Vulnerabilities (CVE)

Total 210374 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-0347 1 Wpbrigade 1 Loginpress 2022-03-11 4.3 MEDIUM 6.1 MEDIUM
The LoginPress | Custom Login Page Customizer WordPress plugin before 1.5.12 does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
CVE-2022-0267 1 Adrotate Project 1 Adrotate 2022-03-11 6.5 MEDIUM 7.2 HIGH
The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection
CVE-2022-0205 1 Yop-poll 1 Yop-poll 2022-03-11 3.5 LOW 5.4 MEDIUM
The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue
CVE-2022-0163 1 Rednao 1 Smart Forms 2022-03-11 4.0 MEDIUM 6.5 MEDIUM
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form.
CVE-2021-25098 1 Fatcatapps 1 Easy Pricing Tables 2022-03-11 4.3 MEDIUM 6.5 MEDIUM
The Pricing Tables WordPress Plugin WordPress plugin before 3.1.3 does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash
CVE-2021-25039 1 Obtaininfotech 1 Multisite Content Copier/updater 2022-03-11 4.3 MEDIUM 6.1 MEDIUM
The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.0 does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
CVE-2021-25038 1 Obtaininfotech 1 Multisite User Sync/unsync 2022-03-11 4.3 MEDIUM 6.1 MEDIUM
The WordPress Multisite User Sync/Unsync WordPress plugin before 2.1.2 does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
CVE-2021-24961 1 Iptanus 2 Wordpress File Upload, Wordpress File Upload Pro 2022-03-11 3.5 LOW 5.4 MEDIUM
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks
CVE-2021-24960 1 Iptanus 2 Wordpress File Upload, Wordpress File Upload Pro 2022-03-11 3.5 LOW 5.4 MEDIUM
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks
CVE-2021-44166 1 Fortinet 1 Fortitoken Mobile 2022-03-11 3.5 LOW 4.1 MEDIUM
An improper access control vulnerability [CWE-284] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user.
CVE-2021-24953 1 Tinywebgallery 1 Advanced Iframe 2022-03-11 4.3 MEDIUM 6.1 MEDIUM
The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24952 1 Tatvic 1 Conversios.io 2022-03-11 6.5 MEDIUM 8.8 HIGH
The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.
CVE-2021-24826 1 Custom Content Shortcode Project 1 Custom Content Shortcode 2022-03-11 3.5 LOW 5.4 MEDIUM
The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please note that such attack is still possible by admin+ in single site blogs by default (but won't be when the unfiltered_html is disallowed)
CVE-2021-4198 1 Bitdefender 5 Antivirus Plus, Endpoint Security Tools, Internet Security and 2 more 2022-03-11 3.6 LOW 6.1 MEDIUM
A NULL Pointer Dereference vulnerability in the messaging_ipc.dll component as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools, VPN Standalone allows an attacker to arbitrarily crash product processes and generate crashdump files. This issue affects: Bitdefender Total Security versions prior to 26.0.3.29. Bitdefender Internet Security versions prior to 26.0.3.29. Bitdefender Antivirus Plus versions prior to 26.0.3.29. Bitdefender Endpoint Security Tools versions prior to 7.2.2.92. Bitdefender VPN Standalone versions prior to 25.5.0.48.
CVE-2022-26314 1 Mendix 1 Forgot Password 2022-03-11 7.5 HIGH 9.8 CRITICAL
A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.
CVE-2022-26313 1 Mendix 1 Forgot Password 2022-03-11 6.8 MEDIUM 9.8 CRITICAL
A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1). In certain configurations of the affected product, a threat actor could use the sign up flow to hijack arbitrary user accounts.
CVE-2022-24661 1 Siemens 1 Simcenter Star-ccm+ Viewer 2022-03-11 6.8 MEDIUM 7.8 HIGH
A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All versions < V2022.1). The starview+.exe contains a memory corruption vulnerability while parsing specially crafted .SCE files. This could allow an attacker to execute code in the context of the current process.
CVE-2021-4199 1 Bitdefender 4 Antivirus Plus, Endpoint Security Tools, Internet Security and 1 more 2022-03-11 7.2 HIGH 7.8 HIGH
Incorrect Permission Assignment for Critical Resource vulnerability in the crash handling component BDReinit.exe as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools for Windows allows a remote attacker to escalate local privileges to SYSTEM. This issue affects: Bitdefender Total Security versions prior to 26.0.10.45. Bitdefender Internet Security versions prior to 26.0.10.45. Bitdefender Antivirus Plus versions prior to 26.0.10.45. Bitdefender Endpoint Security Tools for Windows versions prior to 7.4.3.146.
CVE-2022-24408 1 Siemens 4 Sinumerik Mc, Sinumerik Mc Firmware, Sinumerik One and 1 more 2022-03-11 7.2 HIGH 7.8 HIGH
A vulnerability has been identified in SINUMERIK MC (All versions < V1.15 SP1), SINUMERIK ONE (All versions < V6.15 SP1). The sc SUID binary on affected devices provides several commands that are used to execute system commands or modify system files. A specific set of operations using sc could allow local attackers to escalate their privileges to root.
CVE-2021-41543 1 Siemens 2 Climatix Pol909, Climatix Pol909 Firmware 2022-03-11 4.0 MEDIUM 6.5 MEDIUM
A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The handling of log files in the web application of affected devices contains an information disclosure vulnerability which could allow logged in users to access sensitive files.