Recent 11/24/2022

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Product

GE CIMPLICITY5
Foxit PDF Reader5
AVEVA Edge3
rickxy Stock Management System3
SolarWinds Network Performance Monitor3

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix29
Temporary Fix0
Workaround1
Unavailable0
Not Defined23

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High0
Functional0
Proof-of-Concept6
Unproven0
Not Defined47

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

CVSSv3 Base

≤10
≤20
≤30
≤44
≤512
≤610
≤711
≤85
≤910
≤101

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤20
≤30
≤48
≤58
≤615
≤710
≤82
≤99
≤101

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

<1k1
<2k41
<5k10
<10k1
<25k0
<50k0
<100k0
≥100k0

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k39
<2k14
<5k0
<10k0
<25k0
<50k0
<100k0
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

CreatedBaseTempVulnerability0dayTodayExpRemCTIEPSSCVE
22:276.16.0wger excessive authentication$0-$5k$0-$5kNot DefinedOfficial Fix0.350.00885CVE-2022-2650
22:264.33.7BeCustom Plugin cross-site request forgery$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.760.00000CVE-2022-3747
19:493.53.4Apache DolphinScheduler Config File information disclosure$5k-$25k$0-$5kNot DefinedOfficial Fix0.500.00885CVE-2022-26885
15:328.88.4Moxa UC-8100A-ME-T unnecessary privileges$0-$5k$0-$5kNot DefinedOfficial Fix0.300.00000CVE-2022-3088
14:538.88.8GE CIMPLICITY out-of-bounds write$0-$5k$0-$5kNot DefinedNot Defined0.560.00000CVE-2022-3092
14:488.88.8GE CIMPLICITY CGmmiOptionContainer untrusted pointer dereference$0-$5k$0-$5kNot DefinedNot Defined0.710.00000CVE-2022-2002
14:478.88.8GE CIMPLICITY heap-based overflow$0-$5k$0-$5kNot DefinedNot Defined0.350.00000CVE-2022-2948
14:468.88.8GE CIMPLICITY CGmmiOptionContainer uninitialized pointer$0-$5k$0-$5kNot DefinedNot Defined0.300.00000CVE-2022-2952
14:448.88.8GE CIMPLICITY CGmmiRootOptionTable uninitialized pointer$0-$5k$0-$5kNot DefinedNot Defined0.300.00000CVE-2022-3084
14:193.53.4Digital Alert Systems DASDEC Header cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.200.00000CVE-2022-40204
14:194.34.1Digital Alert Systems DASDEC Login Page cross site scripting$0-$5k$0-$5kNot DefinedOfficial Fix0.300.00000CVE-2019-18265
14:165.35.1AVEVA Edge path traversal$0-$5k$0-$5kNot DefinedOfficial Fix0.350.00000CVE-2021-42797
14:159.89.4AVEVA Edge StADOSvr.exe access control$0-$5k$0-$5kNot DefinedOfficial Fix0.600.00000CVE-2021-42796
14:144.34.1AVEVA Edge information disclosure$0-$5k$0-$5kNot DefinedOfficial Fix0.250.00000CVE-2021-42794
13:144.33.9rickxy Stock Management System cross-site request forgery$0-$5k$0-$5kProof-of-ConceptNot Defined1.620.00885CVE-2022-4090
13:085.95.9Pilz PAScal/PASconnect/PASmotion/PNOZmulti Configurator ZIP Configuration File path traversal$0-$5k$0-$5kNot DefinedNot Defined0.350.00885CVE-2022-40976
13:076.36.3KNIME Analytics Platform ZIP Archive Extraction path traversal$0-$5k$0-$5kNot DefinedNot Defined0.350.01103CVE-2022-44749
13:067.47.2Pilz PASvisu Server ZIP Configuration File path traversal$0-$5k$0-$5kNot DefinedOfficial Fix0.200.01055CVE-2022-40977
13:055.35.3Mitsubishi Electric GOT2000 denial of service$0-$5k$0-$5kNot DefinedNot Defined0.250.01055CVE-2022-40266
13:046.76.5KNIME Server ZIP Archive Extraction path traversal$0-$5k$0-$5kNot DefinedOfficial Fix0.200.01156CVE-2022-44748
13:027.37.0qmpaas leadshop routine$0-$5k$0-$5kNot DefinedOfficial Fix0.250.00885CVE-2022-4136
10:234.33.9rickxy Stock Management System processlogin.php cross site scripting$0-$5k$0-$5kProof-of-ConceptNot Defined0.910.00885CVE-2022-4089
10:177.36.4Backdoor.Win32.Serman.a Service Port 21422 backdoor$0-$5k$0-$5kProof-of-ConceptWorkaround0.500.00000
10:157.36.6rickxy Stock Management System processlogin.php sql injection$0-$5k$0-$5kProof-of-ConceptNot Defined1.670.00885CVE-2022-4088
09:574.34.2YJCMS user_edit.html information disclosure$0-$5k$0-$5kNot DefinedNot Defined0.100.00885CVE-2022-45276
09:565.55.5Jizhicms memberedit.html sql injection$0-$5k$0-$5kNot DefinedNot Defined0.150.00885CVE-2022-44140
09:413.53.5EyouCMS login.php cross site scripting$0-$5k$0-$5kNot DefinedNot Defined0.150.00885CVE-2022-45280
09:415.55.3iTerm2 DECRQSS Response Privilege Escalation$0-$5k$0-$5kNot DefinedOfficial Fix0.200.00885CVE-2022-45872
09:405.55.3Boa sql injection$0-$5k$0-$5kNot DefinedNot Defined0.150.00885CVE-2022-44117
09:398.88.4SolarWinds Network Performance Monitor WebUserSettingsCrudHandler input validation$0-$5k$0-$5kNot DefinedOfficial Fix0.200.00000CVE-2022-36960
09:395.55.3qpress qp File pathname traversal$0-$5k$0-$5kNot DefinedOfficial Fix0.200.00950CVE-2022-45866
09:374.34.1Foxit PDF Reader PDF File Parser out-of-bounds$0-$5k$0-$5kNot DefinedOfficial Fix0.250.00000CVE-2022-43640
09:374.34.1Foxit PDF Reader U3D File Parser use after free$0-$5k$0-$5kNot DefinedOfficial Fix0.340.00000CVE-2022-43641
09:335.85.7XWiki Platform cross-site request forgery$0-$5k$0-$5kNot DefinedOfficial Fix0.150.00885CVE-2022-41927
09:046.36.0Foxit PDF Reader U3D File Parser use after free$0-$5k$0-$5kNot DefinedOfficial Fix0.100.00000CVE-2022-43637
09:036.36.0Foxit PDF Reader U3D File Parser use after free$0-$5k$0-$5kNot DefinedOfficial Fix0.380.00000CVE-2022-43638
09:026.36.0Foxit PDF Reader U3D File Parser use after free$0-$5k$0-$5kNot DefinedOfficial Fix0.150.00000CVE-2022-43639
08:597.26.9SolarWinds Network Performance Monitor GetPdf command injection$0-$5k$0-$5kNot DefinedOfficial Fix0.150.00000CVE-2022-36962
08:568.88.4SolarWinds Network Performance Monitor DeserializeFromStrippedXml deserialization$0-$5k$0-$5kNot DefinedOfficial Fix0.150.00000CVE-2022-36964
08:513.33.2systemd elf-util.c parse_elf_object deadlock$0-$5k$0-$5kNot DefinedOfficial Fix0.200.00890CVE-2022-45873
08:464.34.2JIZHI CMS adminadd.html cross-site request forgery$0-$5k$0-$5kNot DefinedNot Defined0.150.00885CVE-2021-29334
08:446.36.3H2 Database Engine CLI information disclosure$0-$5k$0-$5kNot DefinedNot Defined0.430.00885CVE-2022-45868
08:426.96.8Tailscale tailscaled cross-site request forgery$0-$5k$0-$5kNot DefinedOfficial Fix0.100.02509CVE-2022-41924
08:378.28.0Grails Spring Security Core Plugin privileges management$0-$5k$0-$5kNot DefinedOfficial Fix0.470.00954CVE-2022-41923
08:344.14.0Tailscale cross-site request forgery$0-$5k$0-$5kNot DefinedOfficial Fix0.420.00954CVE-2022-41925
08:335.55.5Jizhicms get_fields.html sql injection$0-$5k$0-$5kNot DefinedNot Defined0.150.00885CVE-2022-45278
08:326.36.1Artifex MuJS JavaScript File O_getOwnPropertyDescriptor memory corruption$0-$5k$0-$5kNot DefinedNot Defined0.420.04428CVE-2022-44789
08:325.55.3dedecmdv6 sys_sql_query.php sql injection$0-$5k$0-$5kNot DefinedNot Defined0.100.00885CVE-2022-44120
08:324.64.5dedecmdv6 file_manage_control.php denial of service$0-$5k$0-$5kNot DefinedNot Defined0.100.00885CVE-2022-43196
08:308.68.5Optica JSON oj.safe_load deserialization$0-$5k$0-$5kNot DefinedOfficial Fix0.100.05634CVE-2022-41875

3 more entries are not shown

Want to stay up to date on a daily basis?

Enable the mail alert feature now!