Recent 02/17/2022

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Product

Linux Kernel6
PJSIP5
JQueryForm.com5
Backdoor.Win32.Zombam.b3
pcf2bdf2

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix23
Temporary Fix0
Workaround3
Unavailable0
Not Defined23

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High0
Functional0
Proof-of-Concept9
Unproven0
Not Defined40

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

CVSSv3 Base

≤10
≤20
≤30
≤44
≤55
≤617
≤713
≤88
≤92
≤100

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤20
≤30
≤45
≤56
≤622
≤710
≤84
≤92
≤100

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

<1k8
<2k13
<5k20
<10k3
<25k3
<50k2
<100k0
≥100k0

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k31
<2k13
<5k2
<10k2
<25k1
<50k0
<100k0
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

CreatedBaseTempVulnerability0dayTodayExpRemCTICVE
07:11 PM6.36.3mingSoft MCMS list.do sql injection$0-$5k$0-$5kNot DefinedNot Defined0.05CVE-2021-44868
07:11 PM6.56.4Traefik TLS Configuration certificate validation$0-$5k$0-$5kNot DefinedOfficial Fix0.06CVE-2022-23632
07:10 PM5.25.1Cisco Prime Infrastructure Web-based Management Interface cross site scripting$5k-$25k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-20659
07:09 PM5.35.2Cisco StarOS Redundancy Configuration Manager denial of service$5k-$25k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-20750
07:06 PM7.57.3Cisco Email Security Appliance DANE Email Verification resource management$5k-$25k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-20653
05:16 PM3.53.5pcf2bdf PCF Font File denial of service$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-23319
05:16 PM5.55.5pcf2bdf PCF Font File out-of-bounds read$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-23318
05:15 PM5.35.3Core FTP Server/SFTP Server SSH Service denial of service$0-$5k$0-$5kNot DefinedNot Defined0.13CVE-2022-22899
03:55 PM7.37.2vim stack-based overflow$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-0629
03:53 PM6.35.7TRIGONE Remote System Monitor unquoted search path$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.04CVE-2021-46368
01:14 PM6.96.8mruby out-of-bounds read$0-$5k$0-$5kNot DefinedOfficial Fix0.02CVE-2022-0623
08:58 AM6.35.7Trojan-Spy.Win32.Zbot.aawo.Zeus-Builder permission$0-$5k$0-$5kProof-of-ConceptNot Defined0.03
08:48 AM6.35.7Backdoor.Win32.Prosti.b permission$0-$5k$0-$5kProof-of-ConceptNot Defined0.03
08:47 AM6.35.7Email-Worm.Win32.Lama permission$0-$5k$0-$5kProof-of-ConceptNot Defined0.05
08:43 AM5.34.7Backdoor.Win32.Prorat.lkt Service Port 2121 hard-coded password$0-$5k$0-$5kProof-of-ConceptWorkaround0.03
08:42 AM5.34.7Backdoor.Win32.Zombam.b Service Port 80 information disclosure$0-$5k$0-$5kProof-of-ConceptWorkaround0.00
08:41 AM4.33.9Backdoor.Win32.Zombam.b Service Port 80 cross site scripting$0-$5k$0-$5kProof-of-ConceptNot Defined0.02
08:29 AM7.36.4Backdoor.Win32.Zombam.b Service Port 80 stack-based overflow$0-$5k$0-$5kProof-of-ConceptWorkaround0.05
08:28 AM5.35.2snipe-it information exposure$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-0622
08:28 AM5.35.3Drupal Quick Edit Module permission$0-$5k$0-$5kNot DefinedNot Defined0.13CVE-2022-25270
08:27 AM5.55.5PJSIP PJSUA API pjsua_call_dump buffer overflow$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2021-43303
08:27 AM3.53.5PJSIP PJSUA API pjsua_recorder_create out-of-bounds read$0-$5k$0-$5kNot DefinedNot Defined0.04CVE-2021-43302
08:26 AM5.55.5PJSIP PJSUA API pjsua_playlist_create stack-based overflow$0-$5k$0-$5kNot DefinedNot Defined0.04CVE-2021-43301
08:26 AM5.55.5PJSIP PJSUA API pjsua_recorder_create stack-based overflow$0-$5k$0-$5kNot DefinedNot Defined0.04CVE-2021-43300
08:24 AM5.55.5PJSIP PJSUA API pjsua_player_create stack-based overflow$0-$5k$0-$5kNot DefinedNot Defined0.07CVE-2021-43299
08:24 AM5.55.5Ghostscript sandbox$0-$5k$0-$5kNot DefinedNot Defined0.00CVE-2021-3781
08:23 AM3.53.5Linux Kernel Netfilter information disclosure$0-$5k$0-$5kNot DefinedNot Defined0.13CVE-2021-3773
08:21 AM7.57.4BookWyrm server-side request forgery$0-$5k$0-$5kNot DefinedOfficial Fix0.08CVE-2022-23644
08:20 AM6.36.0polkit D-Bus Request authorization$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2021-3560
08:19 AM6.36.3DuxCMS index sql injection$0-$5k$0-$5kNot DefinedNot Defined0.05CVE-2021-3242
08:18 AM5.55.5JerryScript js-parser.c parser_parse_function_arguments assertion$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-22901
08:17 AM7.37.0JQueryForm.com improper authentication$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2022-24985
08:17 AM5.05.0Hutool HttpRequest certificate validation$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-22885
08:16 AM6.36.3Jeecg-boot queryUserComponentData sql injection$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-22881
08:15 AM6.36.3Jeecg-boot queryUserByDepId sql injection$0-$5k$0-$5kNot DefinedNot Defined0.03CVE-2022-22880
08:14 AM6.36.0Qt QProcess Privilege Escalation$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2022-25255
08:12 AM5.55.4Wasmtime/WASI uninitialized pointer$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-23636
08:11 AM7.37.0JQueryForm.com unrestricted upload$0-$5k$0-$5kNot DefinedOfficial Fix0.04CVE-2022-24983
08:09 AM6.36.0mbsync type conversion$0-$5k$0-$5kNot DefinedOfficial Fix0.03CVE-2021-3578
08:08 AM5.55.5Drupal Form API injection$0-$5k$0-$5kNot DefinedNot Defined0.25CVE-2022-25271
08:06 AM5.55.3Crypt_GPG GPG Call Privilege Escalation$0-$5k$0-$5kNot DefinedOfficial Fix0.05CVE-2022-24953
08:00 AM5.04.5Linux Kernel Binary File memory corruption$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.03CVE-2022-25265
07:59 AM3.53.4JQueryForm.com admin.php cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.05CVE-2022-24981
07:58 AM7.57.5Linux Kernel NFC Stack use after free$5k-$25k$5k-$25kNot DefinedNot Defined0.16CVE-2021-3760
07:57 AM4.34.1Linux Kernel vt vt_ioctl.c vt_k_ioctl out-of-bounds read$5k-$25k$0-$5kNot DefinedOfficial Fix0.06CVE-2021-3753
07:45 AM4.34.1JQueryForm.com Base64-Encode missing encryption$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2022-24982
07:44 AM8.88.4Linux Kernel Bluetooth Subsystem lock_sock_nested use after free$25k-$100k$5k-$25kNot DefinedOfficial Fix0.03CVE-2021-3752
07:42 AM8.88.4Linux Kernel USB Gadget Subsystem memory corruption$25k-$100k$5k-$25kNot DefinedOfficial Fix0.03CVE-2022-25258
07:27 AM7.37.0JQueryForm.com Executable Files Parser unrestricted upload$0-$5k$0-$5kNot DefinedOfficial Fix0.00CVE-2022-24984

Do you need the next level of professionalism?

Upgrade your account now!