Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-44556 | 1 Huawei | 2 Emui, Harmonyos | 2023-03-03 | N/A | 7.5 HIGH |
| Missing parameter type validation in the DRM module. Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2022-41358 | 1 Garage Management System Project | 1 Garage Management System | 2023-03-03 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Garage Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the categoriesName parameter in createCategories.php. | |||||
| CVE-2019-15215 | 5 Canonical, Debian, Linux and 2 more | 10 Ubuntu Linux, Debian Linux, Linux Kernel and 7 more | 2023-03-03 | 4.9 MEDIUM | 4.6 MEDIUM |
| An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. | |||||
| CVE-2019-1936 | 1 Cisco | 3 Integrated Management Controller Supervisor, Ucs Director, Ucs Director Express For Big Data | 2023-03-03 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an authenticated, remote attacker to execute arbitrary commands on the underlying Linux shell as the root user. Exploitation of this vulnerability requires privileged access to an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by logging in to the web-based management interface with administrator privileges and then sending a malicious request to a certain part of the interface. | |||||
| CVE-2013-4536 | 1 Qemu | 1 Qemu | 2023-03-03 | 4.6 MEDIUM | 7.8 HIGH |
| An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. | |||||
| CVE-2020-11077 | 4 Debian, Fedoraproject, Opensuse and 1 more | 4 Debian Linux, Fedora, Leap and 1 more | 2023-03-03 | 5.0 MEDIUM | 7.5 HIGH |
| In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5. | |||||
| CVE-2023-24081 | 1 Go-redrock | 1 Tutortrac | 2023-03-03 | N/A | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page. | |||||
| CVE-2020-13388 | 1 Python | 1 Jw.util | 2023-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used. | |||||
| CVE-2022-24697 | 1 Apache | 1 Kylin | 2023-03-03 | N/A | 9.8 CRITICAL |
| Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier. | |||||
| CVE-2020-28367 | 1 Golang | 1 Go | 2023-03-03 | 5.1 MEDIUM | 7.5 HIGH |
| Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. | |||||
| CVE-2019-16255 | 4 Debian, Opensuse, Oracle and 1 more | 4 Debian Linux, Leap, Graalvm and 1 more | 2023-03-03 | 6.8 MEDIUM | 8.1 HIGH |
| Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. | |||||
| CVE-2019-14246 | 1 Centos-webpanel | 1 Centos Web Panel | 2023-03-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to discover phpMyAdmin passwords (of any user in /etc/passwd) via an attacker account. | |||||
| CVE-2019-14245 | 1 Centos-webpanel | 1 Centos Web Panel | 2023-03-03 | 5.5 MEDIUM | 6.5 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to delete databases (such as oauthv2) from the server via an attacker account. | |||||
| CVE-2019-18676 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2023-03-03 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme. | |||||
| CVE-2019-14513 | 2 Debian, Thekelleys | 2 Debian Linux, Dnsmasq | 2023-03-03 | 5.0 MEDIUM | 7.5 HIGH |
| Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that result in a read operation beyond the buffer allocated for the packet, a different vulnerability than CVE-2017-14491. | |||||
| CVE-2021-4325 | 1 Nhncloud | 1 Toast Ui Chart | 2023-03-03 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in NHN TOAST UI Chart 4.1.4. This issue affects some unknown processing of the component Legend Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 4.2.0 is able to address this issue. The name of the patch is 1a3f455d17df379e11b501bb5ba1dd1bcc41d63e. It is recommended to upgrade the affected component. The identifier VDB-221501 was assigned to this vulnerability. | |||||
| CVE-2022-38779 | 1 Elastic | 1 Kibana | 2023-03-03 | N/A | 6.1 MEDIUM |
| An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. | |||||
| CVE-2023-20855 | 1 Vmware | 2 Vrealize Automation, Vrealize Orchestrator | 2023-03-03 | N/A | 8.8 HIGH |
| VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges. | |||||
| CVE-2023-20858 | 2 Microsoft, Vmware | 2 Windows, Carbon Black App Control | 2023-03-03 | N/A | 7.2 HIGH |
| VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x.prior to 8.9.4 contain an injection vulnerability. A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system. | |||||
| CVE-2020-35137 | 1 Mobileiron | 1 Mobile\@work | 2023-03-03 | 4.3 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature. | |||||