2022-04-28
2022-04-28 14:15Z
CRIT

CVE-2021-41945 — Encode Httpx: OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client`

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41945

Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`. CVSSv3.1 9.1 (CRITICAL) · EPSS 80th percentile

CWECWE 20VNDEncodeTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2022-04-26
2022-04-26 14:15Z
CRIT

CVE-2022-27985 — Cuppacms Cuppacms: v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27985

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile

CWECWE 89VNDCuppacmsTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-26
2022-04-26 14:15Z
CRIT

CVE-2022-27984 — Cuppacms Cuppacms: v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27984

CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile

CWECWE 89VNDCuppacmsTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-25
2022-04-25 15:15Z
CRIT

CVE-2022-28093 — Online_sports_complex_booking_system_project Online_sports_complex_booking_system: SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-28093

SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file inclusion vulnerability which allow attackers to execute arbitrary code via a crafted PHP file. CVSSv3.1 9.8 (CRITICAL) · EPSS 80th percentile

VNDOnline Sports Complex Booking System ProjectVNDScbsTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-20
2022-04-20 23:15Z
CRIT

CVE-2022-29528 — Misp-project Misp: PHAR deserialization can occur.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-29528

An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur. CVSSv3.1 9.8 (CRITICAL) · EPSS 79th percentile

CWECWE 502VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-19
2022-04-19 21:15Z
HIGH

CVE-2022-1119 — Simplefilelist Simple-file-list: The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-1119

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls which makes it possible unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7. CVSSv3.1 7.5 (HIGH) · EPSS 99th percentile

CWECWE 22VNDSimplefilelistVNDSimpleTYPVulnerability
7.5
CVSS v3.1
100
Edit Score
2022-04-19
2022-04-19 21:15Z
HIGH

CVE-2022-0993 — Siteground Siteground_security: The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-0993

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects versions up to, and including, 1.2.5. CVSSv3.1 8.1 (HIGH) · EPSS 87th percentile

CWECWE 306CWECWE 285VNDSitegroundTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
728 × 90 / responsive · programmatic ad slot
2022-04-19
2022-04-19 21:15Z
CRIT

CVE-2022-0992 — Siteground Security_optimizer: The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-0992

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects v CVSSv3.1 9.8 (CRITICAL) · EPSS 89th percentile

CWECWE 288CWECWE 306VNDSitegroundTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-12
2022-04-12 17:15Z
CRIT

CVE-2022-28397 — Ghost Ghost: An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-28397

An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file. NOTE: Vendor states as detailed in Ghost's security documentation, files can only be uploaded and published by trusted users, this is intentional. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 434VNDGhostTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-12
2022-04-12 17:15Z
CRIT

CVE-2022-27262 — Sailsjs Skipper: An arbitrary file upload vulnerability in the file upload module of Skipper v0.9.1 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27262

An arbitrary file upload vulnerability in the file upload module of Skipper v0.9.1 allows attackers to execute arbitrary code via a crafted file. CVSSv3.1 9.8 (CRITICAL) · EPSS 79th percentile

CWECWE 434VNDSailsjsTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-12
2022-04-12 17:15Z
CRIT

CVE-2022-27260 — Buttercms Buttercms: An arbitrary file upload vulnerability in the file upload component of ButterCMS v1.2.8 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27260

An arbitrary file upload vulnerability in the file upload component of ButterCMS v1.2.8 allows attackers to execute arbitrary code via a crafted SVG file. CVSSv3.1 9.8 (CRITICAL) · EPSS 85th percentile

CWECWE 434VNDButtercmsTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-11
2022-04-11 19:15Z
CRIT

CVE-2021-37291 — Kevinlab 4st_l-bems: An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-37291

An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 ivia the input_id POST parameter in index.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 94th percentile

CWECWE 89VNDKevinlabTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-04-11
2022-04-11 17:15Z
HIGH

CVE-2021-40219 — Bolt Bolt_cms: CMS <= 4.2 is vulnerable to Remote Code Execution.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-40219

Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit theme to inject server-side template injection that leads to remote code execution. CVSSv3.1 8.8 (HIGH) · EPSS 87th percentile

CWECWE 94VNDBoltTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2022-04-08
2022-04-08 16:15Z
HIGH

CVE-2021-40656 — Libsixel Libsixel: before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-40656

libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. CVSSv3.1 8.8 (HIGH)

CWECWE 787VNDLibsixelTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-04-08
2022-04-08 15:15Z
HIGH

CVE-2022-27046 — Saitoha Libsixel: 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27046

libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in in libsixel/src/dither.c:388. CVSSv3.1 8.8 (HIGH)

CWECWE 416VNDSaitohaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-04-08
2022-04-08 15:15Z
HIGH

CVE-2022-27044 — Saitoha Libsixel: 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-27044

libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876. CVSSv3.1 8.8 (HIGH)

CWECWE 787VNDSaitohaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-04-08
2022-04-08 15:15Z
HIGH

CVE-2021-41715 — Libsixel Libsixel: 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-41715

libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379. CVSSv3.1 8.8 (HIGH)

CWECWE 416VNDLibsixelTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-04-07
2022-04-07 11:15Z
HIGH

CVE-2021-46416 — Sma Sunny_tripower_firmware: Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-46416

Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling. CVSSv3.1 8.1 (HIGH) · EPSS 93th percentile

CWECWE 639VNDSmaVNDSunnyTYPVulnerability
8.1
CVSS v3.1
93
Edit Score
2022-04-07
2022-04-07 02:15Z
HIGH

CVE-2020-27376 — Drtrustusa Icheck_connect_bp_monitor_bp_testing_118_firmware: Dr Trust USA iCheck Connect BP Monitor BP Testing 118 version 1.2.1 is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-27376

Dr Trust USA iCheck Connect BP Monitor BP Testing 118 version 1.2.1 is vulnerable to Missing Authentication. CVSSv3.1 8.8 (HIGH) · EPSS 60th percentile

CWECWE 306VNDDrtrustusaVNDTrustTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-04-07
2022-04-07 02:15Z
HIGH

CVE-2020-27373 — Drtrustusa Icheck_connect_bp_monitor_bp_testing_118_firmware: Dr Trust USA iCheck Connect BP Monitor BP Testing 118 1.2.1 is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-27373

Dr Trust USA iCheck Connect BP Monitor BP Testing 118 1.2.1 is vulnerable to Plain text command over BLE. CVSSv3.1 8.8 (HIGH) · EPSS 60th percentile

CWECWE 78VNDDrtrustusaVNDTrustTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-03-30
2022-03-30 23:15Z
CRIT

CVE-2022-26646 — Oretnom23 Banking_system: Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-26646

Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 66th percentile

VNDOnlineVNDOretnom23TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-03-30
2022-03-30 23:15Z
CRIT

CVE-2022-26645 — Oretnom23 Banking_system: A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-26645

A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function. CVSSv3.1 9.8 (CRITICAL) · EPSS 84th percentile

CWECWE 434VNDRceVNDOretnom23TYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-03-30
2022-03-30 23:15Z
HIGH

CVE-2021-46010 — Totolink A3100r_firmware: A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-46010

Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations. CVSSv3.1 8.8 (HIGH) · EPSS 73th percentile

CWECWE 330VNDTotolinkTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-03-30
2022-03-30 23:15Z
CRIT

CVE-2021-46009 — Totolink A3100r_firmware: In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-46009

In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. CVSSv3.1 9.8 (CRITICAL)

CWECWE 306VNDTotolinkTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-03-30
2022-03-30 23:15Z
HIGH

CVE-2021-46008 — Totolink A3100r_firmware: In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-46008

In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. An attacker, who has connected to the Wi-Fi, can easily telnet into the target with root shell if the telnet is function turned on. CVSSv3.1 8.8 (HIGH) · EPSS 64th percentile

CWECWE 798VNDTotolinkTYPVulnerability
8.8
CVSS v3.1
94
Edit Score