Vulnerabilities > Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-22 | CVE-2022-33012 | Injection vulnerability in Microweber 1.2.15 Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack. | 8.8 |
| 2022-11-19 | CVE-2022-4064 | Injection vulnerability in Dalli Project Dalli A vulnerability was found in Dalli. | 3.7 |
| 2022-11-18 | CVE-2021-33621 | Injection vulnerability in multiple products The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. | 8.8 |
| 2022-11-04 | CVE-2022-43562 | Injection vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning. | 5.4 |
| 2022-11-04 | CVE-2022-20772 | Injection vulnerability in Cisco products A vulnerability in Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to the failure of the application or its environment to properly sanitize input values. | 5.3 |
| 2022-11-03 | CVE-2022-39382 | Injection vulnerability in Keystonejs Keystone 3.0.0/3.0.1 Keystone is a headless CMS for Node.js — built with GraphQL and React.`@keystone-6/[email protected] || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `"development"` for user code, irrespective of what your environment variables. | 9.8 |
| 2022-11-01 | CVE-2022-31777 | Injection vulnerability in Apache Spark A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the logs which would be returned in logs rendered in the UI. | 5.4 |
| 2022-10-31 | CVE-2022-39016 | Injection vulnerability in M-Files Hubshare Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload. | 8.8 |
| 2022-10-28 | CVE-2021-38395 | Injection vulnerability in Honeywell products Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. | 9.8 |
| 2022-10-26 | CVE-2022-42468 | Injection vulnerability in Apache Flume Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. | 9.8 |