Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Total 210374 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41839 1 Insyde 1 Insydeh2o 2022-03-29 4.6 MEDIUM 8.2 HIGH
An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVE-2022-24069 1 Insyde 1 Insydeh2o 2022-03-29 7.2 HIGH 8.2 HIGH
An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.0 before 05.08.41, 5.1 before 05.16.29, 5.2 before 05.26.29, 5.3 before 05.35.29, 5.4 before 05.43.29, and 5.5 before 05.51.29. An SMM callout vulnerability allows an attacker to hijack the execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.
CVE-2021-43522 1 Insyde 1 Insydeh2o 2022-03-29 6.9 MEDIUM 7.5 HIGH
An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 2021-11-08, 5.2 through 2021-11-08, and 5.3 through 2021-11-08. A StorageSecurityCommandDxe SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVE-2020-8562 1 Kubernetes 1 Kubernetes 2022-03-29 3.5 LOW 3.1 LOW
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
CVE-2021-45971 1 Insyde 1 Insydeh2o 2022-03-29 7.2 HIGH 8.2 HIGH
An issue was discovered in SdHostDriver in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBufferData).
CVE-2021-45970 1 Insyde 1 Insydeh2o 2022-03-29 7.2 HIGH 8.2 HIGH
An issue was discovered in IdeBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the status code saved at the CommBuffer+4 location).
CVE-2021-45969 1 Insyde 1 Insydeh2o 2022-03-29 7.2 HIGH 8.2 HIGH
An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the CommBuffer+8 location).
CVE-2021-40525 1 Apache 1 James 2022-03-29 6.4 MEDIUM 9.1 CRITICAL
Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.
CVE-2022-26285 1 Simple Client Management System Project 1 Simple Client Management System 2022-03-29 7.5 HIGH 9.8 CRITICAL
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the apply endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP requests.
CVE-2021-45459 1 Node-windows Project 1 Node-windows 2022-03-29 7.5 HIGH 9.8 CRITICAL
lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.
CVE-2021-45100 3 Ksmbd Project, Linux, Netapp 18 Ksmbd, Linux Kernel, H300e and 15 more 2022-03-29 5.0 MEDIUM 7.5 HIGH
The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption.
CVE-2021-44655 1 Online Pre-owned\/used Car Showroom Management System Project 1 Online Pre-owned\/used Car Showroom Management System 2022-03-29 7.5 HIGH 9.8 CRITICAL
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to get admin access on the application.
CVE-2021-44653 1 Online Magazine Management System Project 1 Online Magazine Management System 2022-03-29 7.5 HIGH 9.8 CRITICAL
Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to gain access as admin to the application.
CVE-2021-43326 2 Automox, Microsoft 2 Automox, Windows 2022-03-29 4.6 MEDIUM 7.8 HIGH
Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory.
CVE-2021-34426 2 Keybase, Microsoft 2 Keybase, Windows 2022-03-29 7.2 HIGH 7.8 HIGH
A vulnerability was discovered in the Keybase Client for Windows before version 5.6.0 when a user executed the "keybase git lfs-config" command on the command-line. In versions prior to 5.6.0, a malicious actor with write access to a user\'s Git repository could leverage this vulnerability to potentially execute arbitrary Windows commands on a user\'s local system.
CVE-2022-26189 1 Totolink 2 N600r, N600r Firmware 2022-03-29 7.5 HIGH 9.8 CRITICAL
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface.
CVE-2022-26188 1 Totolink 2 N600r, N600r Firmware 2022-03-29 7.5 HIGH 9.8 CRITICAL
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via /setting/NTPSyncWithHost.
CVE-2022-1003 1 Mattermost 1 Mattermost 2022-03-29 4.0 MEDIUM 4.9 MEDIUM
One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads.
CVE-2021-44760 1 Wp-downloadmanager Project 1 Wp-downloadmanager 2022-03-29 3.5 LOW 5.4 MEDIUM
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6).
CVE-2021-46364 1 Magnolia-cms 1 Magnolia Cms 2022-03-29 6.8 MEDIUM 7.8 HIGH
A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file.