Updates January 2022

Timeline

The analysis of the timeline helps to identify the required approach and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance. Initiating immediate vulnerability response and prioritizing of issues is possible.

Type

Not Defined1327
Operating System183
Cloud Software158
Database Software92
Content Management System75

The moderation team is working with the threat intelligence team to categorize software that is affected by security vulnerabilities. This helps to illustrate the assignment of these categories to determine the most affected software types.

Product

Microsoft Windows100
Bentley View74
Linux Kernel48
Oracle MySQL Cluster44
Huawei Smartphone44

Grouping vulnerabilities by products helps to get an overview. This makes it possible to determine an homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix2089
Temporary Fix0
Workaround7
Unavailable0
Not Defined894

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished between multiple forms and levels of remediation which influence risks differently.

Exploitability

High84
Functional1
Proof-of-Concept140
Unproven134
Not Defined2631

Researcher and attacker which are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine simplicity and strength of attacks.

CVSSv3 Base

≤10
≤24
≤347
≤4387
≤5466
≤6675
≤7485
≤8533
≤9247
≤10146

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤10
≤26
≤350
≤4396
≤5488
≤6815
≤7484
≤8420
≤9201
≤10130

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We do also provide our unique meta score for temp scores, even though other sources rarely publish them.

Exploit 0-day

<1k488
<2k355
<5k807
<10k403
<25k555
<50k226
<100k109
≥100k47

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day prices for an exploit, before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability broker and compared to prices we see on exploit markets.

Exploit Today

<1k1770
<2k364
<5k350
<10k263
<25k167
<50k76
<100k0
≥100k0

The 0-day prices do not consider time-relevant factors. The today price does reflect price impacts like disclosure of vulnerability details, alternative exploits, availability of countermeasures. These dynamic aspects might decrease the exploit prices over time. Under certain circumstances this happens very fast.

UpdatedBaseTempVulnerabilityChangeExpRemCTICVE
01/27/20226.36.0Google Chrome Push Message Remote Code Execution(1): source_cve_assignedNot DefinedOfficial Fix0.04CVE-2022-0294
01/27/20226.36.0Google Chrome Web Packaging use after free(1): source_cve_assignedNot DefinedOfficial Fix0.14CVE-2022-0293
01/26/20228.17.8McAfee Agent Installation openssl.cnf access control(15): vulnerability_cvss2_vuldb_e, vulnerability_cvss3_meta_basescore, vulnerability_cvss3_meta_tempscore, vulnerability_cvss3_vendor_basescore, vulnerability_cvss3_vendor_av, vulnerability_cvss3_vendor_ac, vulnerability_cvss3_vendor_pr, vulnerability_cvss3_vendor_ui, vulnerability_cvss3_vendor_s, vulnerability_cvss3_vendor_c, vulnerability_cvss3_vendor_i, vulnerability_cvss3_vendor_a, vulnerability_cvss3_vendor_e, vulnerability_cvss3_vendor_rl, vulnerability_cvss3_vendor_rcNot DefinedOfficial Fix1.37CVE-2022-0166
01/26/20228.17.5McAfee Agent Deployment cleanup.exe code injection(5): vulnerability_cvss2_vuldb_tempscore, vulnerability_cvss3_meta_basescore, vulnerability_cvss3_meta_tempscore, vulnerability_cvss3_vuldb_tempscore, vulnerability_cvss3_vendor_basescoreProof-of-ConceptOfficial Fix1.44CVE-2021-31854
01/26/20226.36.0Google Chrome Fenced Frames Remote Code Execution(1): source_cve_assignedNot DefinedOfficial Fix0.79CVE-2022-0292
01/26/20226.36.0Google Chrome Storage Remote Code Execution(1): source_cve_assignedNot DefinedOfficial Fix0.68CVE-2022-0291
01/26/20226.36.0Google Chrome Site Isolation use after free(1): source_cve_assignedNot DefinedOfficial Fix0.68CVE-2022-0290
01/26/20226.36.0Google Chrome Safe Browsing use after free(1): source_cve_assignedNot DefinedOfficial Fix0.93CVE-2022-0289
01/26/20226.76.6Asus VivoMini/Mini PC SMI input validation(1): source_cve_nvd_summaryNot DefinedNot Defined0.48CVE-2022-21933
01/26/20224.44.3mruby null pointer dereference(3): advisory_identifier, advisory_confirm_url, source_cve_nvd_summaryNot DefinedOfficial Fix0.41CVE-2022-0326
01/26/20223.53.5AFI WebACMS index.html cross site scripting(1): source_cve_nvd_summaryNot DefinedNot Defined0.51CVE-2021-44829
01/26/20225.05.0pimcore cross site scripting(3): advisory_identifier, advisory_confirm_url, source_cve_nvd_summaryNot DefinedOfficial Fix0.48CVE-2022-0285
01/26/20223.53.5JerryScript ecma-builtin-date-prototype.c ecma_builtin_date_prototype_dispatch_set assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.55CVE-2021-46351
01/26/20223.53.5JerryScript ecma-builtin-date-prototype.c ecma_builtin_date_prototype_dispatch_set assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.55CVE-2021-46346
01/26/20223.53.5Jerryscript ecma-helpers-value.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.51CVE-2022-22892
01/26/20223.53.5Jerryscript js-scanner-util.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.61CVE-2022-22890
01/26/20223.53.5JerryScript ecma-helpers-value.c ecma_is_value_object assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.48CVE-2021-46350
01/26/20223.53.5JerryScript ecma-literal-storage.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.41CVE-2021-46348
01/26/20223.53.5JerryScript lit-strings.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.44CVE-2021-46345
01/26/20223.53.5JerryScript js-parser-expr.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.41CVE-2021-46344
01/26/20223.53.5JerryScript js-parser-expr.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.38CVE-2021-46343
01/26/20223.53.5JerryScript ecma-helpers.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.42CVE-2021-46342
01/26/20223.53.5JerryScript js-scanner.c scanner_scan_statement_end assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.31CVE-2021-46340
01/26/20223.53.5JerryScript ecma-helpers-string.c ecma_new_ecma_string_from_utf8 assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.34CVE-2021-46339
01/26/20223.53.5JerryScript ecma-helpers.c ecma_get_lex_env_type assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.38CVE-2021-46338
01/26/20223.53.5JerryScript js-parser-mem.c parser_list_get assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.38CVE-2021-46337
01/26/20223.53.5JerryScript js-parser-expr.c parser_parse_class_body assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.48CVE-2021-46336
01/26/20226.36.1code-projects Pharmacy Management Administer Login Form sql injection(1): source_cve_nvd_summaryNot DefinedNot Defined0.51CVE-2021-44092
01/26/20225.15.0skylot jadx xml external entity reference(3): advisory_identifier, advisory_confirm_url, source_cve_nvd_summaryNot DefinedOfficial Fix0.41CVE-2022-0219
01/26/20224.64.6Lexmark Device Configuration File pathname traversal(1): source_cve_nvd_summaryNot DefinedNot Defined0.55CVE-2021-44737
01/26/20227.17.1Lexmark Device Initial Admin Account Setup Wizard access control(1): source_cve_nvd_summaryNot DefinedNot Defined0.62CVE-2021-44736
01/26/20225.55.5Lexmark Device Embedded Web Server command injection(1): source_cve_nvd_summaryNot DefinedNot Defined0.48CVE-2021-44735
01/26/20225.55.3Lexmark Device Postscript Interpreter buffer overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.83CVE-2021-44738
01/26/20224.44.3VS Code Extension Binary File insufficiently protected credentials(1): source_cve_nvd_summaryNot DefinedOfficial Fix0.42CVE-2021-32039
01/26/20225.55.5mingSoft MCMS writeFileContent.do unrestricted upload(1): source_cve_nvd_summaryNot DefinedNot Defined0.31CVE-2022-23315
01/26/20226.36.3mingSoft MCMS importJson.do sql injection(1): source_cve_nvd_summaryNot DefinedNot Defined0.31CVE-2022-23314
01/26/20225.55.5mingSoft MCMS New Template Module unrestricted upload(1): source_cve_nvd_summaryNot DefinedNot Defined0.31CVE-2022-22929
01/26/20225.55.5mingsoft MCMS hard-coded credentials(1): source_cve_nvd_summaryNot DefinedNot Defined0.28CVE-2022-22928
01/26/20227.87.5AIDE File Metadata Parser heap-based overflow(1): advisory_identifierNot DefinedOfficial Fix0.52CVE-2021-45417
01/26/20225.55.5JerryScript ecma-helpers-conversion.c ecma_utf8_string_to_number_by_radix heap-based overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.32CVE-2022-22895
01/26/20225.55.5JerryScript ecma-lcache.c ecma_lcache_lookup stack-based overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.48CVE-2022-22894
01/26/20225.55.5JerryScript vm.c vm_loop.lto_priv.304 stack-based overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.38CVE-2022-22893
01/26/20223.53.5JerryScript ecma-gc.c ecma_ref_object_inline memory corruption(1): source_cve_nvd_summaryNot DefinedNot Defined0.41CVE-2022-22891
01/26/20223.53.4JerryScript ecma-objects.c assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.46CVE-2021-46349
01/26/20223.53.4JerryScript ecma-objects.c ecma_object_check_class_name_is_object assertion(1): source_cve_nvd_summaryNot DefinedNot Defined0.45CVE-2021-46347
01/26/20223.53.5Moddable SDK fx_Function_prototype_hasInstance null pointer dereference(1): source_cve_nvd_summaryNot DefinedNot Defined0.38CVE-2021-46335
01/26/20225.55.5Moddable SDK __asan_memmove memory corruption(1): source_cve_nvd_summaryNot DefinedNot Defined0.32CVE-2021-46333
01/26/20225.55.5Moddable SDK _fini memory corruption(1): source_cve_nvd_summaryNot DefinedNot Defined0.37CVE-2021-46329
01/26/20225.55.5Moddable SDK __libc_start_main heap-based overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.38CVE-2021-46328
01/26/20225.55.5Moddable SDK __asan_memcpy heap-based overflow(1): source_cve_nvd_summaryNot DefinedNot Defined0.41CVE-2021-46326

2940 more entries are not shown

Interested in the pricing of exploits?

See the underground prices here!