Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2021-46007 — Totolink Ar3100r_firmware: a3100r V5.9c.4577 is vulnerable to os command injection.
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile
CVE-2022-25521 — Nuuo Network_video_recorder_firmware: v03.11.00 was discovered to contain access control issue.
NUUO v03.11.00 was discovered to contain access control issue. CVSSv3.1 9.8 (CRITICAL) · EPSS 74th percentile
CVE-2022-26258 — Dlink Dir-820l_firmware: D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP
D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile
CVE-2021-40905 — Checkmk Checkmk: The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute c CVSSv3.1 8.8 (HIGH) · EPSS 85th percentile
CVE-2021-40904 — Checkmk Checkmk: The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator. CVSSv3.1 8.8 (HIGH) · EPSS 89th percentile
CVE-2022-25523 — Typesettercms Typesetter: v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited
TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request. CVSSv3.1 8.8 (HIGH) · EPSS 46th percentile
CVE-2022-26263 — Yonyou U8\+: u8 v13.0 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability via
Yonyou u8 v13.0 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability via the component /u8sl/WebHelp. CVSSv3.1 6.1 (MEDIUM) · EPSS 98th percentile
CVE-2018-25032 — Nokogiri Nokogiri: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. CVSSv3.1 7.5 (HIGH) · EPSS 99th percentile
CVE-2022-24293 — Hp Laserjet_pro_m453-m454_w1y40a_firmware: Certain HP Print devices may be vulnerable to potential information disclosure, denial of service
Certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile
CVE-2022-24292 — Hp Laserjet_pro_m453-m454_w1y40a_firmware: Certain HP Print devices may be vulnerable to potential information disclosure, denial of service
Certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile
CVE-2022-0888 — Ninjaforms Ninja_forms_file_uploads: The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0 CVSSv3.1 9.8 (CRITICAL) · EPSS 93th percentile
CVE-2021-45756 — Asus Rt-ac68u_firmware: RT-AC68U <3.0.0.4.385.20633 and RT-AC5300 <3.0.0.4.384.82072 are affected by a buffer overflow in blocking_request.cgi.
Asus RT-AC68U <3.0.0.4.385.20633 and RT-AC5300 <3.0.0.4.384.82072 are affected by a buffer overflow in blocking_request.cgi. CVSSv3.1 9.8 (CRITICAL) · EPSS 75th percentile
CVE-2022-23349 — Bigantsoft Bigant_server: BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF).
BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF). CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile
CVE-2022-23347 — Bigantsoft Bigant_server: BigAnt Software BigAnt Server v5.6.06 was discovered to be vulnerable to directory traversal attacks.
BigAnt Software BigAnt Server v5.6.06 was discovered to be vulnerable to directory traversal attacks. CVSSv3.1 7.5 (HIGH) · EPSS 96th percentile
CVE-2022-23346 — Bigantsoft Bigant_server: BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control issues.
BigAnt Software BigAnt Server v5.6.06 was discovered to contain incorrect access control issues. CVSSv3.1 8.8 (HIGH) · EPSS 73th percentile
CVE-2022-25578 — Taogogo Taocms: v3.0.2 allows attackers to execute code injection via arbitrarily editing the .htaccess file.
taocms v3.0.2 allows attackers to execute code injection via arbitrarily editing the .htaccess file. CVSSv3.1 9.8 (CRITICAL) · EPSS 75th percentile
CVE-2022-27245 — Misp-project Misp: This could lead to SSRF.
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF. CVSSv3.1 8.8 (HIGH) · EPSS 53th percentile
CVE-2021-45834 — Opendocman Opendocman: An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4
An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 81th percentile
CVE-2021-44088 — Attendance_and_payroll_system_project Attendance_and_payroll_system: An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows
An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters. CVSSv3.1 9.8 (CRITICAL) · EPSS 87th percentile
CVE-2021-44087 — Attendance_and_payroll_system_project Attendance_and_payroll_system: A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP via photo upload. CVSSv3.1 9.8 (CRITICAL) · EPSS 91th percentile
CVE-2021-44620 — Totolink A3100r_firmware: A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime
A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters. CVSSv3.1 9.8 (CRITICAL) · EPSS 81th percentile
CVE-2022-25090 — Kofax Printix: Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a
Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition. CVSSv3.1 8.1 (HIGH) · EPSS 95th percentile
CVE-2022-24644 — Zzinc Keymouse_firmware: KeyMouse Windows 3.08 and prior is affected by a remote code execution vulnerability during
ZZ Inc. KeyMouse Windows 3.08 and prior is affected by a remote code execution vulnerability during an unauthenticated update. To exploit this vulnerability, a user must trigger an update of an affected installation of KeyMouse. CVSSv3.1 8.8 (HIGH) · EPSS 80th percentile
CVE-2022-23383 — Yzmcms Yzmcms: Without login, unauthorized access to the user's personal home page can be realized.
YzmCMS v6.3 is affected by broken access control. Without login, unauthorized access to the user's personal home page can be realized. It is necessary to judge the user's login status before accessing the personal home page, but the vulnerability can access other users' home pages through the non login status because real authentication is not carried out. CVSSv3.1 9.1 (CRITICAL) · EPSS 70th percentile
CVE-2022-0715 — Schneider-electric Smt_series_1015_ups_firmware: A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change
A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a key is leaked and used to upload malicious firmware. Affected Product: APC Smart-UPS Family: SMT Series (SMT Series ID=18: UPS 09.8 and prior / SMT Series ID=1040: UPS 01.2 and prior / SMT Series ID=1031: UPS 03.1 and prior), SMC Series (SMC Series ID=1005: UPS 14.1 and prior / SMC Series ID=1007: UPS 11.0 and prior / SMC Series ID=1041: UP CVSSv3.1 9.1 (CRITICAL) · EPSS 78th percentile