. | |||||