Updates December 2021

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Type

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Product

Google Android114
Netgear RBR85090
Netgear RBS85090
Netgear RBK85288
Linux Kernel85

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix2619
Temporary Fix0
Workaround23
Unavailable5
Not Defined1044

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High84
Functional6
Proof-of-Concept133
Unproven69
Not Defined3399

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

CVSSv3 Base

≤10
≤22
≤345
≤4395
≤5655
≤6864
≤7693
≤8623
≤9186
≤10228

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤22
≤359
≤4414
≤5649
≤61124
≤7627
≤8460
≤9188
≤10168

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

<1k668
<2k591
<5k1087
<10k374
<25k648
<50k192
<100k98
≥100k33

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k2443
<2k363
<5k471
<10k229
<25k166
<50k18
<100k1
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

UpdatedBaseTempVulnerabilityChangeExpRemCTICVE
12/31/20214.74.6ForeScout SecureConnector Installation buffer overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.03CVE-2021-36724
12/31/20214.44.4Wiki.js SVG File cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.05CVE-2021-25993
12/31/20214.84.7livehelperchat Web Page Generation cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.05CVE-2021-4176
12/31/20214.54.4livehelperchat Web Page Generation cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.02CVE-2021-4175
12/31/20216.56.4vim use after free(3): advisory_identifier, advisory_confirm_url, source_cve_nvd_summaryNot DefinedOfficial Fix0.16CVE-2021-4187
12/31/20217.57.3celery Task Metadata command injection(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.07CVE-2021-23727
12/31/20214.74.6eNvoice information disclosure(2): advisory_confirm_url, source_cve_nvd_summaryNot DefinedNot Defined0.10CVE-2021-36723
12/31/20212.62.5Stormshield Network Security SSH Password Change credentials management(2): advisory_confirm_url, source_cve_nvd_summaryNot DefinedOfficial Fix0.09CVE-2021-45885
12/31/20216.76.6eNvoice sql injection(2): advisory_confirm_url, source_cve_nvd_summaryNot DefinedNot Defined0.03CVE-2021-36722
12/31/20218.88.6Microsoft SharePoint Privilege Escalation(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.05CVE-2021-43876
12/31/20215.85.7QNAP Qfile App improper authentication(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.00CVE-2021-38688
12/31/20217.87.6QNAP QTS Surveillance Station stack-based overflow(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.04CVE-2021-38687
12/31/20214.84.7QNAP Kazoo Server cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.03CVE-2021-38680
12/31/20213.83.8ZyXEL NBG6604 Configuration File cleartext storage(2): advisory_confirm_url, source_cve_nvd_summaryNot DefinedNot Defined0.08CVE-2021-35035
12/31/20216.56.5ZyXEL NBG6604 CGI Program session expiration(2): advisory_confirm_url, source_cve_nvd_summaryNot DefinedNot Defined0.05CVE-2021-35034
12/31/20217.57.4Panorama MOTP sql injection(1): source_cve_nvd_summaryNot DefinedNot Defined0.04CVE-2021-44161
12/31/20214.44.4ifme iFrame cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.03CVE-2021-25990
12/31/20214.44.4ifme Notification Section cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.00CVE-2021-25988
12/31/20214.24.1ifme access control(2): advisory_identifier, source_cve_nvd_summaryNot DefinedOfficial Fix0.08CVE-2021-25991
12/31/20214.44.3ifme Markdown Editor cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.08CVE-2021-25989
12/31/20217.37.2Carinal Tien Hospital Health Report System Login Page authorization(1): source_cve_nvd_summaryNot DefinedNot Defined0.08CVE-2021-44160
12/31/20213.53.4Max Mazurov Maddy risky encryption(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.04CVE-2021-42583
12/31/20215.55.3VideoOffice integrity check(1): source_cve_nvd_summaryNot DefinedNot Defined0.03CVE-2020-7878
12/31/20215.55.3SUPERAntispyware IOCTL saskutil64.sys Privilege Escalation(1): source_cve_nvd_summaryNot DefinedNot Defined0.05CVE-2020-22061
12/31/20215.55.0EVGA Precision XOC Low-Level Driver WinRin0x64.sys config(1): source_cve_nvd_summaryProof-of-ConceptNot Defined0.03CVE-2020-22057
12/31/20213.13.0OSIsoft PI Vision AF Attribute authorization(1): source_cve_nvd_summaryNot DefinedNot Defined0.00CVE-2021-3090
12/31/20214.34.3Printchaser activeX module code download(1): source_cve_nvd_summaryNot DefinedNot Defined0.03CVE-2020-7883
12/31/20216.46.3Apache Log4j Logging Configuration File injection(18): vulnerability_cvss2_nvd_basescore, vulnerability_cvss2_nvd_av, vulnerability_cvss2_nvd_ac, vulnerability_cvss2_nvd_au, vulnerability_cvss2_nvd_ci, vulnerability_cvss2_nvd_ii, vulnerability_cvss2_nvd_ai, vulnerability_cvss3_meta_basescore, vulnerability_cvss3_meta_tempscore, vulnerability_cvss3_nvd_basescore, vulnerability_cvss3_nvd_av, vulnerability_cvss3_nvd_ac, vulnerability_cvss3_nvd_pr, vulnerability_cvss3_nvd_ui, vulnerability_cvss3_nvd_s, vulnerability_cvss3_nvd_c, vulnerability_cvss3_nvd_i, vulnerability_cvss3_nvd_aNot DefinedOfficial Fix0.04CVE-2021-44832
12/31/20214.14.0OSIsoft PI Vision authorization(1): source_cve_nvd_summaryNot DefinedNot Defined0.11CVE-2021-3095
12/31/20213.53.5SLICAN WebCTI cross site scripting(1): source_cve_nvd_summaryNot DefinedNot Defined0.03CVE-2021-45813
12/31/20213.53.5NUUO Network Video Recorder NVRsolo cross site scripting(1): source_cve_nvd_summaryNot DefinedNot Defined0.04CVE-2021-45812
12/31/20216.36.3Nettmp NNT 5.1 Panel sql injection(1): source_cve_nvd_summaryNot DefinedNot Defined0.05CVE-2021-45814
12/31/20213.53.4SuiteCRM Web Interface cross site scripting(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.08CVE-2021-45903
12/31/20213.53.5Libraryvideocompany SAFARI Montage cross site scripting(1): source_cve_nvd_summaryNot DefinedNot Defined0.04CVE-2021-45425
12/31/20214.34.1IDEC MICROSmart All-in-One CPU ZLD File credentials storage(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.00CVE-2021-37401
12/31/20213.73.6IDEC MICROSmart All-in-One CPU cleartext transmission(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.04CVE-2021-37400
12/31/20215.55.3Asus RT-N53 Parameter Advanced_LAN_Content.asp buffer overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.03CVE-2019-20082
12/31/20216.36.3Polycom Poly Trio 8800 Ping Command Privilege Escalation(1): source_cve_nvd_summaryNot DefinedNot Defined0.04CVE-2018-17875
12/31/20217.67.6ZyXEL GS1900 Function Call libsal.so os command injection(1): source_cve_nvd_summaryNot DefinedNot Defined0.04CVE-2021-35032
12/31/20217.47.4ZyXEL GS1900 os command injection(2): advisory_confirm_url, source_cve_nvd_summaryNot DefinedNot Defined0.00CVE-2021-35031

3651 more entries are not shown

Do you know our Splunk app?

Download it now for free!