Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38172 | 1 Debian | 1 Perm | 2022-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially fixed this in 0.4.0-7.) | |||||
| CVE-2022-0501 | 1 Beanstalk Console Project | 1 Beanstalk Console | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstalk_console prior to 1.7.12. | |||||
| CVE-2022-24113 | 2 Acronis, Microsoft | 5 Agent, Cyber Protect, Cyber Protect Home Office and 2 more | 2022-02-10 | 4.6 MEDIUM | 7.8 HIGH |
| Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287 | |||||
| CVE-2022-23611 | 1 Itunesrpc-remastered Project | 1 Itunesrpc-remastered | 2022-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. In affected versions iTunesRPC-Remastered did not properly sanitize image file paths leading to OS level command injection. This issue has been patched in commit cdcd48b. Users are advised to upgrade. | |||||
| CVE-2022-23609 | 1 Itunesrpc-remastered Project | 1 Itunesrpc-remastered | 2022-02-10 | 6.4 MEDIUM | 9.1 CRITICAL |
| iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. In affected versions iTunesRPC-Remastered did not properly sanitize user input used to remove files leading to file deletion only limited by the process permissions. Users are advised to upgrade as soon as possible. | |||||
| CVE-2022-23605 | 1 Wire | 1 Wire-webapp | 2022-02-10 | 2.1 LOW | 2.3 LOW |
| Wire webapp is a web client for the wire messaging protocol. In versions prior to 2022-01-27-production.0 expired ephemeral messages were not reliably removed from local chat history of Wire Webapp. In versions before 2022-01-27-production.0 ephemeral messages and assets might still be accessible through the local search functionality. Any attempt to view one of these message in the chat view will then trigger the deletion. This issue only affects locally stored messages. On premise instances of wire-webapp need to be updated to 2022-01-27-production.0, so that their users are no longer affected. There are no known workarounds for this issue. | |||||
| CVE-2022-23600 | 1 Fleetdm | 1 Fleet | 2022-02-10 | 3.5 LOW | 6.5 MEDIUM |
| fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service Provider (SP) could reuse the SAML response to log into Fleet as a user -- only if the user has an account with the same email in Fleet, _and_ the user signs into the malicious SP via SAML SSO from the same Identity Provider (IdP) configured with Fleet. 2. A user with an account in Fleet could reuse a SAML response intended for another SP to log into Fleet. This is only a concern if the user is blocked from Fleet in the IdP, but continues to have an account in Fleet. If the user is blocked from the IdP entirely, this cannot be exploited. Fleet 4.9.1 resolves this issue. Users unable to upgrade should: Reduce the length of sessions on your IdP to reduce the window for malicious re-use, Limit the amount of SAML Service Providers/Applications used by user accounts with access to Fleet, and When removing access to Fleet in the IdP, delete the Fleet user from Fleet as well. | |||||
| CVE-2021-25096 | 1 Ip2location | 1 Country Blocker | 2022-02-10 | 6.4 MEDIUM | 6.5 MEDIUM |
| The IP2Location Country Blocker WordPress plugin before 2.26.5 bans can be bypassed by using a specific parameter in the URL | |||||
| CVE-2021-25103 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2022-02-10 | 2.6 LOW | 4.7 MEDIUM |
| The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY | |||||
| CVE-2021-25106 | 1 Wpeka | 1 Wplegalpages | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting | |||||
| CVE-2021-24880 | 1 Supportcandy | 1 Supportcandy | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-46389 | 1 High Resolution Streaming Image Server Project | 1 High Resolution Streaming Image Server | 2022-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| IIPImage High Resolution Streaming Image Server prior to commit 882925b295a80ec992063deffc2a3b0d803c3195 is affected by an integer overflow in iipsrv.fcgi through malformed HTTP query parameters. | |||||
| CVE-2021-25105 | 1 Ivorysearch | 1 Ivory Search | 2022-02-10 | 3.5 LOW | 4.8 MEDIUM |
| The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-0148 | 1 Premio | 1 Mystickyelements | 2022-02-10 | 3.5 LOW | 5.4 MEDIUM |
| The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin page. | |||||
| CVE-2021-25114 | 1 Strangerstudios | 1 Paid Memberships Pro | 2022-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection | |||||
| CVE-2021-24843 | 1 Supportcandy | 1 Supportcandy | 2022-02-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. | |||||
| CVE-2021-46359 | 1 Fisco-bcos | 1 Fisco-bcos | 2022-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| FISCO-BCOS release-3.0.0-rc2 contains a denial of service vulnerability. Some transactions may not be committed successfully, and malicious users may use this to achieve double-spending attacks. | |||||
| CVE-2022-0149 | 1 Visser | 1 Store Exporter For Woocommerce | 2022-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page. | |||||
| CVE-2022-22679 | 1 Synology | 1 Diskstation Manager | 2022-02-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors. | |||||
| CVE-2021-43929 | 1 Synology | 1 Diskstation Manager | 2022-02-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||