CVE List - 2022 / January
Showing 901 - 1000 of 1988 CVEs for January 2022 (Page 10 of 20)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2021-39679 | 2022-01-14 | In init of vendor_graphicbuffer_meta.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed.... |
| CVE-2021-39680 | 2022-01-14 | In sec_SHA256_Transform of sha256_core.c, there is a possible way to read heap data due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User... |
| CVE-2021-39681 | 2022-01-14 | In delete_protocol of main.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges... |
| CVE-2021-39682 | 2022-01-14 | In mgm_alloc_page of memory_group_manager.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution... |
| CVE-2021-45773 | 2022-01-14 | A NULL pointer dereference in CS104_IPAddress_setFromString at src/iec60870/cs104/cs104_slave.c of lib60870 commit 0d5e76e can lead to a segmentation fault or application crash. |
| CVE-2021-39683 | 2022-01-14 | In copy_from_mbox of sss_ice_util.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges... |
| CVE-2021-39684 | 2022-01-14 | In target_init of gs101/abl/target/slider/target.c, there is a possible allocation of RWX memory due to a logic error in the code. This could lead to local escalation of privilege with no... |
| CVE-2021-1035 | 2022-01-14 | In setLaunchIntent of BluetoothDevicePickerPreferenceController.java, there is a possible way to invoke an arbitrary broadcast receiver due to a confused deputy. This could lead to local escalation of privilege with no... |
| CVE-2021-1036 | 2022-01-14 | In LocationSettingsActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction... |
| CVE-2021-1037 | 2022-01-14 | The broadcast that DevicePickerFragment sends when a new device is paired doesn't have any permission checks, so any app can register to listen for it. This lets apps keep track... |
| CVE-2022-22530 | 2022-01-14 | The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with... |
| CVE-2021-44234 | 2022-01-14 | SAP Business One - version 10.0, extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. |
| CVE-2022-22531 | 2022-01-14 | The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with... |
| CVE-2022-22529 | 2022-01-14 | SAP Enterprise Threat Detection (ETD) - version 2.0, does not sufficiently encode user-controlled inputs which may lead to an unauthorized attacker possibly exploit XSS vulnerability. The UIs in ETD are... |
| CVE-2021-42067 | 2022-01-14 | In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a... |
| CVE-2021-38126 | 2022-01-14 | Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS). |
| CVE-2021-38127 | 2022-01-14 | Potential vulnerabilities have been identified in Micro Focus ArcSight Enterprise Security Manager, affecting versions 7.4.x and 7.5.x. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (XSS). |
| CVE-2022-0130 | 2022-01-14 | Tenable.sc versions 5.14.0 through 5.19.1 were found to contain a remote code execution vulnerability which could allow a remote, unauthenticated attacker to execute code under special circumstances. An attacker would... |
| CVE-2021-28500 | 2022-01-14 | An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration. |
| CVE-2022-22290 | 2022-01-14 | Incorrect download source UI in Downloads in Samsung Internet prior to 16.0.6.23 allows attackers to perform domain spoofing via a crafted HTML page. |
| CVE-2021-36920 | 2022-01-14 | WordPress plugin Download Monitor <= 4.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability |
| CVE-2021-3965 | 2022-01-14 | Certain HP DesignJet products may be vulnerable to unauthenticated HTTP requests which allow viewing and downloading of print job previews. |
| CVE-2021-44530 | 2022-01-14 | An injection vulnerability exists in a third-party library used in UniFi Network Version 6.5.53 and earlier (Log4J CVE-2021-44228) allows a malicious actor to control the application. |
| CVE-2021-46195 | 2022-01-14 | GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory... |
| CVE-2021-45406 | 2022-01-14 | In SalonERP 3.0.1, a SQL injection vulnerability allows an attacker to inject payload using 'sql' parameter in SQL query while generating a report. Upon successfully discovering the login admin password... |
| CVE-2021-44828 | 2022-01-14 | Arm Mali GPU Kernel Driver (Midgard r26p0 through r30p0, Bifrost r0p0 through r34p0, and Valhall r19p0 through r34p0) allows a non-privileged user to achieve write access to read-only memory, and... |
| CVE-2021-46020 | 2022-01-14 | An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can lead to a segmentation fault or application crash. |
| CVE-2021-46021 | 2022-01-14 | An Use-After-Free vulnerability in rec_record_destroy() at rec-record.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash. |
| CVE-2021-46168 | 2022-01-14 | Spin v6.5.1 was discovered to contain an out-of-bounds write in lex() at spinlex.c. |
| CVE-2021-46169 | 2022-01-14 | Modex v2.11 was discovered to contain an Use-After-Free vulnerability via the component tcache. |
| CVE-2021-23567 | 2022-01-14 | Denial of Service (DoS) |
| CVE-2021-46170 | 2022-01-14 | An issue was discovered in JerryScript commit a6ab5e9. There is an Use-After-Free in lexer_compare_identifier_to_string in js-lexer.c file. |
| CVE-2021-46171 | 2022-01-14 | Modex v2.11 was discovered to contain a NULL pointer dereference in set_create_id() at xtract.c. |
| CVE-2021-23566 | 2022-01-14 | Information Exposure |
| CVE-2021-24044 | 2022-01-15 | By passing invalid javascript code where await and yield were called upon non-async and non-generator getter/setter functions, Hermes would invoke generator functions and error out on invalid await/yield positions. This... |
| CVE-2022-23094 | 2022-01-15 | Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a... |
| CVE-2021-33963 | 2022-01-15 | China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the... |
| CVE-2021-44049 | 2022-01-15 | CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 2021-12-20 allows a local user to gain elevated privileges via a Trojan horse Procmon64.exe in the user's Temp directory. |
| CVE-2022-23095 | 2022-01-15 | Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of JPG files. Unchecked input data from a crafted JPG file leads to memory corruption. An attacker can leverage this... |
| CVE-2022-23178 | 2022-01-15 | An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate... |
| CVE-2021-32545 | 2022-01-15 | Pexip Infinity before 26 allows remote denial of service because of missing RTMP input validation. |
| CVE-2021-33498 | 2022-01-15 | Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 1 of 2). |
| CVE-2021-33499 | 2022-01-15 | Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 2 of 2). |
| CVE-2021-35969 | 2022-01-15 | Pexip Infinity before 26 allows temporary remote Denial of Service (abort) because of missing call-setup input validation. |
| CVE-2021-42555 | 2022-01-15 | Pexip Infinity before 26.2 allows temporary remote Denial of Service (abort) because of missing call-setup input validation. |
| CVE-2020-28919 | 2022-01-15 | A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title. |
| CVE-2021-44537 | 2022-01-15 | ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution. |
| CVE-2021-33828 | 2022-01-15 | The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have been uploaded to a public share) are supposed to be deleted upon detection. |
| CVE-2021-33827 | 2022-01-15 | The files_antivirus component before 1.0.0 for ownCloud allows OS Command Injection via the administration settings. |
| CVE-2022-0235 | 2022-01-16 | Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch |
| CVE-2022-0238 | 2022-01-16 | Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite |
| CVE-2021-4170 | 2022-01-16 | Cross-site Scripting (XSS) - Stored in janeczku/calibre-web |
| CVE-2021-25025 | 2022-01-17 | Event Calendar < 1.1.51 - Subscriber+ Event Creation |
| CVE-2022-23303 | 2022-01-17 | The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because... |
| CVE-2022-23304 | 2022-01-17 | The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of... |
| CVE-2022-0239 | 2022-01-17 | Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp |
| CVE-2022-0131 | 2022-01-17 | Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained... |
| CVE-2022-0180 | 2022-01-17 | Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to hijack the authentication of administrators and conduct arbitrary operations via a... |
| CVE-2022-0181 | 2022-01-17 | Reflected cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to inject an arbitrary script via unspecified vectors. |
| CVE-2022-0182 | 2022-01-17 | Stored cross-site scripting vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote authenticated attacker to inject an arbitrary script via an website that uses Quiz And... |
| CVE-2022-0183 | 2022-01-17 | Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 firmware all versions and 'MIRUPASS' PW20 firmware all versions allows an attacker who can physically access the device to obtain the... |
| CVE-2022-0184 | 2022-01-17 | Insufficiently protected credentials vulnerability in 'TEPRA' PRO SR5900P Ver.1.080 and earlier and 'TEPRA' PRO SR-R7900P Ver.1.030 and earlier allows an attacker on the adjacent network to obtain credentials for connecting... |
| CVE-2021-4171 | 2022-01-17 | Business Logic Errors in janeczku/calibre-web |
| CVE-2021-3853 | 2022-01-17 | Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq |
| CVE-2021-3857 | 2022-01-17 | Cross-site Scripting (XSS) - Stored in chaskiq/chaskiq |
| CVE-2021-4164 | 2022-01-17 | Cross-Site Request Forgery (CSRF) in janeczku/calibre-web |
| CVE-2021-24838 | 2022-01-17 | AnyComment < 0.3.5 - Open Redirect |
| CVE-2021-24909 | 2022-01-17 | ACF Photo Gallery Field < 1.7.5 - Reflected Cross-Site Scripting |
| CVE-2021-25005 | 2022-01-17 | SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting |
| CVE-2021-25024 | 2022-01-17 | Event Calendar < 1.1.51 - Reflected Cross-Site Scripting |
| CVE-2021-25036 | 2022-01-17 | All In One SEO < 4.1.5.3 - Authenticated Privilege Escalation |
| CVE-2021-25037 | 2022-01-17 | All In One SEO < 4.1.5.3 - Authenticated SQL Injection |
| CVE-2021-25046 | 2022-01-17 | Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS |
| CVE-2021-25061 | 2022-01-17 | WP Booking System – Booking Calendar < 2.0.15 - Authenticated Reflected Cross-Site Scripting (XSS) |
| CVE-2021-25065 | 2022-01-17 | Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS) |
| CVE-2021-25067 | 2022-01-17 | Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS) |
| CVE-2022-0253 | 2022-01-17 | Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat |
| CVE-2022-0240 | 2022-01-17 | NULL Pointer Dereference in mruby/mruby |
| CVE-2021-3862 | 2022-01-17 | Cross-site Scripting (XSS) - Reflected in icecoder/icecoder |
| CVE-2022-0256 | 2022-01-17 | Cross-site Scripting (XSS) - Stored in pimcore/pimcore |
| CVE-2022-0258 | 2022-01-17 | SQL Injection in pimcore/pimcore |
| CVE-2022-0257 | 2022-01-17 | Cross-site Scripting (XSS) - Stored in pimcore/pimcore |
| CVE-2021-33040 | 2022-01-17 | managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS. |
| CVE-2021-38965 | 2022-01-17 | IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID:... |
| CVE-2022-0242 | 2022-01-17 | Unrestricted Upload of File with Dangerous Type in crater-invoice/crater |
| CVE-2021-42357 | 2022-01-17 | DOM based XSS Vulnerability in Apache Knox |
| CVE-2022-22703 | 2022-01-17 | In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer. |
| CVE-2022-0261 | 2022-01-18 | Heap-based Buffer Overflow in vim/vim |
| CVE-2022-0245 | 2022-01-18 | Cross-Site Request Forgery (CSRF) in livehelperchat/livehelperchat |
| CVE-2021-44757 | 2022-01-18 | Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server. |
| CVE-2021-45394 | 2022-01-18 | An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document. |
| CVE-2021-33964 | 2022-01-18 | China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability. An attacker can... |
| CVE-2021-33965 | 2022-01-18 | China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRMesh/set_ZRMesh which receives parameters by POST request, and the parameter mesh_enable and mesh_device have a command injection vulnerability. An... |
| CVE-2021-38783 | 2022-01-18 | There is a Out-of-Bound Write in the Allwinner R818 SoC Android Q SDK V1.0 camera driver "/dev/cedar_dev" through iotcl cmd IOCTL_SET_PROC_INFO and IOCTL_COPY_PROC_INFO, which could cause a system crash or... |
| CVE-2021-38784 | 2022-01-18 | There is a NULL pointer dereference in the syscall open_exec function of Allwinner R818 SoC Android Q SDK V1.0 that could executable a malicious file to cause a system crash. |
| CVE-2021-38785 | 2022-01-18 | There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash. |
| CVE-2021-38694 | 2022-01-18 | SoftVibe SARABAN for INFOMA 1.1 allows SQL Injection. |
| CVE-2021-38695 | 2022-01-18 | SoftVibe SARABAN for INFOMA 1.1 is vulnerable to stored cross-site scripting (XSS) that allows users to store scripts in certain fields (e.g. subject, description) of the document form. |
| CVE-2021-22566 | 2022-01-18 | Incorrect mapping of Executable bits in Fuchsia Kernel |
| CVE-2021-38696 | 2022-01-18 | SoftVibe SARABAN for INFOMA 1.1 has Incorrect Access Control vulnerability, that allows attackers to access signature files on the application without any authentication. |