Vulnerabilities (CVE)

Filtered by CWE-20
Total 9125 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-22589 1 Apple 6 Ipados, Iphone Os, Macos and 3 more 2022-05-17 4.3 MEDIUM 6.1 MEDIUM
A validation issue was addressed with improved input sanitization. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing a maliciously crafted mail message may lead to running arbitrary javascript.
CVE-2022-22727 1 Schneider-electric 1 Ecostruxure Power Monitoring Expert 2022-05-16 9.3 HIGH 8.8 HIGH
A CWE-20: Improper Input Validation vulnerability exists that could allow an unauthenticated attacker to view data, change settings, impact availability of the software, or potentially impact a user?s local machine when the user clicks a specially crafted link. Affected Product: EcoStruxure Power Monitoring Expert (Versions 2020 and prior)
CVE-2021-36741 2 Microsoft, Trendmicro 5 Windows, Apex One, Officescan and 2 more 2022-05-16 6.5 MEDIUM 8.8 HIGH
An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attached to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to logon to the product?s management console in order to exploit this vulnerability.
CVE-2021-22827 1 Schneider-electric 1 Ecostruxure Power Monitoring Expert 2022-05-16 6.8 MEDIUM 8.8 HIGH
A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22826. Affected Product: EcoStruxure? Power Monitoring Expert 9.0 and prior versions
CVE-2021-22826 1 Schneider-electric 1 Ecostruxure Power Monitoring Expert 2022-05-16 6.8 MEDIUM 8.8 HIGH
A CWE-20: Improper Input Validation vulnerability exists that could cause arbitrary code execution when the user visits a page containing the injected payload. This CVE is unique from CVE-2021-22827. Affected Product: EcoStruxure? Power Monitoring Expert 9.0 and prior versions
CVE-2021-29629 1 Freebsd 1 Freebsd 2022-05-16 5.0 MEDIUM 7.5 HIGH
In FreeBSD 13.0-STABLE before n245765-bec0d2c9c841, 12.2-STABLE before r369859, 11.4-STABLE before r369866, 13.0-RELEASE before p1, 12.2-RELEASE before p7, and 11.4-RELEASE before p10, missing message validation in libradius(3) could allow malicious clients or servers to trigger denial of service in vulnerable servers or clients respectively.
CVE-2021-25745 1 Kubernetes 1 Ingress-nginx 2022-05-16 5.5 MEDIUM 8.1 HIGH
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
CVE-2022-1053 2 Fedoraproject, Keylime 2 Fedora, Keylime 2022-05-16 6.4 MEDIUM 9.1 CRITICAL
Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM. A successful attack breaks the entire chain of trust because a not validated AK is used by the verifier. This issue is worse if the validation happens first and then the agent gets added to the verifier because the timing is easier and the verifier does not validate the regcount entry being equal to 1,
CVE-2022-22433 2 Ibm, Microsoft 3 Robotic Process Automation, Robotic Process Automation As A Service, Windows 2022-05-16 5.0 MEDIUM 7.5 HIGH
IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 224156.
CVE-2020-26145 2 Samsung, Siemens 26 Galaxy I9305, Galaxy I9305 Firmware, 6gk5763-1al00-3aa0 and 23 more 2022-05-13 3.3 LOW 6.5 MEDIUM
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
CVE-2021-25746 1 Kubernetes 1 Ingress-nginx 2022-05-13 5.5 MEDIUM 7.1 HIGH
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
CVE-2022-24098 3 Adobe, Apple, Microsoft 3 Photoshop, Macos, Windows 2022-05-13 9.3 HIGH 7.8 HIGH
Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by an improper input validation vulnerability when parsing a PCX file that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PCX file.
CVE-2020-8700 2 Intel, Netapp 546 Bios, Core I3-l13g4, Core I5-l16g7 and 543 more 2022-05-13 4.6 MEDIUM 6.7 MEDIUM
Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2022-20715 1 Cisco 2 Adaptive Security Appliance Software, Firepower Threat Defense 2022-05-13 7.8 HIGH 7.5 HIGH
A vulnerability in the remote access SSL VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of errors that are logged as a result of client connections that are made using remote access VPN. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to cause the affected device to restart, resulting in a DoS condition.
CVE-2022-28708 1 F5 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more 2022-05-13 4.3 MEDIUM 5.9 MEDIUM
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, when a BIG-IP DNS resolver-enabled, HTTP-Explicit or SOCKS profile is configured on a virtual server, an undisclosed DNS response can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2022-27634 1 F5 1 Big-ip Access Policy Manager 2022-05-13 6.5 MEDIUM 7.2 HIGH
On 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, BIG-IP APM does not properly validate configurations, allowing an authenticated attacker with high privileges to manipulate the APM policy leading to privilege escalation/remote code execution. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2022-20745 1 Cisco 2 Adaptive Security Appliance Software, Firepower Threat Defense 2022-05-13 7.8 HIGH 7.5 HIGH
A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper input validation when parsing HTTPS requests. An attacker could exploit this vulnerability by sending a crafted HTTPS request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
CVE-2022-29479 1 F5 12 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 9 more 2022-05-12 5.0 MEDIUM 5.3 MEDIUM
On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, when an IPv6 self IP address is configured and the ipv6.strictcompliance database key is enabled (disabled by default) on a BIG-IP system, undisclosed packets may cause decreased performance. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2017-12652 2 Libpng, Netapp 2 Libpng, Active Iq Unified Manager 2022-05-12 7.5 HIGH 9.8 CRITICAL
libpng before 1.6.32 does not properly check the length of chunks against the user limit.
CVE-2021-21408 2 Debian, Smarty 2 Debian Linux, Smarty 2022-05-12 6.5 MEDIUM 8.8 HIGH
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.