The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2021-45007 | Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users | MEDIUM | Feb 20, 2022 | n/a |
| CVE-2021-44960 | In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the renderDocument function handled the XMLDocument object improperly, returning a null pointer in advance at the second if, resulting in a null pointer reference behind the renderDocument function. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-44731 | A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap\'s private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 | MEDIUM | Feb 20, 2022 | n/a |
| CVE-2021-44730 | snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 | MEDIUM | Feb 20, 2022 | n/a |
| CVE-2021-44302 | BaiCloud-cms v2.5.7 was discovered to contain multiple SQL injection vulnerabilities via the tongji and baidu_map parameters in /user/ztconfig.php. | MEDIUM | Feb 19, 2022 | n/a |
| CVE-2021-43953 | Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-43952 | Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-43950 | Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view import source configuration information via a Broken Access Control vulnerability in the Insight Import Source feature. The affected versions are before version 4.21.0. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-43948 | Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the Move objects feature. The affected versions are before version 4.21.0. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-43941 | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-43940 | Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence Server and Data Center on Windows. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-43734 | kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file leak on related host. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-43302 | Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled \'filename\' argument may cause an out-of-bounds read when the filename is shorter than 4 characters. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-43106 | A Header Injection vulnerability exists in Compass Plus TranzWare Online FIMI Web Interface Tranzware Online (TWO) 5.3.33.3 F38 and FIMI 4.2.19.4 25.The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would just cause the request to be sent to a completely different Domain/IP address. This is due to that the server implicitly trusts the Host header, and fails to validate or escape it properly. An attacker can use this input to redirect target users to a malicious domain/web page. This would result in expanding the potential to further attacks and malicious actions. | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-41599 | A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.0.21, 3.1.13, 3.2.5. This vulnerability was reported via the GitHub Bug Bounty program. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-41552 | CommScope SURFboard SBG6950AC2 9.1.103AA23 devices allow Command Injection. | MEDIUM | Feb 17, 2022 | n/a |
| CVE-2021-40841 | A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 allows authenticated attackers to read files on the underlying server. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-39080 | Due to weak obfuscation, IBM Cognos Analytics Mobile for Android application prior to version 1.1.14 , an attacker could be able to reverse engineer the codebase to gain knowledge about the programming technique, interface, class definitions, algorithms and functions used. IBM X-Force ID: 215593. | MEDIUM | Feb 14, 2022 | n/a |
| CVE-2021-39034 | IBM MQ 9.1 LTS is vulnerable to a denial of service attack caused by an issue within the channel process. IBM X-Force ID: 213964. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-39026 | IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 213964. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-38935 | IBM Maximo Asset Management 7.6.1.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 210892. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-35380 | A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download (http://url:port/file?valore). | MEDIUM | Feb 15, 2022 | n/a |
| CVE-2021-30650 | A reflected cross-site scripting (XSS) vulnerability in the Symantec Layer7 API Management OAuth Toolkit (OTK) allows a remote attacker to craft a malicious URL for the OTK web UI and target OTK users with phishing attacks or other social engineering techniques. A successful attack allows injecting malicious code into the OTK web UI client application. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-26619 | An path traversal vulnerability leading to delete arbitrary files was discovered in BigFileAgent. Remote attackers can use this vulnerability to delete arbitrary files of unspecified number of users. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-25110 | The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user\'s email address. | MEDIUM | Feb 14, 2022 | n/a |
| CVE-2021-25109 | The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link. | MEDIUM | Feb 14, 2022 | n/a |
| CVE-2021-25107 | The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin | MEDIUM | Feb 14, 2022 | n/a |
| CVE-2021-25033 | The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue | MEDIUM | Feb 14, 2022 | n/a |
| CVE-2021-24874 | The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | MEDIUM | Feb 14, 2022 | n/a |
| CVE-2021-24446 | The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation | MEDIUM | Feb 19, 2022 | n/a |
| CVE-2021-22050 | ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-22043 | VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. A malicious actor with access to settingsd, may exploit this issue to escalate their privileges by writing arbitrary files. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-22042 | VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. A malicious actor with privileges within the VMX process only, may be able to access settingsd service running as a high privileged user. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-22041 | VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine\'s VMX process running on the host. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-22040 | VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine\'s VMX process running on the host. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-21966 | An information disclosure vulnerability exists in the HTTP Server /ping.html functionality of Texas Instruments CC3200 SimpleLink Solution NWP 2.9.0.0. A specially-crafted HTTP request can lead to an uninitialized read. An attacker can send an HTTP request to trigger this vulnerability. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-21958 | A heap-based buffer overflow vulnerability exists in the Hword HwordApp.dll functionality of Hancom Office 2020 11.0.0.2353. A specially-crafted malformed file can lead to memory corruption and potential arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-21708 | In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-4219 | A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the system. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-4134 | The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-4120 | snapd 2.54.2 fails to perform sufficient validation of snap content interface and layout paths, resulting in the ability for snaps to inject arbitrary AppArmor policy rules via malformed content interface and layout declarations and hence escape strict snap confinement. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 | MEDIUM | Feb 20, 2022 | n/a |
| CVE-2021-4091 | A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-3948 | An incorrect default permissions vulnerability was found in the mig-controller. Due to an incorrect cluster namespaces handling an attacker may be able to migrate a malicious workload to the target cluster, impacting confidentiality, integrity, and availability of the services located on that cluster. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2021-3596 | A NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not checking the return value from libxml2\'s xmlCreatePushParserCtxt() and uses the value directly, which leads to a crash and segmentation fault. | MEDIUM | Feb 17, 2022 | n/a |
| CVE-2021-3557 | A flaw was found in argocd. Any unprivileged user is able to deploy argocd in their namespace and with the created ServiceAccount argocd-argocd-server, the unprivileged user is able to read all resources of the cluster including all secrets which might enable privilege escalations. The highest threat from this vulnerability is to data confidentiality. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2021-3551 | A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2020-8242 | Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2020-8107 | A Process Control vulnerability in ProductAgentUI.exe as used in Bitdefender Antivirus Plus allows an attacker to tamper with product settings via a specially crafted DLL file. This issue affects: Bitdefender Antivirus Plus versions prior to 24.0.26.136. Bitdefender Internet Security versions prior to 24.0.26.136. Bitdefender Total Security versions prior to 24.0.26.136. | MEDIUM | Feb 18, 2022 | n/a |
| CVE-2020-6922 | Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software. | MEDIUM | Feb 16, 2022 | n/a |
| CVE-2020-6921 | Potential security vulnerabilities including compromise of integrity, and allowed communication with untrusted clients has been identified in HP Support Assistant software. | MEDIUM | Feb 16, 2022 | n/a |
