Archive 04/06/2022

Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Product

Microsoft Edge9
Fortinet FortiWan5
OrangeHRM4
Fortinet FortiClient3
Fortinet FortiEDR3

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix36
Temporary Fix0
Workaround0
Unavailable0
Not Defined23

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High0
Functional0
Proof-of-Concept7
Unproven0
Not Defined52

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

CVSSv3 Base

≤10
≤20
≤30
≤44
≤58
≤610
≤717
≤814
≤95
≤101

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤20
≤30
≤45
≤57
≤619
≤711
≤813
≤93
≤101

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

<1k7
<2k24
<5k17
<10k1
<25k0
<50k0
<100k10
≥100k0

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k37
<2k10
<5k2
<10k0
<25k10
<50k0
<100k0
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

IDBaseTempVulnerability0dayTodayExpRemCTICVE
1966083.53.5OrangeHRM Share Video cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.04CVE-2022-27107
1966075.55.3Async mapValues access control$0-$5k$0-$5kNot DefinedOfficial Fix0.21CVE-2021-43138
1966065.55.5OrangeHRM Host Header injection$0-$5k$0-$5kNot DefinedNot Defined0.04CVE-2022-27110
1966054.94.9OrangeHRM Referer Header injection$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-27109
1966048.58.4PJSIP RTCP Feedback RPSI Packet pjmedia_rtcp_fb_parse_rpsi out-of-bounds write$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2022-24786
1966036.46.3PJSIP DNS Resolution buffer overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-24793
1966025.75.6Fortinet FortiWAN HTTP Request cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.05CVE-2021-32585
1966015.45.4Fortinet FortiWeb path traversal$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2021-41026
1966007.87.6Fortinet FortiAuthenticator Command Line Interpreter os command injection$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2021-26116
1965994.64.6Fortinet FortiWan Password File inadequate encryption$0-$5k$0-$5kNot DefinedOfficial Fix0.06CVE-2021-26113
1965988.38.3Fortinet FortiManager/FortiAnalyzer/FortiPortal Command Line Interface os command injection$0-$5k$0-$5kNot DefinedNot Defined0.00CVE-2021-26104
1965977.16.9Fortinet FortiClient input validation$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2021-22127
1965964.14.0IBM Watson Query information disclosure$5k-$25k$0-$5kNot DefinedOfficial Fix0.05CVE-2022-22410
1965955.55.5OrangeHRM createTimesheet authorization$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-27108
1965946.86.7libde265 heap-based overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2022-1253
1965937.87.8Fortinet FortiEDR hard-coded key$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-23440
1965929.39.1Fortinet FortiWan HTTP sql injection$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2021-26114
1965918.17.9Fortinet FortiWan Network Daemon stack-based overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.06CVE-2021-26112
1965907.27.0Fortinet FortiWan Web GUI os command injection$0-$5k$0-$5kNot DefinedOfficial Fix0.06CVE-2021-24009
1965896.96.8radare2 mach0.c r_str_ncpy heap-based overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.07CVE-2022-1240
1965886.96.8radare2 ne.c heap-based overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2022-1238
1965877.47.3radare2 array index$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-1237
1965868.18.1Fortinet FortiClient initialization$0-$5k$0-$5kNot DefinedNot Defined0.12CVE-2021-44169
1965854.34.3Fortinet FortiClient information disclosure$0-$5k$0-$5kNot DefinedNot Defined0.05CVE-2021-43205
1965846.56.3Fortinet FortiWan Dynamic Tunnel Protocol risky encryption$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2021-32593
1965836.36.0Google Chrome V8 type confusion$25k-$100k$5k-$25kNot DefinedOfficial Fix0.15CVE-2022-1232
1965828.28.0Fortinet FortiEDR hard-coded key$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-23441
1965814.84.7Fortinet FortiSandbox Sniffer Interface denial of service$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2020-29013
1965803.53.5Fortinet FortiEDR permission$0-$5k$0-$5kNot DefinedOfficial Fix0.09CVE-2022-23446
1965796.56.4livehelperchat cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.06CVE-2022-1234
1965786.36.0Digi Passport Location Header improper authentication$0-$5k$0-$5kNot DefinedOfficial Fix0.07CVE-2022-26952
1965773.53.4Apperta OpenEyes cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.00CVE-2021-40374
1965766.36.0Digi Passport reboot.asp buffer overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.07CVE-2022-26953
1965755.55.5Synametrics Synaman HTTP Interface access control$0-$5k$0-$5kNot DefinedNot Defined0.00CVE-2022-26251
1965745.55.5Synametrics Synaman permission$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-26250
1965735.55.3HTCondor CLAIMTOBE Method improper authentication$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2022-26110
1965725.04.8HTCondor Network Data channel accessible$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2021-45104
1965715.55.3HTCondor S3 Cloud Storage access control$0-$5k$0-$5kNot DefinedOfficial Fix0.07CVE-2021-45103
1965705.35.3Ivanti Avalanche image information disclosure$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2021-30497
1965694.34.2Apperta OpenEyes Server Response information exposure$0-$5k$0-$5kNot DefinedNot Defined0.07CVE-2021-40375
1965686.35.7Payroll Management System sql injection$0-$5k$0-$5kProof-of-ConceptNot Defined0.06CVE-2022-28468
1965676.35.7Online Student Admission sql injection$0-$5k$0-$5kProof-of-ConceptNot Defined0.08CVE-2022-28467
1965666.35.7Online Banking System sql injection$0-$5k$0-$5kProof-of-ConceptNot Defined0.04CVE-2022-28116
1965656.35.7Online Sports Complex Booking sql injection$0-$5k$0-$5kProof-of-ConceptNot Defined0.00CVE-2022-28115
1965646.35.7Student Grading System sql injection$0-$5k$0-$5kProof-of-ConceptNot Defined0.04CVE-2022-27304
1965636.35.7Insurance Management System sql injection$0-$5k$0-$5kProof-of-ConceptNot Defined0.03CVE-2022-27124
1965626.36.1Employee Performance Evaluation sql injection$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-27123
1965616.36.1Matrimony sql injection$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-26628
1965603.53.4Apache Pinot Pinot Table recursion$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-23974
1965597.37.1Microsoft Edge Remote Code Execution$25k-$100k$5k-$25kNot DefinedOfficial Fix0.00CVE-2022-26912

9 more entries are not shown

Do you know our Splunk app?

Download it now for free!