Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-45889 | 1 Ponton | 1 X/p Messenger | 2022-03-19 | 3.5 LOW | 5.4 MEDIUM | An issue was discovered in PONTON X/P Messenger before 3.11.2. Several functions are vulnerable to reflected XSS, as demonstrated by private/index.jsp?partners/ShowNonLocalPartners.do?localID= or private/index.jsp or private/index.jsp?database/databaseTab.jsp or private/index.jsp?activation/activationMainTab.jsp or private/index.jsp?communication/serverTab.jsp or private/index.jsp?emailNotification/notificationTab.jsp.
CVE-2021-45888 | 1 Ponton | 1 X/p Messenger | 2022-03-19 | 3.5 LOW | 4.8 MEDIUM | An issue was discovered in PONTON X/P Messenger before 3.11.2. The navigation tree shown on the left side of every page of the web application is vulnerable to XSS: it allows injection of JavaScript into its nodes. Creating such nodes is only possible for users who have the role Configuration Administrator or Administrator.
CVE-2021-45887 | 1 Ponton | 1 X/p Messenger | 2022-03-19 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in PONTON X/P Messenger before 3.11.2. Due to path traversal in private/SchemaSetUpload.do for uploaded ZIP files, an executable script can be uploaded by web application administrators, giving the attacker remote code execution on the underlying server via an imgs/*.jsp URI.
CVE-2021-45886 | 1 Ponton | 1 X/p Messenger | 2022-03-19 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF, where an arbitrary token of a low-privileged user (such as operator) can be used to confirm actions of higher-privileged ones (such as xpadmin).
CVE-2022-0895 | 1 Microweber | 1 Microweber | 2022-03-19 | 7.5 HIGH | 9.8 CRITICAL | Static Code Injection in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-26319 | 1 Trendmicro | 1 Portable Security | 2022-03-19 | 6.9 MEDIUM | 6.5 MEDIUM | An installer search path element vulnerability in Trend Micro Portable Security 3.0 Pro, 3.0 and 2.0 could allow a local attacker to place an arbitrarily generated DLL file in an installer folder to elevate local privileges. Please note: an attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.
CVE-2022-24387 | 1 Smartertools | 1 Smartertrack | 2022-03-18 | 6.5 MEDIUM | 7.2 HIGH | With administrator or admin privileges, the application can be tricked into overwriting files in the app_data/Config folder, e.g. the systemsettings.xml file. This is possible in SmarterTrack v100.0.8019.14010.
CVE-2022-24386 | 1 Smartertools | 1 Smartertrack | 2022-03-18 | 3.5 LOW | 5.4 MEDIUM | Stored XSS in SmarterTools SmarterTrack. This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.
CVE-2022-24385 | 1 Smartertools | 1 Smartertrack | 2022-03-18 | 4.0 MEDIUM | 6.5 MEDIUM | A Direct Object Access vulnerability in SmarterTools SmarterTrack leads to information disclosure. This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.
CVE-2022-24384 | 1 Smartertools | 1 Smartertrack | 2022-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack. This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.
CVE-2021-46709 | 1 Phpliteadmin | 1 Phpliteadmin | 2022-03-18 | 4.3 MEDIUM | 6.1 MEDIUM | phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows parameter (aka num or number).
CVE-2022-24696 | 1 Mirametrix | 1 Glance | 2022-03-18 | 4.6 MEDIUM | 7.8 HIGH | Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a local attacker to elevate privileges. NOTE: this is unrelated to products from the glance.com and glance.net websites.
CVE-2022-24128 | 1 Timescale | 1 Timescaledb | 2022-03-18 | 6.0 MEDIUM | 8.0 HIGH | Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. The installation process uses commands such as CREATE x IF NOT EXIST that allow an unprivileged user to precreate objects. These objects will be used by the installer (which executes as Superuser), leading to privilege escalation. In order to be able to take advantage of this, an unprivileged user would need to be able to create objects in a database and then get a Superuser to install TimescaleDB into their database. (In the fixed versions, the installation aborts when it finds that an object already exists.)
CVE-2022-25922 | 1 Hegemonelectronics | 2 Plc4trucks, Plc4trucks Firmware | 2022-03-18 | 6.4 MEDIUM | 9.1 CRITICAL | Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions.
CVE-2021-24762 | 1 Getperfectsurvey | 1 Perfect Survey | 2022-03-18 | 7.5 HIGH | 9.8 CRITICAL | The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
CVE-2021-25076 | 1 Wedevs | 1 Wp User Frontend | 2022-03-18 | 6.5 MEDIUM | 8.8 HIGH | The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.
CVE-2021-41849 | 3 Bluproducts, Luna, Wikomobile | 10 G9, G90, G90 Firmware and 7 more | 2022-03-18 | 2.1 LOW | 5.5 MEDIUM | An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It sends the following Personally Identifiable Information (PII) in plaintext using HTTP to servers located in China: the user's list of installed apps and the device International Mobile Equipment Identity (IMEI). This PII is transmitted to log.skyroam.com.cn using HTTP, independent of whether the user uses the Simo software.
CVE-2022-0557 | 1 Microweber | 1 Microweber | 2022-03-18 | 9.0 HIGH | 7.2 HIGH | OS Command Injection in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-22993 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2022-03-18 | 8.3 HIGH | 8.8 HIGH | A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.
CVE-2021-37419 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2022-03-18 | 5.0 MEDIUM | 7.5 HIGH | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.