Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22190 | 1 Juniper | 1 Paragon Active Assurance Control Center | 2022-04-21 | 4.3 MEDIUM | 7.5 HIGH |
| An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated attacker to leverage a crafted URL to generate PDF reports, potentially containing sensitive configuration information. A feature was introduced in version 3.1 of the Paragon Active Assurance Control Center which allows users to selective share account data using a unique identifier. Knowing the proper format of the URL and the identifier of an existing object in an application it is possible to get access to that object without being logged in, even if the object is not shared, resulting in the opportunity for malicious exfiltration of user data. Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue. This issue affects Juniper Networks Paragon Active Assurance version 3.1.0. | |||||
| CVE-2022-22188 | 1 Juniper | 8 Ex4600, Ex4650, Junos and 5 more | 2022-04-21 | 4.3 MEDIUM | 7.5 HIGH |
| An Uncontrolled Memory Allocation vulnerability leading to a Heap-based Buffer Overflow in the packet forwarding engine (PFE) of Juniper Networks Junos OS allows a network-based unauthenticated attacker to flood the device with traffic leading to a Denial of Service (DoS). The device must be configured with storm control profiling limiting the number of unknown broadcast, multicast, or unicast traffic to be vulnerable to this issue. This issue affects: Juniper Networks Junos OS on QFX5100/QFX5110/QFX5120/QFX5200/QFX5210/EX4600/EX4650 Series; 20.2 version 20.2R1 and later versions prior to 20.2R2. This issue does not affect: Juniper Networks Junos OS versions prior to 20.2R1. | |||||
| CVE-2022-22186 | 1 Juniper | 2 Ex4650, Junos | 2022-04-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Due to an Improper Initialization vulnerability in Juniper Networks Junos OS on EX4650 devices, packets received on the management interface (em0) but not destined to the device, may be improperly forwarded to an egress interface, instead of being discarded. Such traffic being sent by a client may appear genuine, but is non-standard in nature and should be considered as potentially malicious. This issue affects: Juniper Networks Junos OS on EX4650 Series: All versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R3-S5; 19.3 versions prior to 19.3R3-S5; 19.4 versions prior to 19.4R3-S7; 20.1 versions prior to 20.1R3-S3; 20.2 versions prior to 20.2R3-S4; 20.3 versions prior to 20.3R3-S3; 20.4 versions prior to 20.4R3-S2; 21.1 versions prior to 21.1R3-S1; 21.2 versions prior to 21.2R3; 21.3 versions prior to 21.3R2; 21.4 versions prior to 21.4R2; 22.1 versions prior to 22.1R1. | |||||
| CVE-2022-22182 | 1 Juniper | 1 Junos | 2022-04-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability in Juniper Networks Junos OS J-Web allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S19; 15.1 versions prior to 15.1R7-S10; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S10, 18.4R3-S9; 19.1 versions prior to 19.1R2-S3, 19.1R3-S6; 19.2 versions prior to 19.2R1-S8, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2; 21.2 versions prior to 21.2R1-S1, 21.2R2. | |||||
| CVE-2022-22181 | 1 Juniper | 1 Junos | 2022-04-21 | 3.5 LOW | 5.4 MEDIUM |
| A reflected Cross-site Scripting (XSS) vulnerability in J-Web of Juniper Networks Junos OS allows a network-based authenticated attacker to run malicious scripts reflected off J-Web to the victim's browser in the context of their session within J-Web. This may allow the attacker to gain control of the device or attack other authenticated user sessions. This issue affects: Juniper Networks Junos OS All versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S4; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. | |||||
| CVE-2021-45228 | 1 Coins-global | 1 Coins Construction Cloud | 2022-04-21 | 3.5 LOW | 5.4 MEDIUM |
| An XSS issue was discovered in COINS Construction Cloud 11.12. Due to insufficient neutralization of user input in the description of a task, it is possible to store malicious JavaScript code in the task description. This is later executed when it is reflected back to the user. | |||||
| CVE-2021-45227 | 1 Coins-global | 1 Coins Construction Cloud | 2022-04-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in COINS Construction Cloud 11.12. Due to an inappropriate use of HTML IFRAME elements, the file upload functionality is vulnerable to a persistent Cross-Site Scripting (XSS) attack. | |||||
| CVE-2022-27479 | 1 Apache | 1 Superset | 2022-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue. | |||||
| CVE-2022-22955 | 2 Linux, Vmware | 4 Linux Kernel, Identity Manager, Vrealize Automation and 1 more | 2022-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. | |||||
| CVE-2022-27503 | 1 Citrix | 1 Storefront Server | 2022-04-20 | 2.6 LOW | 6.1 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in Citrix StoreFront affects version 1912 before CU5 and version 3.12 before CU9 | |||||
| CVE-2022-27847 | 1 Yooslider | 1 Yoo Slider | 2022-04-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to import templates. | |||||
| CVE-2022-27846 | 1 Yooslider | 1 Yoo Slider | 2022-04-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to create or modify slider. | |||||
| CVE-2022-0221 | 1 Schneider-electric | 1 Scadapack Workbench | 2022-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
| A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior) | |||||
| CVE-2022-1337 | 1 Mattermost | 1 Mattermost Server | 2022-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files. | |||||
| CVE-2022-25615 | 1 Stylemixthemes | 1 Eroom - Zoom Meetings \& Webinar | 2022-04-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.8 allows cache deletion. | |||||
| CVE-2022-28542 | 1 Samsung | 1 Galaxy Store | 2022-04-20 | 2.1 LOW | 5.5 MEDIUM |
| Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store permission. | |||||
| CVE-2022-27844 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Arbitrary File Read vulnerability in WPvivid Team Migration, Backup, Staging – WPvivid (WordPress plugin) versions <= 0.9.70 | |||||
| CVE-2021-42136 | 1 Vanderbilt | 1 Redcap | 2022-04-20 | 3.5 LOW | 9.0 CRITICAL |
| A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator. | |||||
| CVE-2022-1280 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2022-04-20 | 3.3 LOW | 6.3 MEDIUM |
| A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak. | |||||
| CVE-2022-1332 | 1 Mattermost | 1 Mattermost Server | 2022-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents. | |||||