2026-05-22

Weekly CVE Roundup — 2026-05-15 to 2026-05-22

Week of 2026-05-15 — 2026-05-22 · 95 CVEs analyzed

Summary

This week's critical vulnerabilities include CVE-2008-4250, CVE-2020-28271, CVE-2022-0664, CVE-2022-2807, and CVE-2022-3792, all with CVSS scores at or above 9.0. High-severity findings cover CVE-2009-1537, CVE-2009-3459, and CVE-2010-0249. The most severe vulnerability this week is CVE-2008-4250 (CVSS 9.8), affecting the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gol... Full technical analysis, proof-of-concept demonstrations, and remediation guidance are provided for each vulnerability.

CVE Details

CVE-2008-4250 CRITICAL
CVSS: 9.8
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."
CWE: CWE-94
CVE-2020-28271 CRITICAL
CVSS: 9.8
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.
CWE: CWE-1321
⚠ Proof of Concept / Exploit
CVE-2022-0664 CRITICAL
CVSS: 9.8
Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1.
CWE: CWE-321
⚠ Proof of Concept / Exploit
CVE-2022-2807 CRITICAL
CVSS: 9.8
SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection. This issue affects Prens Student Information System: before 2.1.11.
CWE: CWE-89
CVE-2022-3792 CRITICAL
CVSS: 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GullsEye GullsEye terminal operating system allows SQL Injection. This issue affects GullsEye terminal operating system: from unspecified before 5.0.13.
CWE: CWE-89
CVE-2022-4422 CRITICAL
CVSS: 9.8
Call Center System developed by Bulutses Information Technologies before version 3.0 has an unauthenticated SQL Injection vulnerability. This has been fixed in version 3.0.
CWE: CWE-89
CVE-2022-45088 CRITICAL
CVSS: 9.8
Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows PHP Local File Inclusion. This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-20
CVE-2022-4557 CRITICAL
CVSS: 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-89
CVE-2022-2504 CRITICAL
CVSS: 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection. This issue affects SDD-Baro: before 2.8.432.
CWE: CWE-89
CVE-2021-4105 CRITICAL
CVSS: 9.8
Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion. This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727.
CWE: CWE-755
CVE-2021-3854 CRITICAL
CVSS: 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15.
CWE: CWE-89
CVE-2021-3825 CRITICAL
CVSS: 9.6
The Lider module in LiderAhenk software, version 2.1.15 and below, leaks its configuration via an unsecured API. An attacker with access to the configuration API could obtain valid LDAP credentials.
CWE: CWE-306
CVE-2022-1277 CRITICAL
CVSS: 9.4
Inavitas Solar Log product has an unauthenticated SQL Injection vulnerability.
CWE: CWE-89
CVE-2022-2177 CRITICAL
CVSS: 9.4
Kayrasoft product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2.
CWE: CWE-89
CVE-2022-2315 CRITICAL
CVSS: 9.4
Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2.
CWE: CWE-89
CVE-2022-0495 CRITICAL
CVSS: 9.4
The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.
CWE: CWE-89
CVE-2009-1537 HIGH
CVSS: 8.8
Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability."
CWE: NVD-CWE-noinfo
CVE-2009-3459 HIGH
CVSS: 8.8
Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption, as exploited in the wild in October 2009. NOTE: some of these details are obtained from third party information.
CWE: CWE-119
CVE-2010-0249 HIGH
CVSS: 8.8
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Opera
CWE: CWE-416
CVE-2010-0806 HIGH
CVSS: 8.8
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka "Uninitialized Memory Corruption Vulnerability."
CWE: CWE-399
CVE-2022-21840 HIGH
CVSS: 8.8
Microsoft Office Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-23302 HIGH
CVSS: 8.8
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSS
CWE: CWE-502
CVE-2022-23307 HIGH
CVSS: 8.8
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CWE: CWE-502
CVE-2022-36110 HIGH
CVSS: 8.8
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.
CWE: CWE-285 | CWE-1220
⚠ Proof of Concept / Exploit
CVE-2022-41106 HIGH
CVSS: 8.8
Microsoft Excel Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-2808 HIGH
CVSS: 8.8
Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows Object Relational Mapping Injection. This issue affects Prens Student Information System: before 2.1.11.
CWE: CWE-639
CVE-2022-45089 HIGH
CVSS: 8.8
Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-89
CVE-2022-45090 HIGH
CVSS: 8.8
Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-89
CVE-2023-26314 HIGH
CVSS: 8.8
The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter.
CWE: NVD-CWE-noinfo
CVE-2021-3855 HIGH
CVSS: 8.8
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman Central Management System Liman MYS (HTTP/Controllers, CronMail, Jobs modules) allows Command Injection. This issue affects Liman Central Management System: from 1.7.0 before 1.8.3-462.
CWE: CWE-77
CVE-2021-44793 HIGH
CVSS: 8.6
Single Connect does not perform an authorization check when using the "sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information, including the database credentials. Since the database runs with high privileges, it is possible to execute commands with the obtained credentials.
CWE: CWE-862
CVE-2022-24036 HIGH
CVSS: 8.6
Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to modify logs.
CWE: CWE-284
CVE-2022-24037 HIGH
CVSS: 8.2
Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to obtain critical information.
CWE: CWE-20
CVE-2015-8325 HIGH
CVSS: 7.8
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
CWE: CWE-264
CVE-2021-42296 HIGH
CVSS: 7.8
Microsoft Word Remote Code Execution Vulnerability
CWE: CWE-94
CVE-2021-43256 HIGH
CVSS: 7.8
Microsoft Excel Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2021-43875 HIGH
CVSS: 7.8
Microsoft Office Graphics Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-21841 HIGH
CVSS: 7.8
Microsoft Excel Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-22709 HIGH
CVSS: 7.8
VP9 Video Extensions Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-23282 HIGH
CVSS: 7.8
Paint 3D Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24451 HIGH
CVSS: 7.8
VP9 Video Extensions Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24457 HIGH
CVSS: 7.8
HEIF Image Extensions Remote Code Execution Vulnerability
CWE: CWE-787
CVE-2022-24461 HIGH
CVSS: 7.8
Microsoft Office Visio Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24501 HIGH
CVSS: 7.8
VP9 Video Extensions Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24509 HIGH
CVSS: 7.8
Microsoft Office Visio Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24510 HIGH
CVSS: 7.8
Microsoft Office Visio Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24473 HIGH
CVSS: 7.8
Microsoft Excel Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-26901 HIGH
CVSS: 7.8
Microsoft Excel Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-29109 HIGH
CVSS: 7.8
Microsoft Excel Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-41061 HIGH
CVSS: 7.8
Microsoft Word Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-41063 HIGH
CVSS: 7.8
Microsoft Excel Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-41107 HIGH
CVSS: 7.8
Microsoft Office Graphics Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-44694 HIGH
CVSS: 7.8
Microsoft Office Visio Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-44695 HIGH
CVSS: 7.8
Microsoft Office Visio Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-44696 HIGH
CVSS: 7.8
Microsoft Office Visio Remote Code Execution Vulnerability
CWE: NVD-CWE-noinfo
CVE-2021-45031 HIGH
CVSS: 7.7
A vulnerability in MEPSAN's USC+ before version 3.0 has a weakness in the login function which lets attackers generate passwords for high-privileged accounts.
CWE: CWE-305
CVE-2022-25647 HIGH
CVSS: 7.7
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CWE: CWE-502
⚠ Proof of Concept / Exploit
CVE-2022-0778 HIGH
CVSS: 7.5
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to veri
CWE: CWE-835
⚠ Proof of Concept / Exploit
CVE-2022-2265 HIGH
CVSS: 7.5
The Identity and Directory Management System developed by Çekino Bilgi Teknolojileri before version 2.1.25 has an unauthenticated path traversal vulnerability. This has been fixed in version 2.1.25.
CWE: CWE-35
CVE-2022-3693 HIGH
CVSS: 7.5
Path Traversal vulnerability in Deytek Informatics FileOrbis File Management System allows Path Traversal. This issue affects FileOrbis File Management System: from unspecified before 10.6.3.
CWE: CWE-35
CVE-2022-23650 HIGH
CVSS: 7.2
Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 0.10.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter knows the address and username of the admin. This affects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds.
CWE: CWE-321
⚠ Proof of Concept / Exploit
CVE-2022-27224 HIGH
CVSS: 7.2
An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools section of the web-management interface. All three networking tools are affected (Ping, Traceroute, and DNS Lookup) and their respective input fields (ping_address, trace_address, nslookup_address).
CWE: CWE-78
⚠ Proof of Concept / Exploit
CVE-2020-17103 HIGH
CVSS: 7.0
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CWE: NVD-CWE-noinfo
CVE-2018-10622 MEDIUM
CVSS: 6.8
Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.
CWE: CWE-313
⚠ Proof of Concept / Exploit
CVE-2021-42293 MEDIUM
CVSS: 6.5
Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-26934 MEDIUM
CVSS: 6.5
Windows Graphics Component Information Disclosure Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24038 MEDIUM
CVSS: 6.5
Karmasis Informatics Infraskope SIEM+ has an unauthenticated access vulnerability which could allow an unauthenticated attacker to damage the page where the agents are listed.
CWE: CWE-284
CVE-2022-45085 MEDIUM
CVSS: 6.5
Server-Side Request Forgery (SSRF) vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Server-Side Request Forgery. This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-918
CVE-2021-45477 MEDIUM
CVSS: 6.5
Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2.
CWE: CWE-233
CVE-2021-45478 MEDIUM
CVSS: 6.5
Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: before 19.2.
CWE: CWE-233
CVE-2022-2266 MEDIUM
CVSS: 6.1
University Library Automation System developed by Yordam Bilgi Teknolojileri before version 19.2 has an unauthenticated Reflected XSS vulnerability. This has been fixed in version 19.2.
CWE: CWE-79
CVE-2022-45087 MEDIUM
CVSS: 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Cross-Site Scripting (XSS). This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-79
CVE-2022-2178 MEDIUM
CVSS: 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saysis Computer Starcities allows Cross-Site Scripting (XSS). This issue affects Starcities: before 1.1.
CWE: CWE-79
CVE-2013-2566 MEDIUM
CVSS: 5.9
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
CWE: CWE-326
CVE-2005-4900 MEDIUM
CVSS: 5.9
SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.
CWE: CWE-326
CVE-2019-11840 MEDIUM
CVSS: 5.9
An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystre
CWE: CWE-330
⚠ Proof of Concept / Exploit
CVE-2021-42295 MEDIUM
CVSS: 5.5
Visual Basic for Applications Information Disclosure Vulnerability
CWE: NVD-CWE-noinfo
CVE-2021-43255 MEDIUM
CVSS: 5.5
Microsoft Office Trust Center Spoofing Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24462 MEDIUM
CVSS: 5.5
Microsoft Word Security Feature Bypass Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-24511 MEDIUM
CVSS: 5.5
Microsoft Office Word Tampering Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-29107 MEDIUM
CVSS: 5.5
Microsoft Office Security Feature Bypass Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-41060 MEDIUM
CVSS: 5.5
Microsoft Word Information Disclosure Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-41103 MEDIUM
CVSS: 5.5
Microsoft Word Information Disclosure Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-41104 MEDIUM
CVSS: 5.5
Microsoft Excel Security Feature Bypass Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-41105 MEDIUM
CVSS: 5.5
Microsoft Excel Information Disclosure Vulnerability
CWE: NVD-CWE-noinfo
CVE-2022-0900 MEDIUM
CVSS: 5.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NetDataSoft DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from unspecified before v.4.6.2.0.
CWE: CWE-79
CVE-2022-4554 MEDIUM
CVSS: 5.4
B2B Customer Ordering System developed by ID Software Project and Consultancy Services before version 1.0.0.347 has an authenticated Reflected XSS vulnerability. This has been fixed in the version 1.0.0.347.
CWE: CWE-79
CVE-2022-45086 MEDIUM
CVSS: 5.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Cross-Site Scripting (XSS). This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-79
CVE-2022-45091 MEDIUM
CVSS: 5.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows Cross-Site Scripting (XSS). This issue affects Smartpower Web: before 23.01.01.
CWE: CWE-79
CVE-2021-45479 MEDIUM
CVSS: 5.4
Improper Neutralization of Input During Web Page Generation vulnerability in Yordam Information Technologies Library Automation System allows Stored XSS. This issue affects Library Automation System: before 19.2.
CWE: CWE-79
CVE-2021-3806 MEDIUM
CVSS: 5.3
A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.
CWE: CWE-22
CVE-2021-44792 MEDIUM
CVSS: 5.3
Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.
CWE: CWE-862
CVE-2021-44794 MEDIUM
CVSS: 5.3
Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.
CWE: CWE-862
CVE-2021-44795 MEDIUM
CVSS: 5.3
Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users' permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users without authenticating.
CWE: CWE-862
CVE-2021-45475 MEDIUM
CVSS: 5.3
Yordam Library Information Document Automation product before version 19.02 has an unauthenticated information disclosure vulnerability.
CWE: CWE-200