Total
981 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-43350 | 1 Apache | 1 Traffic Control | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter. | |||||
| CVE-2022-33011 | 1 Withknown | 1 Known | 2022-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| Known v1.3.1+2020120201 was discovered to allow attackers to perform an account takeover via a host header injection attack. | |||||
| CVE-2021-36668 | 1 Druva | 1 Insync Client | 2022-07-20 | 4.6 MEDIUM | 7.8 HIGH |
| URL injection in Driva inSync 6.9.0 for MacOS, allows attackers to force a visit to an arbitrary url via the port parameter to the Electron App. | |||||
| CVE-2020-35669 | 1 Dart | 1 Http | 2022-07-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request. | |||||
| CVE-2021-39028 | 3 Ibm, Linux, Microsoft | 3 Engineering Lifecycle Optimization Publishing, Linux Kernel, Windows | 2022-07-18 | N/A | 5.4 MEDIUM |
| IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 213866. | |||||
| CVE-2022-31593 | 1 Sap | 1 Business One | 2022-07-16 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2022-34914 | 1 Webswing | 1 Webswing | 2022-07-16 | 6.8 MEDIUM | 9.8 CRITICAL |
| Webswing before 22.1.3 allows X-Forwarded-For header injection. The client IP address is associated with a variable in the configuration page. The {clientIp} variable can be used as an application startup argument. The X-Forwarded-For header can be manipulated by a client to store an arbitrary value that is used to replace the clientIp variable (without sanitization). A client can thus inject multiple arguments into the session startup. Systems that do not use the clientIP variable in the configuration are not vulnerable. The vulnerability is fixed in these versions: 20.1.16, 20.2.19, 21.1.8, 21.2.12, and 22.1.3. | |||||
| CVE-2020-5323 | 1 Dell | 2 Emc Openmanage Enterprise, Emc Openmanage Enterprise-modular | 2022-07-15 | 5.5 MEDIUM | 8.1 HIGH |
| Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain an injection vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability to gain access to sensitive information or cause denial-of-service. | |||||
| CVE-2022-31126 | 1 Roxy-wi | 1 Roxy-wi | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to code execution by sending a specially crafted HTTP request to /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2021-41282 | 1 Pfsense | 1 Pfsense | 2022-07-12 | 9.0 HIGH | 8.8 HIGH |
| diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. | |||||
| CVE-2021-45655 | 1 Netgear | 2 R6400, R6400 Firmware | 2022-07-12 | 5.2 MEDIUM | 6.8 MEDIUM |
| NETGEAR R6400 devices before 1.0.1.70 are affected by server-side injection. | |||||
| CVE-2021-45659 | 1 Netgear | 20 Rbk20, Rbk20 Firmware, Rbk40 and 17 more | 2022-07-12 | 4.6 MEDIUM | 7.8 HIGH |
| Certain NETGEAR devices are affected by server-side injection. This affects RBK40 before 2.5.1.16, RBR40 before 2.5.1.16, RBS40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 2.5.1.16, and RBS50Y before 2.6.1.40. | |||||
| CVE-2021-21141 | 2 Google, Microsoft | 2 Chrome, Edge | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass file extension policy via a crafted HTML page. | |||||
| CVE-2021-44550 | 1 Stanford | 1 Corenlp | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159). | |||||
| CVE-2021-0553 | 1 Google | 1 Android | 2022-07-12 | 4.4 MEDIUM | 7.3 HIGH |
| In onBindViewHolder of AppSwitchPreference.java, there is a possible bypass of device admin setttings due to unclear UI. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-169936038 | |||||
| CVE-2021-3154 | 1 Solarwinds | 1 Serv-u | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection. NOTE: this had a distinct fix relative to CVE-2020-35481. | |||||
| CVE-2021-0594 | 1 Google | 1 Android | 2022-07-12 | 7.9 HIGH | 8.0 HIGH |
| In onCreate of ConfirmConnectActivity, there is a possible remote bypass of user consent due to improper input validation. This could lead to remote (proximal, NFC) escalation of privilege allowing an attacker to deceive a user into allowing a Bluetooth connection with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-176445224 | |||||
| CVE-2021-42561 | 1 Mitre | 1 Caldera | 2022-07-12 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute arbitrary shell commands. | |||||
| CVE-2021-0551 | 1 Google | 1 Android | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| In bind of MediaControlPanel.java, there is a possible way to lock up the system UI using a malicious media file due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-180518039 | |||||
| CVE-2021-33668 | 1 Sap | 1 Infrabox | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Due to improper input sanitization, specially crafted LDAP queries can be injected by an unauthenticated user. This could partially impact the confidentiality of the application. | |||||