Total: 210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-30301 | 1 Qualcomm | 100 Ar8035, Ar8035 Firmware, Qca6390 and 97 more | 2022-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| Possible denial of service due to out of memory while processing RRC and NAS OTA message in Snapdragon Auto, Snapdragon Industrial IOT, Snapdragon Mobile | |||||
| CVE-2021-30307 | 1 Qualcomm | 172 Ar8035, Ar8035 Firmware, Csrb31024 and 169 more | 2022-01-14 | 5.0 MEDIUM | 7.5 HIGH |
| Possible denial of service due to improper validation of DNS response when DNS client requests with PTR, NAPTR or SRV query type in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT | |||||
| CVE-2022-22268 | 1 Google | 1 Android | 2022-01-14 | 3.6 LOW | 6.1 MEDIUM |
| Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporarily unlock the Knox Guard via Samsung DeX mode. | |||||
| CVE-2021-36417 | 1 Gpac | 1 Gpac | 2022-01-14 | 6.8 MEDIUM | 7.8 HIGH |
| A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in the gf_isom_dovi_config_get function in MP4Box, which causes a denial of service or executes arbitrary code via a crafted file. | |||||
| CVE-2021-38674 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2022-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later; QTS 4.5.4.1787 build 20210910 and later; QuTScloud c4.5.7.1864 and later. | |||||
| CVE-2021-25043 | 1 Pluginus | 1 Woocommerce Currency Switcher | 2022-01-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24042 | 1 Whatsapp | 1 Whatsapp | 2022-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor. | |||||
| CVE-2022-22116 | 1 Rangerstudio | 1 Directus | 2022-01-14 | 3.5 LOW | 5.4 MEDIUM |
| In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in the media upload functionality. A low-privileged attacker can inject arbitrary JavaScript code which will be executed in a victim's browser when they open the image URL. | |||||
| CVE-2022-22117 | 1 Rangerstudio | 1 Directus | 2022-01-14 | 3.5 LOW | 5.4 MEDIUM |
| In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to a Cross-Site Scripting vulnerability. A low-privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered. | |||||
| CVE-2021-45912 | 1 Controlup | 1 Real-time Agent | 2022-01-14 | 4.6 MEDIUM | 7.8 HIGH |
| An unauthenticated Named Pipe channel in Controlup Real-Time Agent (cuAgent.exe) before 8.5 potentially allows an attacker to run OS commands via the ProcessActionRequest WCF method. | |||||
| CVE-2021-25052 | 1 Wow-company | 1 Button Generator | 2022-01-14 | 5.1 MEDIUM | 8.8 HIGH |
| The Button Generator WordPress plugin before 2.3.3, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE. | |||||
| CVE-2021-25053 | 1 Wow-company | 1 Wp Coder | 2022-01-14 | 5.1 MEDIUM | 8.8 HIGH |
| The WP Coder WordPress plugin before 2.5.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE. | |||||
| CVE-2021-25051 | 1 Wow-company | 1 Modal Window | 2022-01-14 | 5.1 MEDIUM | 8.8 HIGH |
| The Modal Window WordPress plugin before 5.2.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE. | |||||
| CVE-2021-25054 | 1 Wow-company | 1 Wpcalc | 2022-01-14 | 6.5 MEDIUM | 8.8 HIGH |
| The WPcalc WordPress plugin through 2.1 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability. | |||||
| CVE-2022-20658 | 1 Cisco | 2 Unified Contact Center Express, Unified Contact Center Management Portal | 2022-01-14 | 8.5 HIGH | 9.6 CRITICAL |
| A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This vulnerability is due to the lack of server-side validation of user permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to a vulnerable system. A successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated with the vulnerable Cisco Unified CCMP. To successfully exploit this vulnerability, an attacker would need valid Advanced User credentials. | |||||
| CVE-2020-28103 | 1 Chshcms | 1 Cscms | 2022-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| cscms v4.1 allows for SQL injection via the "page_del" function. | |||||
| CVE-2020-28102 | 1 Chshcms | 1 Cscms | 2022-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| cscms v4.1 allows for SQL injection via the "js_del" function. | |||||
| CVE-2021-25981 | 1 Talkyard | 1 Talkyard | 2022-01-14 | 10.0 HIGH | 9.8 CRITICAL |
| In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin's still-valid session token even after logout to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks). | |||||
| CVE-2021-36736 | | | 2022-01-14 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none. | |||||
| CVE-2021-36735 | | | 2022-01-14 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none. | |||||
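The two Directus entries above (CVE-2022-22116 and CVE-2022-22117) are the same class of bug: an upload slot meant for images accepts active content (SVG with script, or a raw .html file) and later serves it inline from the application's origin, so whoever opens the URL runs the attacker's JavaScript. The following is an added example, not Directus code or any vendor's fix, showing the server-side decision an upload handler should make: classify the bytes rather than trusting the filename, reject HTML outright, reject SVG that carries script or event handlers, and serve even clean SVG as a download with a sandboxing CSP. All names (`sniff`, `plan_avatar_response`, `ServePlan`) and the sample uploads are constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Magic numbers for the raster formats we are willing to render inline.
_RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Anything inside an SVG that can execute script or pull in foreign content.
_SVG_ACTIVE = re.compile(
    rb"<\s*(script|foreignObject|iframe|embed|object)\b"  # active elements
    rb"|\bon[a-z]+\s*="                                    # onload=, onclick=, ...
    rb"|\bhref\s*=\s*[\"']\s*javascript:",                 # javascript: links
    re.IGNORECASE,
)


@dataclass
class ServePlan:
    accept: bool                    # may this file be stored in the avatar slot at all?
    content_type: str               # type derived from the bytes, not from the client
    headers: dict = field(default_factory=dict)  # response headers to use when serving
    reason: str = ""


def sniff(data: bytes) -> str:
    """Classify an upload by content. The client's filename and Content-Type are ignored."""
    for magic, mime in _RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    head = data.lstrip()[:512].lower()
    if b"<svg" in head or (head.startswith(b"<?xml") and b"<svg" in data[:4096].lower()):
        return "image/svg+xml"
    if b"<html" in head or b"<!doctype html" in head or b"<script" in head:
        return "text/html"
    return "application/octet-stream"


def plan_avatar_response(filename: str, data: bytes) -> ServePlan:
    """Decide whether an uploaded avatar may be stored and how it must be served."""
    mime = sniff(data)
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:64] or "avatar"
    base = {"X-Content-Type-Options": "nosniff"}  # stop browsers second-guessing the type

    if mime in _RASTER_MAGIC.values():
        return ServePlan(True, mime, base | {"Content-Disposition": "inline"}, "raster image")

    if mime == "image/svg+xml":
        if _SVG_ACTIVE.search(data):
            return ServePlan(False, mime, {}, "svg contains script or event handler")
        # A "clean" SVG is still never rendered as a document from our origin:
        # force a download and sandbox it in case it is ever opened top-level anyway.
        return ServePlan(True, mime, base | {
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "Content-Security-Policy": "sandbox; script-src 'none'",
        }, "svg served as attachment")

    # text/html and anything unrecognised has no business in an image slot.
    return ServePlan(False, mime, {}, f"{mime} not allowed as avatar")


# Constructed sample uploads (not taken from any real incident).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'
SVG_ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
SVG_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
HTML_FILE = b"<!doctype html><html><body><script>alert(1)</script></body></html>"

if __name__ == "__main__":
    for name, blob in [("a.png", PNG), ("x.svg", SVG_SCRIPT), ("y.svg", SVG_ONLOAD),
                       ("logo.svg", SVG_CLEAN), ("avatar.png", HTML_FILE)]:
        p = plan_avatar_response(name, blob)
        print(f"{name:12} accept={p.accept!s:5} type={p.content_type:20} {p.reason}")
```

The regex filter is a belt-and-braces measure, not the primary control; the property that actually closes the hole is that nothing uploaded by a low-privileged user is ever served inline as a document from the application's own origin (Content-Disposition: attachment plus a sandboxing CSP, or a separate cookieless origin for user content). Note that "HTML_FILE" is rejected regardless of the .png name the uploader gave it.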
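The Talkyard entry (CVE-2021-25981) describes Insufficient Session Expiration: logging out does not invalidate the session token on the server, so a copy obtained some other way keeps working. The contrast below is an added example, not Talkyard's code and not its actual fix, showing the two designs side by side: a server-side session registry where logout deletes the record (so the old token stops resolving), and a self-contained HMAC-signed token where "logout" has nothing to revoke and the token stays valid until its expiry. The class names, the injectable `clock` parameter and the `logout_all` helper are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side sessions: a token resolves only while its record exists and is unexpired.
    Logout deletes the record, so a leaked token is dead afterwards."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock                  # injectable so expiry can be tested deterministically
        self._sessions: dict[str, dict] = {}  # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is stored, so a read of the session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = {"user": user, "expires": self._clock() + self._ttl}
        return token

    def resolve(self, token: str):
        """Return the user for a live token, or None if unknown, revoked or expired."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if rec["expires"] <= self._clock():
            del self._sessions[key]          # lazy expiry cleanup
            return None
        return rec["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(self._digest(token), None)   # this line is the fix the CVE describes

    def logout_all(self, user: str) -> int:
        """Revoke every session of a user (password change, admin-forced logout)."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


class StatelessSessions:
    """Self-contained signed tokens: nothing is kept server-side, so nothing can be revoked.
    Logout on the server is a no-op and a stolen token stays valid until it expires."""

    def __init__(self, key: bytes, ttl_seconds: int = 3600, clock=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        payload = f"{user}|{int(self._clock() + self._ttl)}"   # demo only: user must not contain '|'
        return f"{payload}|{self._sign(payload)}"

    def resolve(self, token: str):
        try:
            user, exp, sig = token.rsplit("|", 2)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(f"{user}|{exp}")):
            return None
        if int(exp) <= self._clock():
            return None
        return user

    def logout(self, token: str) -> None:
        pass   # nothing to revoke: the token is its own proof of validity


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    t = store.login("admin")
    store.logout(t)
    print("stateful token after logout ->", store.resolve(t))      # None

    stateless = StatelessSessions(secrets.token_bytes(32), ttl_seconds=60)
    t = stateless.login("admin")
    stateless.logout(t)
    print("stateless token after logout ->", stateless.resolve(t))  # still 'admin'
```

If a deployment insists on stateless tokens, revocation has to be bolted back on: a per-user session generation number checked on every request, or a denylist of revoked token identifiers kept until their expiry, both of which reintroduce exactly the server-side lookup the stateful design had from the start.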
