RANK (yesterday) |
NAME | HEAT SCORE | DESCRIPTION |
---|---|---|---|
ðŸ‘‘âž¡ï¸ (1) | CVE-2022-21907 | 111 | HTTP Protocol Stack Remote Code Execution Vulnerability. |
2â¬†ï¸ (6) | CVE-2022-21969 | 99 | Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21855. |
3âž¡ï¸ (3) | CVE-2021-44228 | 77 | Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false". |
4â¬‡ï¸ (2) | CVE-2021-20038 | 55 | A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions. |
5 (-) | CVE-2022-20657 | 30 | N/A |
6 (-) | CVE-2022-20656 | 30 | N/A |
7 (-) | CVE-2021-43297 | 23 | A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5. |
8 (-) | CVE-2022-0197 | 22 | phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) |
9 (-) | CVE-2021-35211 | 18 | Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability. |
10 (-) | CVE-2022-0196 | 17 | phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) |
11 (-) | CVE-2021-23514 | 16 | This affects the package Crow before 0.3+4. It is possible to traverse directories to fetch arbitrary files from the server. |
12 (-) | CVE-2022-0198 | 14 | corenlp is vulnerable to Improper Restriction of XML External Entity Reference |
13â¬‡ï¸ (5) | CVE-2022-21849 | 13 | Windows IKE Extension Remote Code Execution Vulnerability. |
14 (-) | CVE-2022-0178 | 13 | snipe-it is vulnerable to Improper Access Control |
15 (-) | CVE-2021-42287 | 13 | Active Directory Domain Services Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291. |
16 (-) | CVE-2021-38642 | 11 | Microsoft Edge for iOS Spoofing Vulnerability |
17â¬‡ï¸ (9) | CVE-2021-41577 | 11 | N/A |
18 (-) | CVE-2022-22113 | 11 | In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. |
19 (-) | CVE-2021-30353 | 11 | Improper validation of function pointer type with actual function signature can lead to assertion in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables |
20 (-) | CVE-2022-23133 | 11 | An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts. |