Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11837 | 1 F5 | 1 Njs | 2022-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| njs through 0.3.1, used in NGINX, has a segmentation fault in String.prototype.toBytes for negative arguments, related to nxt_utf8_next in nxt/nxt_utf8.h and njs_string_offset in njs/njs_string.c. | |||||
| CVE-2021-29899 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2022-03-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Engineering Requirements Quality Assistant prior to 3.1.3 could allow an authenticated user to cause a denial of service. IBM X-Force ID: 207413. | |||||
| CVE-2021-44088 | 1 Attendance And Payroll System Project | 1 Attendance And Payroll System | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters. | |||||
| CVE-2022-24770 | 1 Gradio Project | 1 Gradio | 2022-03-24 | 6.8 MEDIUM | 8.8 HIGH |
| `gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs. | |||||
| CVE-2022-24755 | 1 Bareos | 1 Bareos | 2022-03-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still login. This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized. | |||||
| CVE-2022-24756 | 1 Bareos | 1 Bareos | 2022-03-23 | 4.3 MEDIUM | 7.5 HIGH |
| Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, a failed PAM authentication will leak a small amount of memory. An attacker that is able to use the PAM Console (i.e. by knowing the shared secret or via the WebUI) can flood the Director with failing login attempts which will eventually lead to an out-of-memory condition in which the Director will not work anymore. Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 contain a Bugfix for this problem. Users who are unable to upgrade may disable PAM authentication as a workaround. | |||||
| CVE-2022-25354 | 1 Set-in Project | 1 Set-in | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049) | |||||
| CVE-2022-25296 | 1 Bodymen Project | 1 Bodymen | 2022-03-23 | 7.5 HIGH | 7.3 HIGH |
| The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897) | |||||
| CVE-2022-21221 | 2 Fasthttp Project, Microsoft | 2 Fasthttp, Windows | 2022-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. **Note:** This security issue impacts Windows users only. | |||||
| CVE-2022-0749 | 1 Singoo | 1 Singoocms.utility | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter. | |||||
| CVE-2022-25352 | 1 Libnested Project | 1 Libnested | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930) | |||||
| CVE-2022-0748 | 1 Post-loader Project | 1 Post-loader | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed. | |||||
| CVE-2021-45794 | 1 Slims | 1 Senayan Library Management System | 2022-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained. | |||||
| CVE-2021-45793 | 1 Slims | 1 Senayan Library Management System | 2022-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained. | |||||
| CVE-2021-44908 | 1 Sailsjs | 1 Sails | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). | |||||
| CVE-2021-23632 | 1 Git Project | 1 Git | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work. | |||||
| CVE-2021-23771 | 2 Argencoders-notevil Project, Notevil Project | 2 Argencoders-notevil, Notevil | 2022-03-23 | 6.4 MEDIUM | 6.5 MEDIUM |
| This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878). | |||||
| CVE-2022-20701 | 1 Cisco | 8 Rv340, Rv340 Firmware, Rv340w and 5 more | 2022-03-23 | 7.2 HIGH | 7.8 HIGH |
| Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-39725 | 1 Google | 1 Android | 2022-03-23 | 4.6 MEDIUM | 6.7 MEDIUM |
| In gasket_free_coherent_memory_all of gasket_page_table.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-151454974References: N/A | |||||
| CVE-2021-39726 | 1 Google | 1 Android | 2022-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| In cd_ParseMsg of cd_codec.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-181782896References: N/A | |||||