Security Vulnerabilities - Known exploited
CVE-2021-35587
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Known exploited
CVSS Score
9.8
EPSS Score
0.943
Published
2022-01-19
CVE-2022-23227
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
Known exploited
CVSS Score
9.8
EPSS Score
0.47
Published
2022-01-14
CVE-2022-23131
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).
Known exploited
CVSS Score
9.1
EPSS Score
0.943
Published
2022-01-13
CVE-2022-23134
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Known exploited
CVSS Score
3.7
EPSS Score
0.931
Published
2022-01-13
CVE-2022-21919
Windows User Profile Service Elevation of Privilege Vulnerability
Known exploited
CVSS Score
7.0
EPSS Score
0.003
Published
2022-01-11
CVE-2022-21882
Win32k Elevation of Privilege Vulnerability
Known exploited
CVSS Score
7.0
EPSS Score
0.894
Published
2022-01-11
CVE-2022-22265
An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution.
Known exploited
CVSS Score
5.0
EPSS Score
0.002
Published
2022-01-10
CVE-2021-35247
Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U.
Known exploited
CVSS Score
4.3
EPSS Score
0.029
Published
2022-01-10
CVE-2021-44168
A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.
Known exploited
CVSS Score
3.3
EPSS Score
0.014
Published
2022-01-04
CVE-2021-44207
Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials.
Known exploited
CVSS Score
8.1
EPSS Score
0.091
Published
2021-12-21