Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27952 | 1 Payloadcms | 1 Payload | 2022-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file. | |||||
| CVE-2021-39804 | 1 Google | 1 Android | 2022-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| In reinit of HeifDecoderImpl.cpp, there is a possible crash due to a missing null check. This could lead to remote persistent denial of service in the file picker with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-215002587 | |||||
| CVE-2022-28216 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2022-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform (BI Workspace) - version 420, is susceptible to a Cross-Site Scripting attack by an unauthenticated attacker due to improper sanitization of the user inputs on the network. On successful exploitation, an attacker can access certain reports causing a limited impact on confidentiality of the application data. | |||||
| CVE-2022-28795 | 1 Avira | 1 Password Manager | 2022-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. An attacker could then access this information via JavaScript. The issue was fixed with the browser extensions version 2.18.5 for Chrome, MS Edge, Opera, Firefox, and Safari. | |||||
| CVE-2021-0707 | 1 Google | 1 Android | 2022-04-20 | 7.2 HIGH | 7.8 HIGH |
| In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-155756045References: Upstream kernel | |||||
| CVE-2022-28773 | 1 Sap | 2 Netweaver, Web Dispatcher | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial of service, but can be restarted automatically. | |||||
| CVE-2021-0694 | 1 Google | 1 Android | 2022-04-20 | 7.2 HIGH | 7.8 HIGH |
| In setServiceForegroundInnerLocked of ActiveServices.java, there is a possible way for a background application to regain foreground permissions due to insufficient background restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-183147114 | |||||
| CVE-2022-28772 | 1 Sap | 2 Netweaver, Web Dispatcher | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher - versions 7.53, 7.77, 7.81, 7.85, 7.86, or Internet Communication Manager - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, which makes these programs unavailable, leading to denial of service. | |||||
| CVE-2022-28770 | 1 Sap | 1 Sapui5 Library | 2022-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Due to insufficient input validation, SAPUI5 library(vbm) - versions 750, 753, 754, 755, 75, allows an unauthenticated attacker to inject a script into the URL and execute code. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application. | |||||
| CVE-2018-8770 | 1 Cobub | 1 Razor | 2022-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via generate.php, controllers/getConfigTest.php, controllers/getUpdateTest.php, controllers/postclientdataTest.php, controllers/posterrorTest.php, controllers/posteventTest.php, controllers/posttagTest.php, controllers/postusinglogTest.php, fixtures/Controller_fixt.php, fixtures/Controller_fixt2.php, fixtures/view_fixt2.php, libs/ipTest.php, or models/commonDbfix.php in tests/. | |||||
| CVE-2022-21803 | 1 Nconf Project | 1 Nconf | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype. | |||||
| CVE-2021-42255 | 1 Blueplanet-works | 1 Appguard | 2022-04-20 | 7.2 HIGH | 7.8 HIGH |
| AppGuard Enterprise before 6.7.100.1 creates a Temporary File in a Directory with Insecure Permissions. Local users can gain SYSTEM privileges because a repair operation relies on the %TEMP% directory of an unprivileged user. | |||||
| CVE-2022-22541 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2022-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP BusinessObjects Business Intelligence Platform - versions 420, 430, may allow legitimate users to access information they shouldn't see through relational or OLAP connections. The main impact is the disclosure of company data to people that shouldn't or don't need to have access. | |||||
| CVE-2022-27476 | 1 Newbee-mall Project | 1 Newbee-mall | 2022-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter. | |||||
| CVE-2022-25614 | 1 Stylemixthemes | 1 Eroom - Zoom Meetings \& Webinar | 2022-04-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.7 allows an attacker to Sync with Zoom Meetings. | |||||
| CVE-2022-21155 | 4 Apple, Fernhillsoftware, Linux and 1 more | 4 Macos, Scada Server, Linux Kernel and 1 more | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| A specially crafted packet sent to the Fernhill SCADA Server Version 3.77 and earlier may cause an exception, causing the server process (FHSvrService.exe) to exit. | |||||
| CVE-2019-12086 | 2 Debian, Fasterxml | 2 Debian Linux, Jackson-databind | 2022-04-19 | 5.0 MEDIUM | 7.5 HIGH |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. | |||||
| CVE-2018-11212 | 7 Canonical, Debian, Ijg and 4 more | 13 Ubuntu Linux, Debian Linux, Libjpeg and 10 more | 2022-04-19 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. | |||||
| CVE-2014-0097 | 1 Vmware | 1 Spring Security | 2022-04-19 | 7.5 HIGH | 7.3 HIGH |
| The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. | |||||
| CVE-2012-5351 | 1 Apache | 1 Axis2 | 2022-04-19 | 6.4 MEDIUM | N/A |
| Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418. | |||||