Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2021-42576 The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-0318 Heap-based Buffer Overflow in vim/vim prior to 8.2. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-24306 Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-0845 Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-23449 This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-24305 Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26255 Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35003 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer C90 1.0.6 Build 20200114 rel.73164(5553) routers. Authentication is not required to exp... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35004 This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link TL-WA1201 1.0.1 Build 20200709 rel.66244(5553) wireless access points. Authentication is not r... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-40855 The EU Technical Specifications for Digital COVID Certificates before 1.1 mishandle certificate governance. A non-production public key certificate could have been used in production. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46198 An SQL Injection vulnerability exists in Sourceodester Courier Management System 1.0 via the email parameter in /cms/ajax.php app. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46201 An SQL Injection vulnerability exists in Sourcecodester Online Resort Management System 1.0 via the id parameterv in /orms/ node. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-39384 DWSurvey v3.2.0 was discovered to contain an arbitrary file write vulnerability via the component /utils/ToHtmlServlet.java. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46307 An SQL Injection vulnerability exists in Projectworlds Online Examination System 1.0 via the eid parameter in account.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-22724 A remote command execution vulnerability exists in add_server_service of PPTP_SERVER in Mercury Router MER1200 v1.0.1 and Mercury Router MER1200G v1.0.1. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46308 An SQL Injection vulnerability exists in Sourcecodester Online Railway Reservation Sysytem 1.0 via the sid parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46309 An SQL Injection vulnerability exists in Sourcecodester Employee and Visitor Gate Pass Logging System 1.0 via the username parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-41472 SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password parameters. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-41471 SQL injection vulnerability in Sourcecodester South Gate Inn Online Reservation System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the email and Password parameters. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-4877 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable to unauthorized modifications by using public fields in public classes. IBM X-Force ID: 190843. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-4879 IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote attacker to bypass security restrictions, caused by improper validation of authentication cookies. IBM X-Force ID: 190847. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-25404 Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete.php via the DELETE_STR parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-0658 The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamica... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46386 File upload vulnerability in mingSoft MCMS through 5.2.5, allows remote attackers to execute arbitrary code via a crafted jspx webshell to net.mingsoft.basic.action.web.FileAction#upload. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-0254 The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a ... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-0169 The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-44127 In DLink DAP-1360 F1 firmware version <=v6.10 in the "webupg" binary, an attacker can use the "file" parameter to execute arbitrary system commands when the parameter is "name=deleteFile" after being ... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-25007 The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection | 9.8 | CRITICAL | β | 0 |
| CVE-2021-25003 The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE | 9.8 | CRITICAL | β | 0 |
| CVE-2022-0362 SQL Injection in Packagist showdoc/showdoc prior to 2.10.3. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-40997 A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-39708 In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution pri... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-40247 SQL injection vulnerability in Sourcecodester Budget and Expense Tracker System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username field. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-36294 Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authentication bypass vulnerability. A remote unauthenticated attacker may exploit this vulnerability by forging a cookie to login as ... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-22720 Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46703 In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template con... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-40908 SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-40907 SQL injection vulnerability in Sourcecodester Storage Unit Rental Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /storage/classes/L... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-36548 A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafte... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26495 In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocate... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-23128 Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper H... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-38297 Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-25398 Auto Spare Parts Management v1.0 was discovered to contain a SQL injection vulnerability via the user parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-23884 Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overflow leading to a bound check bypass caused by PurchaseReceiptPacket::_read (packet deserializer). | 9.8 | CRITICAL | β | 0 |
| CVE-2022-0342 An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versi... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26496 In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO messa... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-40595 SQL injection vulnerability in Sourcecodester Online Leave Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /leave_system/classes/Log... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-46704 In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from ins... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-35498 The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, and TIBCO Product and Service Catalog powered by TIBCO EBX contains a vulnerability that under certain spec... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26245 Falcon-plus v0.3 was discovered to contain a SQL injection vulnerability via the parameter grpName in /config/service/host.go. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.