Recent 09/14/2022

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Product

Google Android19
Apple iOS11
Apple iPadOS11
Apple macOS8
Nokia 1350 OMS6

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix75
Temporary Fix0
Workaround0
Unavailable0
Not Defined54

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High1
Functional0
Proof-of-Concept3
Unproven1
Not Defined124

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

CVSSv3 Base

≤10
≤20
≤31
≤424
≤520
≤636
≤728
≤814
≤95
≤101

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤20
≤31
≤425
≤520
≤647
≤718
≤813
≤94
≤101

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

<1k19
<2k25
<5k31
<10k11
<25k18
<50k19
<100k5
≥100k1

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k42
<2k39
<5k20
<10k18
<25k9
<50k1
<100k0
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

CreatedBaseTempVulnerability0dayTodayExpRemCTIEPSSCVE
22:234.64.5Cargo .cargo path traversal$0-$5k$0-$5kNot DefinedOfficial Fix0.050.01689CVE-2022-36113
22:215.15.0GLPI Plugin Controller plugin.form.php sql injection$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00885CVE-2022-35946
20:305.35.1Google Android sysmmu_unmap out-of-bounds write$25k-$100k$5k-$25kNot DefinedOfficial Fix0.210.01036CVE-2022-20364
20:294.24.0Google Android arm_gic.c smc_intc_request_fiq out-of-bounds write$5k-$25k$5k-$25kNot DefinedOfficial Fix0.160.01036CVE-2022-20231
20:294.34.3Palo Alto Cortex XDR Agent Tech Support File link following$0-$5k$0-$5kNot DefinedNot Defined0.050.00885CVE-2022-0029
20:296.46.3axum-core Request Body allocation of resources$0-$5k$0-$5kNot DefinedNot Defined0.060.00885CVE-2022-3212
20:275.35.1IBM Maximo Asset Management information exposure$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.01055CVE-2021-38924
20:195.04.7Nintendo Game Boy Color Mobile Adapter GB Tetsuji memory corruption$0-$5k$0-$5kProof-of-ConceptNot Defined0.160.00885CVE-2022-3216
20:055.55.5Feehi CMS Header password recovery$0-$5k$0-$5kNot DefinedNot Defined0.320.00885CVE-2022-38796
20:056.46.4MB Connect Line mymbCONNECT24/mbCONNECT24 Webservice observable response discrepancy$0-$5k$0-$5kNot DefinedNot Defined0.040.01055CVE-2022-22520
19:347.16.8Linux Kernel Journaled File System inode.c diFree null pointer dereference$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.00885CVE-2022-3202
17:056.36.1SmartRG SR506n/SR510n Ping Host Privilege Escalation$0-$5k$0-$5kNot DefinedNot Defined0.000.05634CVE-2022-37661
14:493.53.4PayMoney Ticket cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.000.00885CVE-2022-37137
14:493.53.4SourceCodester Garage Management System cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.000.00885CVE-2022-36668
14:483.53.4SourceCodester Loan Management System cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.030.00885CVE-2022-37139
14:488.28.0ionicabizau parse-url server-side request forgery$0-$5k$0-$5kNot DefinedOfficial Fix0.050.00885CVE-2022-2900
14:485.55.3libexpat xmlparse.c doContent use after free$0-$5k$0-$5kNot DefinedOfficial Fix0.040.01108CVE-2022-40674
14:474.54.5Zabbix Frontend cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.030.00885CVE-2022-40626
14:467.37.1Loan Management System Login Page sql injection$0-$5k$0-$5kNot DefinedNot Defined0.020.00885CVE-2022-37138
14:453.53.4Yellowfin Business Intelligence MIAdminStyles.i4 Admin UI cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.000.01055CVE-2020-19587
14:457.37.3Hospital Information System improper authentication$0-$5k$0-$5kNot DefinedNot Defined0.040.01213CVE-2022-36669
14:446.36.1Yellowfin Business Intelligence MIAdminStyles.i4 Admin UI access control$0-$5k$0-$5kNot DefinedNot Defined0.050.01055CVE-2020-19586
14:245.55.3KDiskMark D-Bus Method flushPageCache improper authorization$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00950CVE-2022-40673
14:236.36.0Keyfactor PrimeKey EJBCA ACME Order certificate validation$0-$5k$0-$5kNot DefinedOfficial Fix0.030.00885CVE-2022-34831
14:216.36.1PayMoney unrestricted upload$0-$5k$0-$5kNot DefinedNot Defined0.050.01689CVE-2022-37140
14:217.37.0OSU Open Source Lab VNCAuthProxy VNCServerAuthenticator protocol.py improper authentication$0-$5k$0-$5kNot DefinedOfficial Fix0.030.01213CVE-2022-36436
14:206.36.1SourceCodester Garage Management System unrestricted upload$0-$5k$0-$5kNot DefinedNot Defined0.040.02432CVE-2022-36667
13:077.37.3Google Go URL.JoinPath path traversal$5k-$25k$5k-$25kNot DefinedNot Defined0.090.01108CVE-2022-32190
13:076.56.5Crafter CMS Groovy Sandbox dynamically-managed code resources$0-$5k$0-$5kNot DefinedNot Defined0.040.00885CVE-2022-40635
13:066.56.5Crafter CMS Studio dynamically-managed code resources$0-$5k$0-$5kNot DefinedNot Defined0.040.00885CVE-2022-40634
13:067.37.2Onedev HTTP Header git-prereceive-callback improper authentication$0-$5k$0-$5kNot DefinedOfficial Fix0.000.02509CVE-2022-39205
13:054.44.4Onedev Web UI cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.000.02199CVE-2022-39207
13:006.45.5Microsoft Windows SPNEGO Extended Negotiation information disclosure$25k-$100k$5k-$25kUnprovenOfficial Fix0.000.02251CVE-2022-37958
12:546.46.3Onedev Project File file access$0-$5k$0-$5kNot DefinedOfficial Fix0.070.00954CVE-2022-39208
12:537.57.4matrix-appservice-irc Channel privileges management$0-$5k$0-$5kNot DefinedOfficial Fix0.030.00885CVE-2022-39203
12:514.54.4matrix-appservice-irc IRC Protocol privileges management$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00954CVE-2022-39202
12:508.88.8Crestron AirMedia Installation permission$0-$5k$0-$5kNot DefinedNot Defined0.030.00885CVE-2022-34100
12:499.39.1Onedev Docker Socket docker.sock external reference$0-$5k$0-$5kNot DefinedOfficial Fix0.030.01061CVE-2022-39206
12:475.04.9TYPO3 View Help f:asset.css cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.040.00954CVE-2022-36108
12:465.04.9TYPO3 FileDumpController cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00890CVE-2022-36107
12:455.55.4TYPO3 Password Reset Link improper authentication$5k-$25k$0-$5kNot DefinedOfficial Fix0.000.00890CVE-2022-36106
12:445.35.2TYPO3 User Authentication information exposure$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.00954CVE-2022-36105
12:424.84.7TYPO3 Error Message allocation of resources$5k-$25k$0-$5kNot DefinedOfficial Fix0.040.00954CVE-2022-36104
12:423.53.5ThingsBoard IoT Platform Audit Log cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.030.00885CVE-2022-31861
12:394.34.1Unisys Data Exchange Management Studio POST Request cross-site request forgery$0-$5k$0-$5kNot DefinedOfficial Fix0.080.00885CVE-2022-32555
12:384.34.1SAP BusinessObjects Business Intelligence Platform access control$5k-$25k$0-$5kNot DefinedOfficial Fix0.030.00885CVE-2022-32244
12:355.35.1Google Android ParsedPermissionUtils.java declareDuplicatePermission permission$25k-$100k$5k-$25kNot DefinedOfficial Fix0.160.01036CVE-2022-20392
12:343.53.5Controller Project Name cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.080.00885CVE-2022-3205
12:335.35.1Google Android Wi-Fi WifiServiceImpl.java addOrUpdateNetwork permission$25k-$100k$5k-$25kNot DefinedOfficial Fix0.160.01036CVE-2022-20398
12:324.44.2Google Android MediaProvider.java checkAccess path traversal$5k-$25k$0-$5kNot DefinedOfficial Fix0.130.01036CVE-2022-20395

79 more entries are not shown

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!