Archive April 2022

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Product

Microsoft Windows99
CGAL38
Google Chrome37
Oracle Communications Cloud Native Core Policy32
Oracle MySQL Server26

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix1642
Temporary Fix0
Workaround31
Unavailable1
Not Defined850

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High2
Functional3
Proof-of-Concept153
Unproven107
Not Defined2259

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

CVSSv3 Base

≤10
≤22
≤352
≤4317
≤5336
≤6521
≤7660
≤8352
≤9181
≤10103

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤22
≤358
≤4334
≤5336
≤6698
≤7526
≤8351
≤9123
≤1096

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

<1k524
<2k493
<5k591
<10k266
<25k377
<50k62
<100k126
≥100k85

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k1257
<2k453
<5k482
<10k98
<25k187
<50k46
<100k1
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

PublishedBaseTempVulnerability0dayTodayExpRemCTICVE
04/30/20223.53.4MediaWiki SecurePoll Extension information disclosure$0-$5k$0-$5kNot DefinedOfficial Fix0.05CVE-2022-28323
04/30/20225.55.3Apache NiFi Standard Content Viewer Service xml external entity reference$5k-$25k$0-$5kNot DefinedOfficial Fix0.02CVE-2022-29265
04/30/20226.56.5One Click Demo Import Plugin cross-site request forgery$0-$5k$0-$5kNot DefinedNot Defined0.02CVE-2022-29451
04/30/20224.84.8WPKube Subscribe To Comments Reloaded Plugin Log Archive cross-site request forgery$0-$5k$0-$5kNot DefinedNot Defined0.02CVE-2022-29414
04/30/20226.66.4NVIDIA Omniverse Nucleus/Omniverse Cache OpenSSL Configuration name resolution$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-28198
04/30/20224.84.7IBM UrbanCode Deploy inadequate encryption$5k-$25k$0-$5kNot DefinedOfficial Fix0.04CVE-2021-39082
04/30/20225.55.0USU Oracle Optimization os command injection$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.02CVE-2022-29937
04/30/20223.53.2USU Oracle Optimization Agent-Installer information disclosure$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.35CVE-2022-29935
04/30/20228.07.2USU Oracle Optimization Polkit Authentication improper authentication$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.02CVE-2022-29934
04/30/20226.35.7USU Oracle Optimization Java Deserialization save-data-upload-big-file deserialization$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.02CVE-2022-29936
04/30/20223.53.4Woodpecker Build Log BuildLog.vue cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-29947
04/30/20224.84.7yaireo tagify Field cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-25854
04/30/20223.53.5pesign pwdata Invocation cms_common.c cms_set_pw_data null pointer dereference$0-$5k$0-$5kNot DefinedNot Defined0.16CVE-2022-1249
04/30/20225.55.3Glewlwyd static_compressed_inmemory_website_callback.c pathname traversal$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-29967
04/30/20227.37.2erudika scoold Text Size resource consumption$0-$5k$0-$5kNot DefinedOfficial Fix0.02CVE-2022-1543
04/30/20223.53.5Automation Anywhere Automation 360 RPA Package hard-coded key$0-$5k$0-$5kNot DefinedNot Defined0.35CVE-2022-29856
04/30/20225.55.0ALLPlayer ALLMediaServer MediaServer.exe buffer overflow$0-$5k$0-$5kProof-of-ConceptNot Defined0.02CVE-2022-28480
04/30/20227.06.9Delta Electronics ASDA-Soft Project File out-of-bounds write$0-$5k$0-$5kNot DefinedOfficial Fix0.02CVE-2022-1403
04/30/20227.06.9Delta Electronics ASDA-Soft Project File out-of-bounds$0-$5k$0-$5kNot DefinedOfficial Fix0.12CVE-2022-1402
04/30/20226.36.3Moodle improper authentication$5k-$25k$5k-$25kNot DefinedNot Defined0.05CVE-2022-0985
04/30/20225.55.5Moodle Badge Criteria access control$5k-$25k$5k-$25kNot DefinedNot Defined0.02CVE-2022-0984
04/30/20225.95.8Elcomplus SmartPTT SCADA Server information disclosure$0-$5k$0-$5kNot DefinedNot Defined0.04CVE-2021-43938
04/30/20228.08.0QEMU QXL Display Device Emulation heap-based overflow$5k-$25k$5k-$25kNot DefinedNot Defined0.02CVE-2021-4207
04/30/20228.08.0QEMU QXL Display Device Emulation cursor_alloc heap-based overflow$5k-$25k$5k-$25kNot DefinedNot Defined0.02CVE-2021-4206
04/30/20227.57.4Johnson Controls Metasys ADS/Metasys ADX/Metasys OAS privileges management$0-$5k$0-$5kNot DefinedOfficial Fix0.13CVE-2021-36207
04/30/20223.53.5DJI Drone AeroScope Protocol information disclosure$0-$5k$0-$5kNot DefinedNot Defined0.02CVE-2022-29945
04/30/20227.36.6Max Feoktistov Small HTTP Server GET Request buffer overflow$0-$5k$0-$5kProof-of-ConceptNot Defined0.02CVE-2022-28994
04/30/20225.55.5Podman Image permissions$0-$5k$0-$5kNot DefinedNot Defined0.07CVE-2022-1227
04/30/20226.36.3ImageMagick DICOM Image dcm.c RelinquishDCMInfo use after free$0-$5k$0-$5kNot DefinedNot Defined0.02CVE-2022-1114
04/30/20225.95.8Elcomplus SmartPTT SCADA Server Web Application cross-site request forgery$0-$5k$0-$5kNot DefinedOfficial Fix0.02CVE-2021-43937
04/30/20226.36.3GNOME gnome-shell CAP_SYS_NICE dropped privileges$0-$5k$0-$5kNot DefinedNot Defined0.02CVE-2021-3982
04/30/20226.36.0Linux Kernel Kernel Memory af_key.c pfkey_register information disclosure$5k-$25k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-1353
04/30/20226.36.0Linux Kernel Sound Subsystem hw_params use after free$5k-$25k$0-$5kNot DefinedOfficial Fix0.02CVE-2022-1048
04/30/20226.36.1Linux Kernel Netfilter Subsystem nf_tables_api.c nft_do_chain out-of-bounds write$5k-$25k$5k-$25kNot DefinedNot Defined0.06CVE-2022-1015
04/30/20223.33.2Linux Kernel Device hamradio use after free$5k-$25k$0-$5kNot DefinedOfficial Fix0.05CVE-2022-1195
04/29/20223.53.5Intelliants Subrion CMS List of Subjects cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2021-41948
04/29/20225.55.3Red Planet Laundry Management System sql injection$0-$5k$0-$5kNot DefinedNot Defined0.04CVE-2022-28452
04/29/20228.68.4onlaj Piano LED Visualizer os.path.join file inclusion$0-$5k$0-$5kNot DefinedOfficial Fix0.05CVE-2022-24900
04/29/20227.37.1MSVOD sql injection$0-$5k$0-$5kNot DefinedNot Defined0.06CVE-2021-41942
04/29/20229.89.6Wondershare Dr. Fone ElevationService.exe access control$0-$5k$0-$5kNot DefinedWorkaround0.02CVE-2021-44595
04/29/20229.89.6Wondershare Dr. Fone InstallAssistService.exe Remote Code Execution$0-$5k$0-$5kNot DefinedWorkaround0.00CVE-2021-44596
04/29/20225.95.8bfabiszewski libmobi parse_rawml.c buffer overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-1534
04/29/20225.95.8bfabiszewski libmobi buffer overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.08CVE-2022-1533
04/29/20223.13.0livehelperchat cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.02CVE-2022-1530
04/29/20228.68.5RTX ARAX-UI Synonym Lookup sql injection$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-1531
04/29/20223.53.3automad Dashboard cross site scripting$0-$5k$0-$5kProof-of-ConceptNot Defined0.05CVE-2022-1536
04/29/20223.53.3Emlog Pro POST Parameter cross site scripting$0-$5k$0-$5kProof-of-ConceptNot Defined0.02CVE-2022-1526
04/29/20223.53.4WBCE CMS cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.02CVE-2022-28477
04/29/20223.53.5Limbas cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.02CVE-2022-28454
04/29/20223.53.4Nimbus Skin Advertise Link Message cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.11CVE-2022-29907

2474 more entries are not shown

Interested in the pricing of exploits?

See the underground prices here!