CVE STALKER

DAILY RANKING 2022-01-13

| RANK (yesterday) | NAME | HEAT SCORE | DESCRIPTION |
|---|---|---|---|
| 👑➡️ (1) | CVE-2022-21907 | 111 | HTTP Protocol Stack Remote Code Execution Vulnerability. |
| 2⬆️ (6) | CVE-2022-21969 | 99 | Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21855. |
| 3➡️ (3) | CVE-2021-44228 | 77 | Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". |
| 4⬇️ (2) | CVE-2021-20038 | 55 | A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions. |
| 5 (-) | CVE-2022-20657 | 30 | N/A |
| 6 (-) | CVE-2022-20656 | 30 | N/A |
| 7 (-) | CVE-2021-43297 | 23 | A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some information for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5. |
| 8 (-) | CVE-2022-0197 | 22 | phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) |
| 9 (-) | CVE-2021-35211 | 18 | Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability. |
| 10 (-) | CVE-2022-0196 | 17 | phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) |
| 11 (-) | CVE-2021-23514 | 16 | This affects the package Crow before 0.3+4. It is possible to traverse directories to fetch arbitrary files from the server. |
| 12 (-) | CVE-2022-0198 | 14 | corenlp is vulnerable to Improper Restriction of XML External Entity Reference |
| 13⬇️ (5) | CVE-2022-21849 | 13 | Windows IKE Extension Remote Code Execution Vulnerability. |
| 14 (-) | CVE-2022-0178 | 13 | snipe-it is vulnerable to Improper Access Control |
| 15 (-) | CVE-2021-42287 | 13 | Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291. |
| 16 (-) | CVE-2021-38642 | 11 | Microsoft Edge for iOS Spoofing Vulnerability |
| 17⬇️ (9) | CVE-2021-41577 | 11 | N/A |
| 18 (-) | CVE-2022-22113 | 11 | In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. |
| 19 (-) | CVE-2021-30353 | 11 | Improper validation of function pointer type with actual function signature can lead to assertion in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables |
| 20 (-) | CVE-2022-23133 | 11 | An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts. |