Total
210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-41839 | 1 Insyde | 1 Insydeh2o | 2022-03-29 | 4.6 MEDIUM | 8.2 HIGH |
An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM. | |||||
CVE-2022-24069 | 1 Insyde | 1 Insydeh2o | 2022-03-29 | 7.2 HIGH | 8.2 HIGH |
An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.0 before 05.08.41, 5.1 before 05.16.29, 5.2 before 05.26.29, 5.3 before 05.35.29, 5.4 before 05.43.29, and 5.5 before 05.51.29. An SMM callout vulnerability allows an attacker to hijack the execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM. | |||||
CVE-2021-43522 | 1 Insyde | 1 Insydeh2o | 2022-03-29 | 6.9 MEDIUM | 7.5 HIGH |
An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 2021-11-08, 5.2 through 2021-11-08, and 5.3 through 2021-11-08. A StorageSecurityCommandDxe SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM. | |||||
CVE-2020-8562 | 1 Kubernetes | 1 Kubernetes | 2022-03-29 | 3.5 LOW | 3.1 LOW |
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. | |||||
CVE-2021-45971 | 1 Insyde | 1 Insydeh2o | 2022-03-29 | 7.2 HIGH | 8.2 HIGH |
An issue was discovered in SdHostDriver in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBufferData). | |||||
CVE-2021-45970 | 1 Insyde | 1 Insydeh2o | 2022-03-29 | 7.2 HIGH | 8.2 HIGH |
An issue was discovered in IdeBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the status code saved at the CommBuffer+4 location). | |||||
CVE-2021-45969 | 1 Insyde | 1 Insydeh2o | 2022-03-29 | 7.2 HIGH | 8.2 HIGH |
An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the CommBuffer+8 location). | |||||
CVE-2021-40525 | 1 Apache | 1 James | 2022-03-29 | 6.4 MEDIUM | 9.1 CRITICAL |
The Apache James ManagedSieve implementation, together with the file storage for sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file. This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. | |||||
CVE-2022-26285 | 1 Simple Client Management System Project | 1 Simple Client Management System | 2022-03-29 | 7.5 HIGH | 9.8 CRITICAL |
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the apply endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP requests. | |||||
CVE-2021-45459 | 1 Node-windows Project | 1 Node-windows | 2022-03-29 | 7.5 HIGH | 9.8 CRITICAL |
lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter. | |||||
CVE-2021-45100 | 3 Ksmbd Project, Linux, Netapp | 18 Ksmbd, Linux Kernel, H300e and 15 more | 2022-03-29 | 5.0 MEDIUM | 7.5 HIGH |
The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption. | |||||
CVE-2021-44655 | 1 Online Pre-owned/used Car Showroom Management System Project | 1 Online Pre-owned/used Car Showroom Management System | 2022-03-29 | 7.5 HIGH | 9.8 CRITICAL |
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to get admin access to the application. | |||||
CVE-2021-44653 | 1 Online Magazine Management System Project | 1 Online Magazine Management System | 2022-03-29 | 7.5 HIGH | 9.8 CRITICAL |
Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The Admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to gain access as admin to the application. | |||||
CVE-2021-43326 | 2 Automox, Microsoft | 2 Automox, Windows | 2022-03-29 | 4.6 MEDIUM | 7.8 HIGH |
Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory. | |||||
CVE-2021-34426 | 2 Keybase, Microsoft | 2 Keybase, Windows | 2022-03-29 | 7.2 HIGH | 7.8 HIGH |
A vulnerability was discovered in the Keybase Client for Windows before version 5.6.0 when a user executed the "keybase git lfs-config" command on the command-line. In versions prior to 5.6.0, a malicious actor with write access to a user's Git repository could leverage this vulnerability to potentially execute arbitrary Windows commands on a user's local system. | |||||
CVE-2022-26189 | 1 Totolink | 2 N600r, N600r Firmware | 2022-03-29 | 7.5 HIGH | 9.8 CRITICAL |
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface. | |||||
CVE-2022-26188 | 1 Totolink | 2 N600r, N600r Firmware | 2022-03-29 | 7.5 HIGH | 9.8 CRITICAL |
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via /setting/NTPSyncWithHost. | |||||
CVE-2022-1003 | 1 Mattermost | 1 Mattermost | 2022-03-29 | 4.0 MEDIUM | 4.9 MEDIUM |
One of the APIs in Mattermost version 6.3.0 and earlier fails to properly protect permissions, which allows system administrators to combine two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads. | |||||
CVE-2021-44760 | 1 Wp-downloadmanager Project | 1 Wp-downloadmanager | 2022-03-29 | 3.5 LOW | 5.4 MEDIUM |
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). | |||||
CVE-2021-46364 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-03-29 | 6.8 MEDIUM | 7.8 HIGH |
A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file. |