Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-21705 | 1 Octobercms | 1 October | 2022-03-02 | 8.5 HIGH | 7.2 HIGH |
| Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually. | |||||
| CVE-2021-4029 | 1 Zyxel | 4 Nbg6816, Nbg6816 Firmware, Nbg6817 and 1 more | 2022-03-02 | 8.3 HIGH | 8.8 HIGH |
| A command injection vulnerability in the CGI program of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary OS commands via a LAN interface. | |||||
| CVE-2021-45746 | 1 Webank | 1 Wecube | 2022-03-02 | 5.0 MEDIUM | 7.5 HIGH |
| A Directory Traversal vulnerability exists in WeBankPartners wecube-platform 3.2.1 via the file variable in PluginPackageController.java. | |||||
| CVE-2022-20623 | 1 Cisco | 31 N9k-c92160yc-x, N9k-c92300yc, N9k-c92304qc and 28 more | 2022-03-02 | 7.1 HIGH | 7.5 HIGH |
| A vulnerability in the rate limiter for Bidirectional Forwarding Detection (BFD) traffic of Cisco NX-OS Software for Cisco Nexus 9000 Series Switches could allow an unauthenticated, remote attacker to cause BFD traffic to be dropped on an affected device. This vulnerability is due to a logic error in the BFD rate limiter functionality. An attacker could exploit this vulnerability by sending a crafted stream of traffic through the device. A successful exploit could allow the attacker to cause BFD traffic to be dropped, resulting in BFD session flaps. BFD session flaps can cause route instability and dropped traffic, resulting in a denial of service (DoS) condition. This vulnerability applies to both IPv4 and IPv6 traffic. | |||||
| CVE-2021-44967 | 1 Limesurvey | 1 Limesurvey | 2022-03-02 | 9.0 HIGH | 8.8 HIGH |
| A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. | |||||
| CVE-2021-43826 | 1 Envoyproxy | 1 Envoy | 2022-03-02 | 4.3 MEDIUM | 7.5 HIGH |
| Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions of Envoy a crash occurs when configured for :ref:`upstream tunneling <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.tunneling_config>` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. There are no workarounds for this issue. Users are advised to upgrade. | |||||
| CVE-2022-21656 | 1 Envoyproxy | 1 Envoy | 2022-03-02 | 5.8 MEDIUM | 5.9 MEDIUM |
| Envoy is an open source edge and service proxy, designed for cloud-native applications. The default_validator.cc implementation used to implement the default certificate validation routines has a "type confusion" bug when processing subjectAltNames. This processing allows, for example, an rfc822Name or uniformResourceIndicator to be authenticated as a domain name. This confusion allows for the bypassing of nameConstraints, as processed by the underlying OpenSSL/BoringSSL implementation, exposing the possibility of impersonation of arbitrary servers. As a result Envoy will trust upstream certificates that should not be trusted. | |||||
| CVE-2022-23606 | 1 Envoyproxy | 1 Envoy | 2022-03-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade. | |||||
| CVE-2022-21655 | 1 Envoyproxy | 1 Envoy | 2022-03-02 | 4.3 MEDIUM | 7.5 HIGH |
| Envoy is an open source edge and service proxy, designed for cloud-native applications. The envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround turn off internal redirects if direct response entries are configured on the same listener. | |||||
| CVE-2022-23612 | 1 Openmrs | 1 Openmrs | 2022-03-02 | 5.0 MEDIUM | 7.5 HIGH |
| OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration due to failure to sanitize request when satisfying GET requests for `/images` & `/initfilter/scripts`. This can allow an attacker to access any file on a system running OpenMRS that is accessible to the user id OpenMRS is running under. Affected implementations should update to the latest patch version of OpenMRS Core for the minor version they use. These are: 2.1.5, 2.2.1, 2.3.5, 2.4.5 and 2.5.3. As a general rule, this vulnerability is already mitigated by Tomcat's URL normalization in Tomcat 7.0.28+. Users on older versions of Tomcat should consider upgrading their Tomcat instance as well as their OpenMRS instance. | |||||
| CVE-2022-0654 | 1 Node-request-retry Project | 1 Node-request-retry | 2022-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository fgribreau/node-request-retry prior to 7.0.0. | |||||
| CVE-2022-0717 | 1 Mruby | 1 Mruby | 2022-03-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Out-of-bounds Read in GitHub repository mruby/mruby prior to 3.2. | |||||
| CVE-2022-0736 | 1 Lfprojects | 1 Mlflow | 2022-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1. | |||||
| CVE-2022-0719 | 1 Microweber | 1 Microweber | 2022-03-01 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3. | |||||
| CVE-2022-0721 | 1 Microweber | 1 Microweber | 2022-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3. | |||||
| CVE-2022-0724 | 1 Microweber | 1 Microweber | 2022-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3. | |||||
| CVE-2022-0727 | 1 Framasoft | 1 Peertube | 2022-03-01 | 5.5 MEDIUM | 5.4 MEDIUM |
| Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. | |||||
| CVE-2022-22333 | 1 Ibm | 2 Sterling External Authentication Server, Sterling Secure Proxy | 2022-03-01 | 3.3 LOW | 6.5 MEDIUM |
| IBM Sterling Secure Proxy 6.0.3.0, 6.0.2.0, and 3.4.3.2 and IBM Sterling External Authentication Server are vulnerable a buffer overflow, due to the Jetty based GUI in the Secure Zone not properly validating the sizes of the form content and/or HTTP headers submitted. A local attacker positioned inside the Secure Zone could submit a specially crafted HTTP request to disrupt service. IBM X-Force ID: 219133. | |||||
| CVE-2022-22336 | 1 Ibm | 2 Sterling External Authentication Server, Sterling Secure Proxy | 2022-03-01 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Sterling External Authentication Server and IBM Sterling Secure Proxy 6.0.3.0, 6.0.2.0, and 3.4.3.2 could allow a remote user to consume resources causing a denial of service due to a resource leak. IBM X-Force ID: 219395. | |||||
| CVE-2021-27755 | 1 Hcltech | 1 Hcl Sametime | 2022-03-01 | 2.1 LOW | 5.5 MEDIUM |
| "Sametime Android potential path traversal vulnerability when using File class" | |||||