CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2021-41756 | dynamicMarkt <= 3.10 is affected by SQL injection in the kat parameter of index.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-33198 | Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin <= 2.0.2 at WordPress. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-41755 | dynamicMarkt <= 3.10 is affected by SQL injection in the kat1 parameter of index.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-23247 | A command injection vulnerability found in quick game engine allows arbitrary remote code in quick app. Allows remote attackers to gain arbitrary code execution in quick game engine | 9.8 | CRITICAL | β | 0 |
| CVE-2022-20160 | Product: Android. Versions: Android kernel. Android ID: A-210083655. References: N/A | 9.8 | CRITICAL | β | 0 |
| CVE-2022-27434 | UNIT4 TETA Mobile Edition (ME) before 29.5.HF17 was discovered to contain a SQL injection vulnerability via the ProfileName parameter in the errorReporting page. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-41754 | dynamicMarkt <= 3.10 is affected by SQL injection in the parent parameter of index.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-34635 | The mstatus.sd field in CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a does not update when the mstatus.fs field is set to Dirty. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-41419 | QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-40874 | An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) an... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31794 | An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hw_view.php. An attacker is ab... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32985 | libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31788 | IdeaLMS 2022 allows SQL injection via the IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID= pathname. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31211 | An issue was discovered in Infiray IRAY-A8Z3 1.0.957. There is a blank root password for TELNET by default. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31210 | An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The binary file /usr/local/sbin/webproject/set_param.cgi contains hardcoded credentials to the web application. Because these accounts cannot be d... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31209 | An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The firmware contains a potential buffer overflow by calling strcpy() without checking the string length beforehand. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32337 | Hospital's Patient Records Management System v1.0 is vulnerable to SQL Injection via /hprms/admin/patients/manage_patient.php?id=. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-20171 | Product: Android. Versions: Android kernel. Android ID: A-215565667. References: N/A | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26479 | An issue was discovered in Poly EagleEye Director II before 2.2.2.1. Existence of a certain file (which can be created via an rsync backdoor) causes all API calls to execute as admin without authentic... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32563 | An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sy... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-1556 | The StaffList WordPress plugin before 3.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Inje... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32092 | D-Link DIR-645 v1.03 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter at __ajax_explorer.sgi. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-4575 | IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.2.0 through 3.2.9 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-27668 | Depending on the configuration of the route permission table in file 'saprouttab', it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32994 | Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32995 | Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-33107 | ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers t... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-42675 | Kreado Kreasfero 1.5 does not properly sanitize uploaded files to the media directory. One can upload a malicious PHP file and obtain remote code execution. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-36711 | WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-29875 | A vulnerability has been identified in Biograph Horizon PET/CT Systems (All VJ30 versions < VJ30C-UD01), MAGNETOM Family (NUMARIS X: VA12M, VA12S, VA10B, VA20A, VA30A, VA31A), MAMMOMAT Revelation (All... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-1986 | OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31056 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Pr... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31061 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31795 | An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to in... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-35890 | An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were ge... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-2023 | Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-12349 | An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-12350 | An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma. | 9.8 | CRITICAL | β | 0 |
| CVE-2019-12351 | An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-28246 | A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was r... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26634 | SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of files compromising Maxboard, which may lead to arbitrary code exec... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32352 | Hospital's Patient Records Management System v1.0 is vulnerable to SQL Injection via /hprms/classes/Master.php?f=delete_patient_admission. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31885 | Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-19896 | File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitrary PHP code via post-edit.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34079 | OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the 'ports' entry of a crafted docker-compose.yml fi... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34080 | OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the ... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34082 | OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js, allows attackers to execute arbitrary commands via the fix func... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31887 | Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization, this means that the user can also escalate achieve Pr... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34084 | OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-32073 | WolfSSH v1.4.7 was discovered to contain an integer overflow via the function wolfSSH_SFTP_RecvRMDIR. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.