CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-20781 | Cisco | Asyncos, Web Security Appliance | 2022-04-14 | 3.5 LOW | 5.4 MEDIUM | A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface.
CVE-2021-25313 | Suse | Rancher | 2022-04-13 | 4.3 MEDIUM | 6.1 MEDIUM | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rancher allows remote attackers to execute JavaScript via malicious links. This issue affects SUSE Rancher versions prior to 2.5.6.
CVE-2019-13209 | Suse | Rancher | 2022-04-13 | 4.3 MEDIUM | 6.1 MEDIUM | Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.
CVE-2019-11202 | Suse | Rancher | 2022-04-13 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered that affects the following versions of Rancher: v2.0.0 through v2.0.13, v2.1.0 through v2.1.8, and v2.2.0 through 2.2.1. When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin credentials. This can be mitigated by deactivating the default admin user rather than completely deleting it.
CVE-2019-11881 | Suse | Rancher | 2022-04-13 | 4.3 MEDIUM | 4.7 MEDIUM | A vulnerability exists in Rancher 2.1.4 in the login component, where the errorMsg parameter can be tampered with to display arbitrary content, filtering tags but not special characters or symbols. There is no other limitation on the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message.
CVE-2019-12303 | Suse | Rancher | 2022-04-13 | 6.5 MEDIUM | 8.8 HIGH | In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container.
CVE-2019-12274 | Suse | Rancher | 2022-04-13 | 4.0 MEDIUM | 8.8 HIGH | In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
CVE-2019-6287 | Suse | Rancher | 2022-04-13 | 6.5 MEDIUM | 8.1 HIGH | In Rancher 2.0.0 through 2.1.5, project members have continued access to create, update, read, and delete namespaces in a project after they have been removed from it.
CVE-2018-20321 | Suse | Rancher | 2022-04-13 | 9.0 HIGH | 8.8 HIGH | An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access it. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.
CVE-2017-7297 | Suse | Rancher | 2022-04-13 | 6.5 MEDIUM | 8.8 HIGH | Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3.
CVE-2022-27061 | Aerocms Project | Aerocms | 2022-04-13 | 6.5 MEDIUM | 7.2 HIGH | AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the Post Image function under the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-27063 | Aerocms Project | Aerocms | 2022-04-13 | 4.3 MEDIUM | 6.1 MEDIUM | AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.
CVE-2022-27062 | Aerocms Project | Aerocms | 2022-04-13 | 3.5 LOW | 4.8 MEDIUM | AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.
CVE-2022-26627 | Online Project Time Management System Project | Online Project Time Management System | 2022-04-13 | 6.8 MEDIUM | 8.8 HIGH | Online Project Time Management System v1.0 was discovered to contain an arbitrary file write vulnerability which allows attackers to execute arbitrary code via a crafted HTML file.
CVE-2022-1219 | Pimcore | Pimcore | 2022-04-13 | 5.0 MEDIUM | 7.5 HIGH | SQL injection in RecyclebinController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability can be used to steal data.
CVE-2021-46436 | Zzcms | Zzcms | 2022-04-13 | 6.8 MEDIUM | 7.2 HIGH | An issue was discovered in ZZCMS 2021. There is a SQL injection vulnerability in ad_manage.php.
CVE-2022-28000 | Car Rental System Project | Car Rental System | 2022-04-13 | 6.5 MEDIUM | 8.8 HIGH | Car Rental System v1.0 was discovered to contain a SQL injection vulnerability at /Car_Rental/booking.php via the id parameter.
CVE-2022-26613 | Php-cms Project | Php-cms | 2022-04-13 | 7.5 HIGH | 9.8 CRITICAL | PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability via the category parameter in categorymenu.php.
CVE-2021-43421 | Std42 | Elfinder | 2022-04-13 | 7.5 HIGH | 9.8 CRITICAL | A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
CVE-2021-43432 | Exrick | Xmall | 2022-04-13 | 4.3 MEDIUM | 6.1 MEDIUM | A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.