Weekly Vulnerabilities Reports > May 16 to 22, 2022

Overview

467 new vulnerabilities reported during this period, including 53 critical vulnerabilities and 112 high severity vulnerabilities. This weekly summary report vulnerabilities in 639 products from 219 vendors including Jenkins, Siemens, Google, Arubanetworks, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Improper Input Validation", "OS Command Injection", and "Unrestricted Upload of File with Dangerous Type".

  • 374 reported vulnerabilities are remotely exploitables.
  • 6 reported vulnerabilities have public exploit available.
  • 179 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 294 reported vulnerabilities are exploitable by an anonymous user.
  • Jenkins has the most reported vulnerabilities, with 28 reported vulnerabilities.
  • Arubanetworks has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

53 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-20 CVE-2022-29165 Argoproj Authentication Bypass by Spoofing vulnerability in Argoproj Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

10.0
2022-05-20 CVE-2021-34111 Thecus OS Command Injection vulnerability in Thecus N4800Eco Firmware

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

10.0
2022-05-19 CVE-2020-16209 Fieldcommgroup Stack-based Buffer Overflow vulnerability in Fieldcommgroup Hart-Ip Developer KIT Firmware and Hipserver

A malicious attacker could exploit the interface of the Fieldcomm Group HART-IP (release 1.0.0.0) by constructing messages with sufficiently large payloads to overflow the internal buffer and crash the device, or obtain control of the device.

10.0
2022-05-19 CVE-2022-28349 ARM Use After Free vulnerability in ARM products

Arm Mali GPU Kernel Driver has a use-after-free: Midgard r28p0 through r29p0 before r30p0, Bifrost r17p0 through r23p0 before r24p0, and Valhall r19p0 through r23p0 before r24p0.

10.0
2022-05-19 CVE-2022-28350 ARM Use After Free vulnerability in ARM Valhall GPU Kernel Driver R34P0

Arm Mali GPU Kernel Driver allows improper GPU operations in Valhall r29p0 through r36p0 before r37p0 to reach a use-after-free situation.

10.0
2022-05-18 CVE-2022-30105 Belkin OS Command Injection vulnerability in Belkin N300 Firmware 1.00.08

In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities.

10.0
2022-05-18 CVE-2022-29516 Fujitsu OS Command Injection vulnerability in Fujitsu products

The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 2500, 2700), IPCOM EX LB(1100, 1300, 2300, 2500, 2700), IPCOM EX SC(1100, 1300, 2300, 2500, 2700), and IPCOM EX NW(1100, 1300, 2300, 2500, 2700)) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.

10.0
2022-05-18 CVE-2022-29644 Totolink Use of Hard-coded Credentials vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for the telnet service stored in the component /web_cste/cgi-bin/product.ini.

10.0
2022-05-18 CVE-2022-29645 Totolink Use of Hard-coded Credentials vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for root stored in the component /etc/shadow.sample.

10.0
2022-05-16 CVE-2022-23657 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

10.0
2022-05-16 CVE-2022-23658 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

10.0
2022-05-16 CVE-2022-23660 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

10.0
2022-05-16 CVE-2021-27446 Weintek Code Injection vulnerability in Weintek products

The Weintek cMT product line is vulnerable to code injection, which may allow an unauthenticated remote attacker to execute commands with root privileges on the operation system.

10.0
2022-05-17 CVE-2022-28181 Nvidia Out-of-bounds Write vulnerability in Nvidia GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

9.9
2022-05-21 CVE-2022-31259 Beego Unspecified vulnerability in Beego

The route lookup process in beego before 1.12.9 and 2.x before 2.0.3 allows attackers to bypass access control.

9.8
2022-05-20 CVE-2022-22972 Vmware Unspecified vulnerability in VMWare products

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.

9.8
2022-05-20 CVE-2022-29186 Pagerduty Use of Hard-coded Credentials vulnerability in Pagerduty Rundeck

Rundeck is an open source automation service with a web console, command line tools and a WebAPI.

9.8
2022-05-20 CVE-2022-28995 Yogeshojha Unspecified vulnerability in Yogeshojha Rengine 1.0.2

Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml configuration function.

9.8
2022-05-20 CVE-2022-28660 Grafana Missing Authentication for Critical Function vulnerability in Grafana 1.1.0/1.2.0/1.3.0

The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used.

9.8
2022-05-20 CVE-2022-28993 Bdtask Missing Authorization vulnerability in Bdtask Multi Store Inventory Management System 1.0

Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request.

9.8
2022-05-20 CVE-2022-29021 Openrazer Project Classic Buffer Overflow vulnerability in Openrazer Project Openrazer

A buffer overflow vulnerability exists in the razerkbd driver of OpenRazer up to version v3.3.0 allows attackers to cause a Denial of Service (DoS) and possibly escalate their privileges via a crafted buffer sent to the matrix_custom_frame device.

9.8
2022-05-20 CVE-2022-29022 Openrazer Project Classic Buffer Overflow vulnerability in Openrazer Project Openrazer

A buffer overflow vulnerability exists in the razeraccessory driver of OpenRazer up to version v3.3.0 allows attackers to cause a Denial of Service (DoS) and possibly escalate their privileges via a crafted buffer sent to the matrix_custom_frame device.

9.8
2022-05-20 CVE-2022-29023 Openrazer Project Classic Buffer Overflow vulnerability in Openrazer Project Openrazer

A buffer overflow vulnerability exists in the razermouse driver of OpenRazer up to version v3.3.0 allows attackers to cause a Denial of Service (DoS) and possibly escalate their privileges via a crafted buffer sent to the matrix_custom_frame device.

9.8
2022-05-19 CVE-2022-28962 Online Sports Complex Booking System Project SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.

9.8
2022-05-19 CVE-2022-22978 Vmware
Oracle
Netapp
Incorrect Authorization vulnerability in multiple products

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.

9.8
2022-05-19 CVE-2022-28348 ARM Use After Free vulnerability in ARM products

Arm Mali GPU Kernel Driver (Midgard r4p0 through r31p0, Bifrost r0p0 through r36p0 before r37p0, and Valhall r19p0 through r36p0 before r37p0) allows improper GPU memory operations to reach a use-after-free situation.

9.8
2022-05-18 CVE-2022-30599 Moodle
Redhat
Fedoraproject
SQL Injection vulnerability in multiple products

A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

9.8
2022-05-18 CVE-2022-30600 Moodle
Redhat
Fedoraproject
Incorrect Calculation vulnerability in multiple products

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

9.8
2022-05-18 CVE-2022-1795 Gpac Use After Free vulnerability in Gpac

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV.

9.8
2022-05-17 CVE-2022-28617 HP Unspecified vulnerability in HP Oneview

A remote bypass security restrictions vulnerability was discovered in HPE OneView version(s): Prior to 7.0.

9.8
2022-05-16 CVE-2021-33318 Watsonwebserver Project
Ipmatcher Project
Incorrect Type Conversion or Cast vulnerability in multiple products

An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets.

9.8
2022-05-16 CVE-2022-1386 Fusion Builder Project
Theme Fusion
Server-Side Request Forgery (SSRF) vulnerability in multiple products

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests.

9.8
2022-05-16 CVE-2022-29351 Tiddlywiki Unrestricted Upload of File with Dangerous Type vulnerability in Tiddlywiki Tiddlywiki5 5.2.2

An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file.

9.8
2022-05-16 CVE-2022-29622 Formidable Project Unrestricted Upload of File with Dangerous Type vulnerability in Formidable Project Formidable 3.1.4

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename.

9.8
2022-05-16 CVE-2022-30011 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

In HMS 1.0 when requesting appointment.php through POST, multiple parameters can lead to a SQL injection vulnerability.

9.8
2022-05-16 CVE-2022-30767 Denx
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow.

9.8
2022-05-17 CVE-2022-1362 Cambiumnetworks OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3

The affected On-Premise cnMaestro is vulnerable inside a specific route where a user can upload a crafted package to the system.

9.3
2022-05-16 CVE-2022-1586 Pcre
Fedoraproject
Redhat
Netapp
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file.

9.1
2022-05-16 CVE-2022-1587 Pcre
Redhat
Fedoraproject
Netapp
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file.

9.1
2022-05-16 CVE-2022-23662 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

9.1
2022-05-20 CVE-2022-31245 Mailcow OS Command Injection vulnerability in Mailcow Mailcow: Dockerized

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

9.0
2022-05-19 CVE-2022-30617 Strapi Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user.

9.0
2022-05-17 CVE-2022-24388 Fidelissecurity Command Injection vulnerability in Fidelissecurity Deception and Network

Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components.

9.0
2022-05-17 CVE-2022-24389 Fidelissecurity Command Injection vulnerability in Fidelissecurity Deception and Network

Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components.

9.0
2022-05-17 CVE-2022-24392 Fidelissecurity Command Injection vulnerability in Fidelissecurity Deception and Network

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter.

9.0
2022-05-17 CVE-2022-24393 Fidelissecurity Command Injection vulnerability in Fidelissecurity Deception and Network

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “check_vertica_upgrade” value for the “cpIp” parameter.

9.0
2022-05-17 CVE-2022-24394 Fidelissecurity Command Injection vulnerability in Fidelissecurity Deception and Network

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “update_checkfile” value for the “filename” parameter.

9.0
2022-05-16 CVE-2022-23661 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

9.0
2022-05-16 CVE-2022-23663 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

9.0
2022-05-16 CVE-2022-23664 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

9.0
2022-05-16 CVE-2022-23665 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

9.0
2022-05-16 CVE-2022-23666 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

9.0
2022-05-16 CVE-2021-23267 Craftercms Improper Control of Dynamically-Managed Code Resources vulnerability in Craftercms Crafter CMS

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

9.0

112 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-20 CVE-2022-28992 Phpgurukul Cross-Site Request Forgery (CSRF) vulnerability in PHPgurukul Online Banquet Booking System 1.0

A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.

8.8
2022-05-19 CVE-2022-28960 Spip Improper Encoding or Escaping of Output vulnerability in Spip

A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.

8.8
2022-05-19 CVE-2022-29304 Online Sports Complex Booking System Project SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.

8.8
2022-05-19 CVE-2022-1423 Gitlab Missing Authorization vulnerability in Gitlab

Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches

8.8
2022-05-19 CVE-2022-30018 Mobotix Insufficiently Protected Credentials vulnerability in Mobotix Mxcontrolcenter 2.5.4.5

Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file.

8.8
2022-05-18 CVE-2022-1727 Diagrams Improper Input Validation vulnerability in Diagrams Drawio

Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6.

8.8
2022-05-17 CVE-2022-29429 Code Snippets Extended Project Cross-Site Request Forgery (CSRF) vulnerability in Code Snippets Extended Project Code Snippets Extended

Remote Code Execution (RCE) in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery.

8.8
2022-05-17 CVE-2022-30950 Jenkins Classic Buffer Overflow vulnerability in Jenkins WMI Windows Agents

Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library which has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.

8.8
2022-05-17 CVE-2022-30951 Jenkins Missing Authorization vulnerability in Jenkins WMI Windows Agents

Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in.

8.8
2022-05-17 CVE-2022-30958 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins SSH

A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2022-05-17 CVE-2022-30969 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter 1.0/1.1

A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.

8.8
2022-05-17 CVE-2022-30971 Jenkins XXE vulnerability in Jenkins Storable Configs 1.0

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.8
2022-05-17 CVE-2022-30972 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Storage Configs

A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

8.8
2022-05-20 CVE-2022-29170 Grafana Open Redirect vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

8.5
2022-05-17 CVE-2022-30945 Jenkins Unspecified vulnerability in Jenkins Pipeline: Groovy

Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

8.5
2022-05-20 CVE-2022-29181 Nokogiri
Apple
Improper Handling of Unexpected Data Type vulnerability in multiple products

Nokogiri is an open source XML and HTML library for Ruby.

8.2
2022-05-18 CVE-2022-29639 Totolink Unspecified vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a command injection vulnerability via the magicid parameter in the function uci_cloudupdate_config.

8.1
2022-05-20 CVE-2022-22973 Vmware Unspecified vulnerability in VMWare products

VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability.

7.8
2022-05-20 CVE-2022-24287 Siemens Insecure Default Initialization of Resource vulnerability in Siemens products

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3 UC06), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1 UC01), SIMATIC WinCC Runtime Professional V16 and earlier (All versions), SIMATIC WinCC Runtime Professional V17 (All versions < V17 Upd4), SIMATIC WinCC V7.3 (All versions), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 21), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 8).

7.8
2022-05-20 CVE-2022-26634 HMA Unquoted Search Path or Element vulnerability in HMA Hidemyass 5.3.5913.0

HMA VPN v5.3.5913.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.

7.8
2022-05-19 CVE-2022-1796 VIM Use After Free vulnerability in VIM

Use After Free in GitHub repository vim/vim prior to 8.2.4979.

7.8
2022-05-19 CVE-2022-1785 VIM
Debian
Out-of-bounds Write vulnerability in multiple products

Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.

7.8
2022-05-18 CVE-2022-30138 Microsoft Unspecified vulnerability in Microsoft products

Windows Print Spooler Elevation of Privilege Vulnerability

7.8
2022-05-18 CVE-2022-30033 Tenda Classic Buffer Overflow vulnerability in Tenda TX9 PRO Firmware 22.03.02.10

Tenda TX9 Pro V22.03.02.10 is vulnerable to Buffer Overflow via the functtion setIPv6Status() in httpd module.

7.8
2022-05-18 CVE-2021-42704 Inkscape Out-of-bounds Write vulnerability in Inkscape 0.91

Inkscape version 0.91 is vulnerable to an out-of-bounds write, which may allow an attacker to arbitrary execute code.

7.8
2022-05-18 CVE-2022-25161 Mitsubishielectric
Mitsubhishielectric
Improper Input Validation vulnerability in multiple products

Improper Input Validation vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior and versions prior to 1.073, MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 179**** and prior and versions prior to 1.073, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DSS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MR/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/z(x=24,40,60, y=T,R, z=ES,ESS) versions prior to 1.030, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/ES-A(x=24,40,60, y=T,R) versions prior to 1.031 and Mitsubishi Electric MELSEC iQ-F series FX5S-xMy/z(x=30,40,60,80, y=T,R, z=ES,ESS) version 1.000 allows a remote unauthenticated attacker to cause a DoS condition for the product's program execution or communication by sending specially crafted packets.

7.8
2022-05-18 CVE-2022-28917 Tenda Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn

Tenda AX12 v22.03.01.21_cn was discovered to contain a stack overflow via the lanIp parameter in /goform/AdvSetLanIp.

7.8
2022-05-18 CVE-2022-30065 Busybox
Siemens
Use After Free vulnerability in multiple products

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.

7.8
2022-05-18 CVE-2022-29638 Totolink Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the comment parameter in the function setIpQosRules.

7.8
2022-05-18 CVE-2022-29640 Totolink Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the comment parameter in the function setPortForwardRules.

7.8
2022-05-18 CVE-2022-29641 Totolink Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the startTime and endTime parameters in the function setParentalRules.

7.8
2022-05-18 CVE-2022-29642 Totolink Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the url parameter in the function setUrlFilterRules.

7.8
2022-05-18 CVE-2022-29643 Totolink Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the macAddress parameter in the function setMacQos.

7.8
2022-05-17 CVE-2022-29162 Linuxfoundation
Fedoraproject
Incorrect Default Permissions vulnerability in multiple products

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

7.8
2022-05-17 CVE-2022-28184 Nvidia Unspecified vulnerability in Nvidia GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering.

7.8
2022-05-17 CVE-2022-1735 VIM
Apple
Classic Buffer Overflow vulnerability in multiple products

Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.

7.8
2022-05-17 CVE-2022-30688 Needrestart Project
Debian
needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation.
7.8
2022-05-17 CVE-2022-1116 Linux
Netapp
Integer Overflow or Wraparound vulnerability in multiple products

Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root.

7.8
2022-05-17 CVE-2022-1733 VIM
Fedoraproject
Apple
Heap-based Buffer Overflow vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.

7.8
2022-05-17 CVE-2022-1769 VIM
Fedoraproject
Apple
Buffer Over-read vulnerability in multiple products

Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974.

7.8
2022-05-17 CVE-2022-29581 Linux
Debian
Canonical
Netapp
Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root.
7.8
2022-05-16 CVE-2022-1679 Linux
Debian
Netapp
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages.

7.8
2022-05-18 CVE-2021-42852 Lenovo OS Command Injection vulnerability in Lenovo products

A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.

7.7
2022-05-22 CVE-2022-1813 Rengine Project OS Command Injection vulnerability in Rengine Project Rengine

OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0.

7.5
2022-05-21 CVE-2022-31264 Solanalabs Integer Overflow or Wraparound vulnerability in Solanalabs Rbpf

Solana solana_rbpf before 0.2.29 has an addition integer overflow via invalid ELF program headers.

7.5
2022-05-21 CVE-2022-31267 Gitblit Improper Privilege Management vulnerability in Gitblit 1.9.2

Gitblit 1.9.2 allows privilege escalation via the Config User Service: a control character can be placed in a profile data field, such as an emailAddress%3Atext '[email protected]\n\trole = "#admin"' value.

7.5
2022-05-20 CVE-2022-1775 Trudesk Project Weak Password Requirements vulnerability in Trudesk Project Trudesk

Weak Password Requirements in GitHub repository polonel/trudesk prior to 1.2.2.

7.5
2022-05-20 CVE-2022-28618 HPE Command Injection vulnerability in HPE Nimbleos

A command injection security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays and HPE Nimble Storage Secondary Flash Arrays that could allow an attacker to execute arbitrary commands on a Nimble appliance.

7.5
2022-05-20 CVE-2022-21195 URL Regex Project Unspecified vulnerability in Url-Regex Project Url-Regex

All versions of package url-regex are vulnerable to Regular Expression Denial of Service (ReDoS) which can cause the CPU usage to crash.

7.5
2022-05-20 CVE-2022-28531 Covid 19 Directory ON Vaccination System Project SQL Injection vulnerability in Covid-19 Directory on Vaccination System Project Covid-19 Directory on Vaccination System 1.0

Sourcecodester Covid-19 Directory on Vaccination System1.0 is vulnerable to SQL Injection via the admin/login.php txtusername (aka Username) field.

7.5
2022-05-20 CVE-2022-24290 Siemens Stack-based Buffer Overflow vulnerability in Siemens Teamcenter

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9), Teamcenter V13.1 (All versions), Teamcenter V13.2 (All versions < V13.2.0.8), Teamcenter V13.3 (All versions < V13.3.0.3), Teamcenter V14.0 (All versions < V14.0.0.2).

7.5
2022-05-20 CVE-2022-26632 Multi Vendor Online Groceries Management System Project SQL Injection vulnerability in Multi-Vendor Online Groceries Management System Project Multi-Vendor Online Groceries Management System 1.0

Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php.

7.5
2022-05-20 CVE-2022-26633 Simple Student Quarterly Result Grade System Project SQL Injection vulnerability in Simple Student Quarterly Result/Grade System Project Simple Student Quarterly Result/Grade System 1.0

Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php.

7.5
2022-05-20 CVE-2022-28104 Foxit Unrestricted Upload of File with Dangerous Type vulnerability in Foxit PDF Editor 11.3.1

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

7.5
2022-05-20 CVE-2022-28105 Online Sports Complex Booking System Project SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0

Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php.

7.5
2022-05-20 CVE-2022-28106 Online Sports Complex Booking System Project Improper Authentication vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0

Online Sports Complex Booking System v1.0 was discovered to allow attackers to take over user accounts via a crafted POST request.

7.5
2022-05-20 CVE-2022-28991 Bdtask Forced Browsing vulnerability in Bdtask Multi Store Inventory Management System 1.0

Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.

7.5
2022-05-20 CVE-2022-29801 Siemens XXE vulnerability in Siemens Teamcenter 12.4/13.0

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9).

7.5
2022-05-20 CVE-2022-29873 Siemens Unspecified vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

7.5
2022-05-20 CVE-2022-30518 Chatbot Application With A Suggestion Feature Project SQL Injection vulnerability in Chatbot Application With a Suggestion Feature Project Chatbot Application With a Suggestion Feature 1.0

ChatBot Application with a Suggestion Feature 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /simple_chat_bot/admin/responses/view_response.php.

7.5
2022-05-20 CVE-2022-30886 School Dormitory Management System Project SQL Injection vulnerability in School Dormitory Management System Project School Dormitory Management System 1.0

School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_collection_report.php.

7.5
2022-05-20 CVE-2022-30887 Pharmacy Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Pharmacy Management System Project Pharmacy Management System 1.0

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php.

7.5
2022-05-20 CVE-2022-21500 Oracle Unspecified vulnerability in Oracle E-Business Suite and User Management

Vulnerability in Oracle E-Business Suite (component: Manage Proxies).

7.5
2022-05-19 CVE-2022-28948 Yaml Project
Netapp
Deserialization of Untrusted Data vulnerability in multiple products

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

7.5
2022-05-19 CVE-2020-14496 Mitsubishielectric Unspecified vulnerability in Mitsubishielectric products

Successful exploitation of this vulnerability for multiple Mitsubishi Electric Factory Automation Engineering Software Products of various versions could allow an attacker to escalate privilege and execute malicious programs, which could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed.

7.5
2022-05-19 CVE-2022-1413 Gitlab Insufficiently Protected Credentials vulnerability in Gitlab

Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface

7.5
2022-05-19 CVE-2022-28927 Subconverter Project Unrestricted Upload of File with Dangerous Type vulnerability in Subconverter Project Subconverter 0.7.2

A remote code execution (RCE) vulnerability in Subconverter v0.7.2 allows attackers to execute arbitrary code via crafted config and url parameters.

7.5
2022-05-19 CVE-2021-26630 Handysoft Improper Input Validation vulnerability in Handysoft Groupware

Improper input validation vulnerability in HANDY Groupware’s ActiveX moudle allows attackers to download or execute arbitrary files.

7.5
2022-05-19 CVE-2021-37413 Grandcom SQL Injection vulnerability in Grandcom Dynweb

GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface.

7.5
2022-05-19 CVE-2022-1183 ISC
Netapp
Reachable Assertion vulnerability in multiple products

On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure.

7.5
2022-05-18 CVE-2022-30990 Acronis Incorrect Permission Assignment for Critical Resource vulnerability in Acronis Agent and Cyber Protect

Sensitive information disclosure due to insecure folder permissions.

7.5
2022-05-18 CVE-2022-1767 Diagrams Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.

7.5
2022-05-18 CVE-2022-28956 Dlink Unspecified vulnerability in Dlink Dir-816L Firmware 206B01

An issue in the getcfg.php component of D-Link DIR816L_FW206b01 allows attackers to access the device via a crafted payload.

7.5
2022-05-17 CVE-2022-1357 Cambiumnetworks OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3

The affected On-Premise cnMaestro allows an unauthenticated attacker to access the cnMaestro server and execute arbitrary code in the privileges of the web server.

7.5
2022-05-17 CVE-2022-1360 Cambiumnetworks OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3

The affected On-Premise cnMaestro is vulnerable to execution of code on the cnMaestro hosting server.

7.5
2022-05-17 CVE-2022-28616 HP Server-Side Request Forgery (SSRF) vulnerability in HP Oneview

A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0.

7.5
2022-05-17 CVE-2022-30052 Home Clean Service System Project SQL Injection vulnerability in Home Clean Service System Project Home Clean Service System 1.0

In Home Clean Service System 1.0, the password parameter is vulnerable to SQL injection attacks.

7.5
2022-05-17 CVE-2022-30053 Toll TAX Management System Project SQL Injection vulnerability in Toll TAX Management System Project Toll TAX Management System 1.0

In Toll Tax Management System 1.0, the id parameter appears to be vulnerable to SQL injection attacks.

7.5
2022-05-17 CVE-2022-30054 Covid 19 Travel Pass Management Project SQL Injection vulnerability in Covid 19 Travel Pass Management Project Covid 19 Travel Pass Management 1.0

In Covid 19 Travel Pass Management 1.0, the code parameter is vulnerable to SQL injection attacks.

7.5
2022-05-17 CVE-2022-23671 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

7.5
2022-05-17 CVE-2022-24108 Skyoftech Deserialization of Untrusted Data vulnerability in Skyoftech SO Listing Tabs 2.2.0

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data.

7.5
2022-05-17 CVE-2022-30947 Jenkins Unspecified vulnerability in Jenkins GIT

Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

7.5
2022-05-17 CVE-2022-30948 Jenkins Unspecified vulnerability in Jenkins Mercurial

Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

7.5
2022-05-17 CVE-2022-26650 Apache Unspecified vulnerability in Apache Shenyu 2.4.0/2.4.1/2.4.2

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user.

7.5
2022-05-16 CVE-2021-27444 Weintek Unspecified vulnerability in Weintek products

The Weintek cMT product line is vulnerable to various improper access controls, which may allow an unauthenticated attacker to remotely access and download sensitive information and perform administrative actions on behalf of a legitimate administrator.

7.5
2022-05-16 CVE-2022-30055 Mersenne Classic Buffer Overflow vulnerability in Mersenne Prime95 30.7

Prime95 30.7 build 9 suffers from a Buffer Overflow vulnerability that could lead to Remote Code Execution.

7.5
2022-05-16 CVE-2022-0867 Reputeinfosystems SQL Injection vulnerability in Reputeinfosystems Pricing Table

The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users

7.5
2022-05-16 CVE-2022-1713 Diagrams Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4.

7.5
2022-05-16 CVE-2022-1721 Diagrams Path Traversal vulnerability in Diagrams Drawio

Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5.

7.5
2022-05-16 CVE-2021-42897 Feminer WMS Project OS Command Injection vulnerability in Feminer WMS Project Feminer WMS 1.0

A remote command execution (RCE) vulnerability was found in FeMiner wms V1.0 in /wms/src/system/datarec.php.

7.5
2022-05-16 CVE-2022-29353 Graphql Upload Project Unrestricted Upload of File with Dangerous Type vulnerability in Graphql-Upload Project Graphql-Upload 13.0.0

An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename.

7.5
2022-05-16 CVE-2022-29354 Keystonejs Unrestricted Upload of File with Dangerous Type vulnerability in Keystonejs Keystone 4.2.1

An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file.

7.5
2022-05-16 CVE-2022-30781 Gitea Improper Encoding or Escaping of Output vulnerability in Gitea

Gitea before 1.16.7 does not escape git fetch remote.

7.5
2022-05-16 CVE-2022-30763 Janet Lang Improper Validation of Array Index vulnerability in Janet-Lang Janet

Janet before 1.22.0 mishandles arrays.

7.5
2022-05-16 CVE-2022-30765 Calibre WEB Project SQL Injection vulnerability in Calibre-Web Project Calibre-Web 0.6.18

Calibre-Web before 0.6.18 allows user table SQL Injection.

7.5
2022-05-16 CVE-2022-29586 Konicaminolta Unspecified vulnerability in Konicaminolta products

Konica Minolta bizhub MFP devices before 2022-04-14 allow a Sandbox Escape.

7.4
2022-05-20 CVE-2022-29179 Cilium Improper Privilege Management vulnerability in Cilium

Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads.

7.2
2022-05-20 CVE-2021-30028 Sooteway WI FI Range Extender Project Improper Authentication vulnerability in Sooteway Wi-Fi Range Extender Project Sooteway Wi-Fi Range Extender 1.5

SOOTEWAY Wi-Fi Range Extender v1.5 was discovered to use default credentials (the admin password for the admin account) to access the TELNET service, allowing attackers to erase/read/write the firmware remotely.

7.2
2022-05-20 CVE-2022-27094 Sony Unquoted Search Path or Element vulnerability in Sony Playmemories Home 6.0

Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.

7.2
2022-05-20 CVE-2022-27095 Battleye Unquoted Search Path or Element vulnerability in Battleye 0.9

BattlEye v0.9 contains an unquoted service path which allows attackers to escalate privileges to the system level.

7.2
2022-05-20 CVE-2022-29320 Minitool Unquoted Search Path or Element vulnerability in Minitool Partition Wizard 12.0

MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.

7.2
2022-05-17 CVE-2022-1356 Cambiumnetworks OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3

cnMaestro is vulnerable to a local privilege escalation.

7.2
2022-05-17 CVE-2022-0486 Fidelissecurity Incorrect Default Permissions vulnerability in Fidelissecurity Deception and Network

Improper file permissions in the CommandPost, Collector, Sensor, and Sandbox components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected files and enable escalation of privileges equivalent to the root user.

7.2
2022-05-17 CVE-2022-0997 Fidelissecurity Incorrect Default Permissions vulnerability in Fidelissecurity Deception and Network

Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which could result in arbitrary commands being run as root upon subsequent logon by a root user.

7.2
2022-05-17 CVE-2022-23672 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

7.2
2022-05-17 CVE-2022-23673 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

7.2
2022-05-17 CVE-2022-30007 Gxcms Project Unrestricted Upload of File with Dangerous Type vulnerability in Gxcms Project Gxcms 1.5

GXCMS V1.5 has a file upload vulnerability in the background.

7.2
2022-05-16 CVE-2022-30523 Trendmicro Link Following vulnerability in Trendmicro Password Manager

Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder as SYSTEM which can then be used for privilege escalation on the affected machine.

7.2
2022-05-17 CVE-2022-28183 Nvidia Out-of-bounds Read vulnerability in Nvidia GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.

7.1
2022-05-17 CVE-2022-28185 Nvidia Out-of-bounds Write vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering.

7.1
2022-05-18 CVE-2022-1734 Linux
Debian
Netapp
Use After Free vulnerability in multiple products

A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.

7.0
2022-05-18 CVE-2022-29518 Koyoele Unspecified vulnerability in Koyoele products

Screen Creator Advance2, HMI GC-A2 series, and Real time remote monitoring and control tool Screen Creator Advance2 versions prior to Ver.0.1.1.3 Build01, HMI GC-A2 series(GC-A22W-CW, GC-A24W-C(W), GC-A26W-C(W), GC-A24, GC-A24-M, GC-A25, GC-A26, and GC-A26-J2), and Real time remote monitoring and control tool(Remote GC) allows a local attacker to bypass authentication due to the improper check for the Remote control setting's account names.

7.0

234 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-21 CVE-2022-1809 Radare Access of Uninitialized Pointer vulnerability in Radare Radare2

Access of Uninitialized Pointer in GitHub repository radareorg/radare2 prior to 5.7.0.

6.8
2022-05-20 CVE-2022-29427 Disable Right Click FOR WP Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Disable Right Click for WP Wordpress Disable Right Click for WP

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress.

6.8
2022-05-20 CVE-2022-27653 Siemens Out-of-bounds Write vulnerability in Siemens Simcenter Femap

A vulnerability has been identified in Simcenter Femap (All versions < V2022.2).

6.8
2022-05-20 CVE-2022-29032 Siemens Double Free vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1).

6.8
2022-05-20 CVE-2022-29033 Siemens Access of Uninitialized Pointer vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1).

6.8
2022-05-20 CVE-2022-29878 Siemens Authentication Bypass by Capture-replay vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

6.8
2022-05-20 CVE-2022-25227 Cybelesoft Origin Validation Error vulnerability in Cybelesoft Thinfinity VNC 4.0.0.1

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

6.8
2022-05-18 CVE-2022-22778 Tibco Cross-Site Request Forgery (CSRF) vulnerability in Tibco Businessconnect Trading Community Management

The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system.

6.8
2022-05-18 CVE-2021-42849 Lenovo Improper Authentication vulnerability in Lenovo products

A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access.

6.8
2022-05-18 CVE-2022-22786 Zoom Download of Code Without Integrity Check vulnerability in Zoom Meetings and Rooms

The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process.

6.8
2022-05-18 CVE-2022-27632 Meikyo Cross-Site Request Forgery (CSRF) vulnerability in Meikyo products

Cross-site request forgery (CSRF) vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations by having a user to view a specially crafted page.

6.8
2022-05-18 CVE-2022-23067 Tooljet Information Exposure vulnerability in Tooljet

ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover .

6.8
2022-05-17 CVE-2022-29174 Count Weak Password Recovery Mechanism for Forgotten Password vulnerability in Count Countly Server

countly-server is the server-side part of Countly, a product analytics solution.

6.8
2022-05-17 CVE-2022-1118 Rockwellautomation Deserialization of Untrusted Data vulnerability in Rockwellautomation products

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized.

6.8
2022-05-17 CVE-2022-28182 Nvidia Out-of-bounds Write vulnerability in Nvidia GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), where an unauthorized attacker on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution to cause denial of service, escalation of privileges, information disclosure, and data tampering.

6.8
2022-05-16 CVE-2022-1731 Allgeier SQL Injection vulnerability in Allgeier Metasonic DOC Webclient 7.0.12.0/7.0.14.0/7.0.3.0

Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0 is vulnerable to a SQL injection attack in the username field.

6.8
2022-05-16 CVE-2022-29623 Connect Multiparty Project Unrestricted Upload of File with Dangerous Type vulnerability in Connect-Multiparty Project Connect-Multiparty 2.2.0

An arbitrary file upload vulnerability in the file upload module of Connect-Multiparty v2.2.0 allows attackers to execute arbitrary code via a crafted PDF file.

6.8
2022-05-20 CVE-2022-31258 Tribe29
Checkmk
Link Following vulnerability in multiple products

In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1.0b10, a site user can escalate to root by editing an OMD hook symlink.

6.7
2022-05-20 CVE-2022-29184 Thoughtworks Command Injection vulnerability in Thoughtworks Gocd

GoCD is a continuous delivery server.

6.5
2022-05-20 CVE-2022-1770 Trudesk Project Improper Privilege Management vulnerability in Trudesk Project Trudesk

Improper Privilege Management in GitHub repository polonel/trudesk prior to 1.2.2.

6.5
2022-05-20 CVE-2022-24045 Siemens Missing Encryption of Sensitive Data vulnerability in Siemens products

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884).

6.5
2022-05-20 CVE-2022-29872 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

6.5
2022-05-20 CVE-2022-28965 Avast Uncontrolled Search Path Element vulnerability in Avast Premium Security 19.8.2393/20.8.2429

Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file.

6.5
2022-05-19 CVE-2022-28961 Spip SQL Injection vulnerability in Spip

Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.

6.5
2022-05-19 CVE-2020-16231 Bachmann Use of Password Hash With Insufficient Computational Effort vulnerability in Bachmann products

The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords.

6.5
2022-05-19 CVE-2021-41938 Shopxo Unrestricted Upload of File with Dangerous Type vulnerability in Shopxo 2.2.0

An issue was discovered in ShopXO CMS 2.2.0.

6.5
2022-05-18 CVE-2022-29229 Cassproject Unspecified vulnerability in Cassproject Competency and Skills System

CaSS is a Competency and Skills System.

6.5
2022-05-18 CVE-2022-29445 WOW Estore Use of Incorrectly-Resolved Name or Reference vulnerability in Wow-Estore Popup BOX

Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at WordPress.

6.5
2022-05-17 CVE-2022-24390 Fidelissecurity Command Injection vulnerability in Fidelissecurity Deception and Network

Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components.

6.5
2022-05-17 CVE-2022-24391 Fidelissecurity SQL Injection vulnerability in Fidelissecurity Deception and Network

Vulnerability in Fidelis Network and Deception CommandPost enables SQL injection through the web interface by an attacker with user level access.

6.5
2022-05-17 CVE-2022-1706 Redhat
Fedoraproject
Incorrect Authorization vulnerability in multiple products

A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products.

6.5
2022-05-17 CVE-2022-23669 Arubanetworks Insufficient Session Expiration vulnerability in Arubanetworks Clearpass Policy Manager

A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

6.5
2022-05-17 CVE-2022-22475 IBM Unspecified vulnerability in IBM Open Liberty and Websphere Application Server

IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user.

6.5
2022-05-17 CVE-2022-30952 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Blue Ocean

Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.

6.5
2022-05-17 CVE-2022-30953 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Blue Ocean

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.

6.5
2022-05-17 CVE-2022-30954 Jenkins Missing Authorization vulnerability in Jenkins Blue Ocean

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

6.5
2022-05-17 CVE-2022-30955 Jenkins Missing Authorization vulnerability in Jenkins Gitlab

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

6.5
2022-05-17 CVE-2022-30959 Jenkins Missing Authorization vulnerability in Jenkins SSH

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-05-17 CVE-2021-42643 Cmseasy Path Traversal vulnerability in Cmseasy 7.7.520211012

cmseasy V7.7.5_20211012 is affected by an arbitrary file write vulnerability.

6.5
2022-05-16 CVE-2022-23667 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

6.5
2022-05-16 CVE-2021-25119 Wpsocket Unrestricted Upload of File with Dangerous Type vulnerability in Wpsocket Automatic Grid Image Listing

The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type.

6.5
2022-05-16 CVE-2022-0573 Jfrog Deserialization of Untrusted Data vulnerability in Jfrog Artifactory

JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object.

6.5
2022-05-16 CVE-2022-0578 Publify Project Unspecified vulnerability in Publify Project Publify

Code Injection in GitHub repository publify/publify prior to 9.2.8.

6.5
2022-05-16 CVE-2022-1103 Advanced Uploader Project Unrestricted Upload of File with Dangerous Type vulnerability in Advanced Uploader Project Advanced Uploader

The Advanced Uploader WordPress plugin through 4.2 allows any authenticated users like subscriber to upload arbitrary files, such as PHP, which could lead to RCE

6.5
2022-05-16 CVE-2022-1182 Visual Slide BOX Builder Project SQL Injection vulnerability in Visual Slide BOX Builder Project Visual Slide BOX Builder

The Visual Slide Box Builder WordPress plugin through 3.2.9 does not sanitise and escape various parameters before using them in SQL statements via some of its AJAX actions available to any authenticated users (such as subscriber), leading to SQL Injections

6.5
2022-05-16 CVE-2022-1409 Vikwp Unrestricted Upload of File with Dangerous Type vulnerability in Vikwp Hotel Booking Engine & PMS

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code

6.5
2022-05-16 CVE-2022-1560 Amministrazione Aperta Project Path Traversal vulnerability in Amministrazione Aperta Project Amministrazione Aperta

The Amministrazione Aperta WordPress plugin before 3.8 does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue.

6.5
2022-05-21 CVE-2022-29188 Stripe Server-Side Request Forgery (SSRF) vulnerability in Stripe Smokescreen

Smokescreen is an HTTP proxy.

6.4
2022-05-20 CVE-2022-29877 Siemens Missing Authentication for Critical Function vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

6.4
2022-05-18 CVE-2022-22785 Zoom Reliance on Cookies without Validation and Integrity Checking vulnerability in Zoom Meetings

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains.

6.4
2022-05-16 CVE-2022-0574 Publify Project Incorrect Authorization vulnerability in Publify Project Publify

Improper Access Control in GitHub repository publify/publify prior to 9.2.8.

6.4
2022-05-20 CVE-2022-27640 Siemens Resource Exhaustion vulnerability in Siemens products

A vulnerability has been identified in SIMATIC CP 442-1 RNA (All versions < V1.5.18), SIMATIC CP 443-1 RNA (All versions < V1.5.18).

6.1
2022-05-19 CVE-2022-29652 Online Sports Complex Booking System Project SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

6.1
2022-05-18 CVE-2022-1774 Diagrams Open Redirect vulnerability in Diagrams Drawio

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.

6.1
2022-05-18 CVE-2022-30991 Acronis Cross-site Scripting vulnerability in Acronis Cyber Protect 15

HTML injection via report name.

6.1
2022-05-17 CVE-2022-24611 Silabs Unspecified vulnerability in Silabs products

Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block S0/S2 protected Z-Wave network via crafted S0 NonceGet Z-Wave packages, utilizing included but absent NodeIDs.

6.1
2022-05-16 CVE-2022-30776 Atmail Cross-site Scripting vulnerability in Atmail 6.5.0

atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter.

6.1
2022-05-16 CVE-2022-30777 Parallels Cross-site Scripting vulnerability in Parallels H-Sphere 3.6.2

Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter.

6.1
2022-05-16 CVE-2022-30770 Terminalfour Cross-site Scripting vulnerability in Terminalfour

Terminalfour versions 8.3.7, 8.3.x versions prior to version 8.3.8 and r 8.2.x versions prior to version 8.2.18.5 or 8.2.18.2.1 are vulnerable to (XSS) vulnerability that could be exploited by an attacker to mislead an administrator and steal their credentials.

6.1
2022-05-21 CVE-2022-1752 Trudesk Project Unrestricted Upload of File with Dangerous Type vulnerability in Trudesk Project Trudesk

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.2.

6.0
2022-05-19 CVE-2022-30618 Strapi Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions).

6.0
2022-05-18 CVE-2022-22787 Zoom Improper Certificate Validation vulnerability in Zoom Meetings

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request.

6.0
2022-05-21 CVE-2022-29214 Nextauth JS Open Redirect vulnerability in Nextauth.Js Next-Auth

NextAuth.js (next-auth) is am open source authentication solution for Next.js applications.

5.8
2022-05-20 CVE-2022-29431 Kubiq Cross-Site Request Forgery (CSRF) vulnerability in Kubiq CPT Base

Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.

5.8
2022-05-18 CVE-2022-30992 Acronis Open Redirect vulnerability in Acronis Cyber Protect 15

Open redirect via user-controlled query parameter.

5.8
2022-05-17 CVE-2022-29435 Code Snippets Extended Project Cross-Site Request Forgery (CSRF) vulnerability in Code Snippets Extended Project Code Snippets Extended

Cross-Site Request Forgery (CSRF) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress allows an attacker to delete or to turn on/off snippets.

5.8
2022-05-21 CVE-2022-29210 Google Out-of-bounds Write vulnerability in Google Tensorflow 2.8.0

TensorFlow is an open source platform for machine learning.

5.5
2022-05-21 CVE-2022-29213 Google Reachable Assertion vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

5.5
2022-05-20 CVE-2022-29201 Google Unspecified vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

5.5
2022-05-20 CVE-2022-29202 Google Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

5.5
2022-05-20 CVE-2022-29196 Google Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

5.5
2022-05-20 CVE-2022-29200 Google Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

5.5
2022-05-18 CVE-2022-1771 VIM Uncontrolled Recursion vulnerability in VIM

Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.

5.5
2022-05-18 CVE-2022-22784 Zoom XML Injection (aka Blind XPath Injection) vulnerability in Zoom Meetings

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages.

5.5
2022-05-18 CVE-2022-30974 Artifex
Debian
Fedoraproject
Uncontrolled Recursion vulnerability in multiple products

compile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413.

5.5
2022-05-18 CVE-2022-30975 Artifex
Debian
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp.

5.5
2022-05-17 CVE-2022-30067 Gimp Classic Buffer Overflow vulnerability in Gimp 2.10.30/2.99.10

GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow.

5.5
2022-05-16 CVE-2022-25169 Apache
Oracle
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

5.5
2022-05-16 CVE-2022-30126 Apache
Oracle
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file.
5.5
2022-05-20 CVE-2022-28964 Avast Untrusted Search Path vulnerability in Avast Premium Security 19.8.2393/20.8.2429

An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file.

5.4
2022-05-18 CVE-2022-30596 Moodle
Redhat
Fedoraproject
Cross-site Scripting vulnerability in multiple products

A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.

5.4
2022-05-18 CVE-2022-23068 Tooljet Cross-site Scripting vulnerability in Tooljet

ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail.

5.4
2022-05-17 CVE-2022-30956 Jenkins Cross-site Scripting vulnerability in Jenkins Rundeck

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

5.4
2022-05-17 CVE-2022-30960 Jenkins Cross-site Scripting vulnerability in Jenkins Application Detector

Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30961 Jenkins Cross-site Scripting vulnerability in Jenkins Autocomplete Parameter 1.0/1.1

Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30962 Jenkins Cross-site Scripting vulnerability in Jenkins Global Variable String Parameter 1.1/1.2

Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30963 Jenkins Cross-site Scripting vulnerability in Jenkins JDK Parameter 1.0

Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30964 Jenkins Cross-site Scripting vulnerability in Jenkins Multiselect Parameter

Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30965 Jenkins Cross-site Scripting vulnerability in Jenkins Promoted Builds

Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30966 Jenkins Improper Encoding or Escaping of Output vulnerability in Jenkins Random String Parameter 1.0

Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30967 Jenkins Cross-site Scripting vulnerability in Jenkins Selection Tasks 1.0

Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30968 Jenkins Cross-site Scripting vulnerability in Jenkins Vboxwrapper

Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-17 CVE-2022-30970 Jenkins Cross-site Scripting vulnerability in Jenkins Autocomplete Parameter

Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-05-20 CVE-2022-29883 Siemens Missing Authentication for Critical Function vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

5.3
2022-05-19 CVE-2022-22976 Vmware
Oracle
Netapp
Integer Overflow or Wraparound vulnerability in multiple products

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability.

5.3
2022-05-18 CVE-2022-30597 Moodle
Redhat
Fedoraproject
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
5.3
2022-05-17 CVE-2022-30689 Hashicorp Unspecified vulnerability in Hashicorp Vault 1.10.0/1.10.2

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts.

5.3
2022-05-17 CVE-2021-29726 IBM Improper Certificate Validation vulnerability in IBM products

IBM Sterling Secure Proxy 6.0.3 and IBM Secure External Authentication Server 6.0.3 does not properly ensure that a certificate is actually associated with the host due to improper validation of certificates.

5.3
2022-05-17 CVE-2022-30949 Jenkins Unspecified vulnerability in Jenkins Repo 1.14.0

Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

5.3
2022-05-18 CVE-2022-1430 Octoprint Cross-site Scripting vulnerability in Octoprint

Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.

5.1
2022-05-21 CVE-2022-31268 Gitblit Path Traversal vulnerability in Gitblit 1.9.3

A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).

5.0
2022-05-21 CVE-2022-29189 Pion Classic Buffer Overflow vulnerability in Pion Dtls

Pion DTLS is a Go implementation of Datagram Transport Layer Security.

5.0
2022-05-21 CVE-2022-29190 Pion Infinite Loop vulnerability in Pion Dtls

Pion DTLS is a Go implementation of Datagram Transport Layer Security.

5.0
2022-05-21 CVE-2022-29215 Regionprotect Project Argument Injection or Modification vulnerability in Regionprotect Project Regionprotect

RegionProtect is a plugin that allows users to manage certain events in certain regions of the world.

5.0
2022-05-21 CVE-2022-29222 Pion Improper Certificate Validation vulnerability in Pion Dtls

Pion DTLS is a Go implementation of Datagram Transport Layer Security.

5.0
2022-05-20 CVE-2022-24434 Dicer Project Unspecified vulnerability in Dicer Project Dicer

This affects all versions of package dicer.

5.0
2022-05-20 CVE-2022-1784 Diagrams Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.

5.0
2022-05-20 CVE-2022-24043 Siemens Information Exposure Through Discrepancy vulnerability in Siemens products

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884).

5.0
2022-05-20 CVE-2022-24044 Siemens Improper Restriction of Excessive Authentication Attempts vulnerability in Siemens products

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884).

5.0
2022-05-20 CVE-2022-29874 Siemens Cleartext Transmission of Sensitive Information vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

5.0
2022-05-20 CVE-2022-29881 Siemens Missing Authentication for Critical Function vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

5.0
2022-05-20 CVE-2022-30551 Opcfoundation Resource Exhaustion vulnerability in Opcfoundation Ua-Java 20220401

OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages that exhaust available resources.

5.0
2022-05-20 CVE-2022-28987 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Adselfservice Plus 6.1

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

5.0
2022-05-19 CVE-2022-28946 Openpolicyagent Unspecified vulnerability in Openpolicyagent Open Policy Agent 0.39.0

An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret every expression, causing a Denial of Service (DoS) via triggering out-of-range memory access.

5.0
2022-05-19 CVE-2021-32934 Throughtek Cleartext Transmission of Sensitive Information vulnerability in Throughtek Kalay P2P Software Development KIT

The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers.

5.0
2022-05-19 CVE-2021-26631 Mangboard Improper Input Validation vulnerability in Mangboard Commerce

Improper input validation vulnerability in Mangboard commerce package could lead to occur for abnormal request.

5.0
2022-05-19 CVE-2022-1670 Octopus Unspecified vulnerability in Octopus Server

When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users.

5.0
2022-05-18 CVE-2022-30993 Acronis Cleartext Transmission of Sensitive Information vulnerability in Acronis Cyber Protect 15

Cleartext transmission of sensitive information.

5.0
2022-05-18 CVE-2022-30994 Acronis Cleartext Transmission of Sensitive Information vulnerability in Acronis Cyber Protect 15

Cleartext transmission of sensitive information.

5.0
2022-05-18 CVE-2022-25162 Mitsubishielectric
Mitsubhishielectric
Improper Input Validation vulnerability in multiple products

Improper Input Validation vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior and versions prior to 1.073, MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 179**** and prior and versions prior to 1.073, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DSS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MR/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/z(x=24,40,60, y=T,R, z=ES,ESS) versions prior to 1.030, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/ES-A(x=24,40,60, y=T,R) versions prior to 1.031 and Mitsubishi Electric MELSEC iQ-F series FX5S-xMy/z(x=30,40,60,80, y=T,R, z=ES,ESS) version 1.000 allows a remote unauthenticated attacker to cause a temporary DoS condition for the product's communication by sending specially crafted packets.

5.0
2022-05-18 CVE-2021-42848 Lenovo Missing Authorization vulnerability in Lenovo products

An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details.

5.0
2022-05-18 CVE-2021-42851 Lenovo Unspecified vulnerability in Lenovo products

A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account.

5.0
2022-05-18 CVE-2022-28955 Dlink Improper Authentication vulnerability in Dlink Dir-816L Firmware 206B01

An access control issue in D-Link DIR816L_FW206b01 allows unauthenticated attackers to access folders folder_view.php and category_view.php.

5.0
2022-05-18 CVE-2022-29646 Totolink Exposure of Resource to Wrong Sphere vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129

An access control issue in TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 allows attackers to obtain sensitive information via a crafted web request.

5.0
2022-05-18 CVE-2019-25061 Random Password Generator Project Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Random Password Generator Project Random Password Generator

The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction.

5.0
2022-05-17 CVE-2022-1358 Cambiumnetworks SQL Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3

The affected On-Premise is vulnerable to data exfiltration through improper neutralization of special elements used in an SQL command.

5.0
2022-05-17 CVE-2022-1359 Cambiumnetworks Path Traversal vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3

The affected On-Premise cnMaestro is vulnerable to an arbitrary file-write through improper limitation of a pathname to a restricted directory inside a specific route.

5.0
2022-05-17 CVE-2022-1361 Cambiumnetworks SQL Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3

The affected On-Premise cnMaestro is vulnerable to a pre-auth data exfiltration through improper neutralization of special elements used in an SQL command.

5.0
2022-05-17 CVE-2020-4994 IBM Unspecified vulnerability in IBM Datapower Gateway

IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests.

5.0
2022-05-17 CVE-2021-38872 IBM Unspecified vulnerability in IBM Datapower Gateway

IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests.

5.0
2022-05-17 CVE-2020-4957 IBM Information Exposure vulnerability in IBM Security Identity Governance and Intelligence 5.2.6

IBM Security Identity Governance and Intelligence 5.2.6 could disclose sensitive information in URL parameters that could aid in future attacks against the system.

5.0
2022-05-17 CVE-2022-24856 Flyte Server-Side Request Forgery (SSRF) vulnerability in Flyte Console

FlyteConsole is the web user interface for the Flyte platform.

5.0
2022-05-17 CVE-2022-1711 Diagrams Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5.

5.0
2022-05-17 CVE-2022-1723 Diagrams Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6.

5.0
2022-05-16 CVE-2021-42870 Accel PPP Out-of-bounds Read vulnerability in Accel-Ppp 1.12.0

ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when processing a call_clear_request.

5.0
2022-05-16 CVE-2022-30012 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

In the POST request of the appointment.php page of HMS v.0, there are SQL injection vulnerabilities in multiple parameters, and database information can be obtained through injection.

5.0
2022-05-16 CVE-2022-29588 Konicaminolta Insufficiently Protected Credentials vulnerability in Konicaminolta products

Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files.

5.0
2022-05-16 CVE-2022-30782 Openmoney API Project Use of Insufficiently Random Values vulnerability in Openmoney API Project Openmoney API

Openmoney API through 2020-06-29 uses the JavaScript Math.random function, which does not provide cryptographically secure random numbers.

5.0
2022-05-20 CVE-2022-1803 Trudesk Project Improper Restriction of Rendered UI Layers or Frames vulnerability in Trudesk Project Trudesk

Improper Restriction of Rendered UI Layers or Frames in GitHub repository polonel/trudesk prior to 1.2.2.

4.9
2022-05-18 CVE-2022-1110 Lenovo Classic Buffer Overflow vulnerability in Lenovo Smart Standby Driver

A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service.

4.9
2022-05-17 CVE-2022-28187 Nvidia Missing Release of Resource after Effective Lifetime vulnerability in Nvidia GPU Display Driver

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where the memory management software does not release a resource after its effective lifetime has ended, which may lead to denial of service.

4.9
2022-05-17 CVE-2022-28188 Nvidia Improper Input Validation vulnerability in Nvidia GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly, which may lead to denial of service.

4.9
2022-05-17 CVE-2022-28191 Nvidia Resource Exhaustion vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where uncontrolled resource consumption can be triggered by an unprivileged regular user, which may lead to denial of service.

4.9
2022-05-20 CVE-2021-36833 Mailchimp FOR Wordpress Project Cross-site Scripting vulnerability in Mailchimp for Wordpress Project Mailchimp for Wordpress

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.

4.8
2022-05-21 CVE-2022-29216 Google Code Injection vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

4.6
2022-05-20 CVE-2022-28990 Wasm3 Project Out-of-bounds Write vulnerability in Wasm3 Project Wasm3 0.5.0

WASM3 v0.5.0 was discovered to contain a heap overflow via the component /wabt/bin/poc.wasm.

4.6
2022-05-20 CVE-2022-29178 Cilium Incorrect Default Permissions vulnerability in Cilium

Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads.

4.6
2022-05-19 CVE-2020-4107 Hcltech Unspecified vulnerability in Hcltech Domino 10.0/11.0/9.0

HCL Domino is affected by an Insufficient Access Control vulnerability.

4.6
2022-05-19 CVE-2022-1730 Diagrams Cross-site Scripting vulnerability in Diagrams Drawio

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.

4.6
2022-05-18 CVE-2022-30111 MCK Smartlock Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in MCK Smartlock Project MCK Smartlock 1.0

Due to the use of an insecure algorithm for rolling codes in MCK Smartlock 1.0, allows attackers to unlock the mechanism via replay attacks.

4.6
2022-05-18 CVE-2022-0883 Snowsoftware Unquoted Search Path or Element vulnerability in Snowsoftware Snow License Manager

SLM has an issue with Windows Unquoted/Trusted Service Paths Security Issue.

4.6
2022-05-18 CVE-2021-42850 Lenovo Use of Hard-coded Credentials vulnerability in Lenovo products

A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access.

4.6
2022-05-18 CVE-2022-1432 Octoprint Cross-site Scripting vulnerability in Octoprint

Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.

4.6
2022-05-16 CVE-2021-33025 Xarrow Improper Input Validation vulnerability in Xarrow 7.2

xArrow SCADA versions 7.2 and prior permits unvalidated registry keys to be run with application-level privileges.

4.6
2022-05-16 CVE-2022-30695 Acronis Improper Privilege Management vulnerability in Acronis Snap Deploy 6

Local privilege escalation due to excessive permissions assigned to child processes.

4.6
2022-05-16 CVE-2022-30697 Acronis Unspecified vulnerability in Acronis Snap Deploy 6

Local privilege escalation due to insecure folder permissions.

4.6
2022-05-18 CVE-2021-3922 Lenovo Race Condition vulnerability in Lenovo System Interface Foundation

A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3 that could allow a local attacker to connect and interact with the IMController child process' named pipe.

4.4
2022-05-18 CVE-2021-3969 Lenovo Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Lenovo System Interface Foundation

A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3that could allow a local attacker to elevate privileges.

4.4
2022-05-16 CVE-2022-30696 Acronis Uncontrolled Search Path Element vulnerability in Acronis Snap Deploy 6

Local privilege escalation due to a DLL hijacking vulnerability.

4.4
2022-05-20 CVE-2022-29430 PNG TO JPG Project Cross-site Scripting vulnerability in PNG to JPG Project PNG to JPG

Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF).

4.3
2022-05-20 CVE-2022-29425 Wpwham Cross-site Scripting vulnerability in Wpwham Checkout Files Upload for Woocommerce

Cross-Site Scripting (XSS) vulnerability in WP Wham's Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress.

4.3
2022-05-20 CVE-2022-29182 Thoughtworks Cross-site Scripting vulnerability in Thoughtworks Gocd

GoCD is a continuous delivery server.

4.3
2022-05-20 CVE-2022-29183 Thoughtworks Cross-site Scripting vulnerability in Thoughtworks Gocd

GoCD is a continuous delivery server.

4.3
2022-05-20 CVE-2022-22365 IBM Unspecified vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by allowing a man-in-the-middle attacker to spoof SSL server hostnames.

4.3
2022-05-20 CVE-2022-29177 Ethereum Unspecified vulnerability in Ethereum GO Ethereum

Go Ethereum is the official Golang implementation of the Ethereum protocol.

4.3
2022-05-20 CVE-2022-24906 Nextcloud Information Exposure Through an Error Message vulnerability in Nextcloud Deck

Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello.

4.3
2022-05-20 CVE-2022-24904 Argoproj Link Following vulnerability in Argoproj Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

4.3
2022-05-20 CVE-2022-24905 Argoproj Unspecified vulnerability in Argoproj Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

4.3
2022-05-20 CVE-2022-29028 Siemens Infinite Loop vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1).

4.3
2022-05-20 CVE-2022-29029 Siemens NULL Pointer Dereference vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1).

4.3
2022-05-20 CVE-2022-29030 Siemens Integer Overflow or Wraparound vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1).

4.3
2022-05-20 CVE-2022-29031 Siemens NULL Pointer Dereference vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1).

4.3
2022-05-20 CVE-2022-29876 Siemens Cross-site Scripting vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

4.3
2022-05-20 CVE-2022-29882 Siemens Cross-site Scripting vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

4.3
2022-05-20 CVE-2022-1806 RTX Project Cross-site Scripting vulnerability in RTX Project RTX

Cross-site Scripting (XSS) - Reflected in GitHub repository rtxteam/rtx prior to checkpoint_2022-05-18.

4.3
2022-05-19 CVE-2022-28959 Spip Cross-site Scripting vulnerability in Spip

Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows attackers to execute arbitrary web scripts or HTML.

4.3
2022-05-19 CVE-2020-4970 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Security Identity Manager 5.2.4/5.2.5/5.2.6

IBM Security Identity Governance and Intelligence 5.2.4, 5.2.5, and 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

4.3
2022-05-18 CVE-2021-38944 IBM Cross-site Scripting vulnerability in IBM Datapower Gateway

IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

4.3
2022-05-18 CVE-2022-25617 Codesnippets Cross-site Scripting vulnerability in Codesnippets Code Snippets

Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via &orderby vulnerable parameter.

4.3
2022-05-18 CVE-2022-28921 Blogengine Cross-Site Request Forgery (CSRF) vulnerability in Blogengine Blogengine.Net 3.3.8.0

A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server.

4.3
2022-05-18 CVE-2022-30598 Moodle
Redhat
Fedoraproject
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
4.3
2022-05-18 CVE-2021-42702 Inkscape Access of Uninitialized Pointer vulnerability in Inkscape 0.91

Inkscape version 0.91 can access an uninitialized pointer, which may allow an attacker to have access to unauthorized information.

4.3
2022-05-18 CVE-2022-22777 Tibco Cross-site Scripting vulnerability in Tibco Businessconnect Trading Community Management

The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow an unauthenticated attacker with network access to execute scripts targeting the affected system or the victim's local system.

4.3
2022-05-18 CVE-2021-3956 Lenovo Incorrect Authorization vulnerability in Lenovo Xclarity Controller

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory.

4.3
2022-05-18 CVE-2021-27548 Xpdfreader NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 4.03

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

4.3
2022-05-18 CVE-2022-1782 Erudika Cross-site Scripting vulnerability in Erudika Para

Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11.

4.3
2022-05-17 CVE-2021-35249 Solarwinds Unspecified vulnerability in Solarwinds Serv-U

This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to.

4.3
2022-05-17 CVE-2022-23706 HP Cross-site Scripting vulnerability in HP Oneview

A remote cross-site scripting (xss) vulnerability was discovered in HPE OneView version(s): Prior to 7.0.

4.3
2022-05-17 CVE-2022-29436 Code Snippets Extended Project Cross-site Scripting vulnerability in Code Snippets Extended Project Code Snippets Extended

Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code).

4.3
2022-05-17 CVE-2022-30045 Ezxml Project Out-of-bounds Read vulnerability in Ezxml Project Ezxml 0.8.6

An issue was discovered in libezxml.a in ezXML 0.8.6.

4.3
2022-05-17 CVE-2022-30946 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Script Security

A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

4.3
2022-05-17 CVE-2022-30957 Jenkins Missing Authorization vulnerability in Jenkins SSH

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.3
2022-05-17 CVE-2022-30110 Jirafeau Cross-site Scripting vulnerability in Jirafeau

The file preview functionality in Jirafeau < 4.4.0, which is enabled by default, could be exploited for cross site scripting.

4.3
2022-05-17 CVE-2013-10001 HTC Improper Certificate Validation vulnerability in HTC Mail 5.2.2222282614.528614.528614/5.5.550363

A vulnerability was found in HTC One/Sense 4.x.

4.3
2022-05-16 CVE-2022-23659 Arubanetworks Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager

A remote reflected cross site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

4.3
2022-05-16 CVE-2021-27442 Weintek Cross-site Scripting vulnerability in Weintek products

The Weintek cMT product line is vulnerable to a cross-site scripting vulnerability, which could allow an unauthenticated remote attacker to inject malicious JavaScript code.

4.3
2022-05-16 CVE-2021-33001 Xarrow Cross-site Scripting vulnerability in Xarrow 7.2

xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘bdate’ of the resource xhisvalue.htm, which may allow an unauthorized attacker to execute arbitrary code.

4.3
2022-05-16 CVE-2021-33021 Xarrow Cross-site Scripting vulnerability in Xarrow 7.2

xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘edate’ of the resource xhisalarm.htm, which may allow an unauthorized attacker to execute arbitrary code.

4.3
2022-05-16 CVE-2021-23266 Craftercms Improper Encoding or Escaping of Output vulnerability in Craftercms Crafter CMS

An anonymous user can craft a URL with text that ends up in the log viewer as is.

4.3
2022-05-16 CVE-2022-30050 SIR Cross-site Scripting vulnerability in SIR Gnuboard 5.55/5.56

Gnuboard 5.55 and 5.56 is vulnerable to Cross Site Scripting (XSS) via bbs/member_confirm.php.

4.3
2022-05-16 CVE-2022-1216 Advanced Image Sitemap Project Cross-site Scripting vulnerability in Advanced Image Sitemap Project Advanced Image Sitemap

The Advanced Image Sitemap WordPress plugin through 1.2 does not sanitise and escape the PHP_SELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

4.3
2022-05-16 CVE-2022-1217 Custom Tinymce Shortcode Button Project Cross-site Scripting vulnerability in Custom Tinymce Shortcode Button Project Custom Tinymce Shortcode Button

The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

4.3
2022-05-16 CVE-2022-1267 BMI BMR Calculator Project Cross-site Scripting vulnerability in BMI BMR Calculator Project BMI BMR Calculator

The BMI BMR Calculator WordPress plugin through 1.3 does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to a Reflected Cross-Site Scripting

4.3
2022-05-16 CVE-2022-1349 2Code Unspecified vulnerability in 2Code Wpqa Builder

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.

4.3
2022-05-16 CVE-2022-1407 Vikwp Cross-Site Request Forgery (CSRF) vulnerability in Vikwp Hotel Booking Engine & PMS

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes.

4.3
2022-05-16 CVE-2022-1418 Pluginmirror Cross-site Scripting vulnerability in Pluginmirror Social Stickers

The Social Stickers WordPress plugin through 2.2.9 does not have CSRF checks in place when updating its Social Network settings, and does not escape some of these fields, which could allow attackers to make a logged-in admin change them and lead to Stored Cross-Site Scripting issues.

4.3
2022-05-16 CVE-2022-1436 Wptaskforce Cross-site Scripting vulnerability in Wptaskforce Track & Trace

The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks.

4.3
2022-05-16 CVE-2022-1455 Callnowbutton Cross-site Scripting vulnerability in Callnowbutton Call NOW Button

The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled

4.3
2022-05-16 CVE-2022-1465 Wpclever Cross-site Scripting vulnerability in Wpclever WPC Smart Wishlist for Woocommerce

The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue.

4.3
2022-05-16 CVE-2022-29017 Axiosys Improper Handling of Exceptional Conditions vulnerability in Axiosys Bento4 1.6.0.0

Bento4 v1.6.0.0 was discovered to contain a segmentation fault via the component /x86_64/multiarch/strlen-avx2.S.

4.3
2022-05-16 CVE-2022-30775 Xpdfreader Allocation of Resources Without Limits or Throttling vulnerability in Xpdfreader Xpdf 4.04

xpdf 4.04 allocates excessive memory when presented with crafted input.

4.3
2022-05-20 CVE-2022-29434 Spiffyplugins Authorization Bypass Through User-Controlled Key vulnerability in Spiffyplugins Spiffy Calendar

Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events.

4.0
2022-05-20 CVE-2022-29447 WOW Company Files or Directories Accessible to External Parties vulnerability in Wow-Company Hover Effects

Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress.

4.0
2022-05-20 CVE-2022-29448 WOW Estore Use of Incorrectly-Resolved Name or Reference vulnerability in Wow-Estore Herd Effects

Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress.

4.0
2022-05-20 CVE-2022-29159 Nextcloud Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Deck

Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud.

4.0
2022-05-20 CVE-2022-29163 Nextcloud Lack of Administrator Control over Security vulnerability in Nextcloud Server

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform.

4.0
2022-05-20 CVE-2022-29879 Siemens Missing Authentication for Critical Function vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

4.0
2022-05-20 CVE-2022-1754 Trudesk Project Integer Overflow or Wraparound vulnerability in Trudesk Project Trudesk

Integer Overflow or Wraparound in GitHub repository polonel/trudesk prior to 1.2.2.

4.0
2022-05-19 CVE-2022-29446 WOW Company Files or Directories Accessible to External Parties vulnerability in Wow-Company Counter BOX

Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress.

4.0
2022-05-19 CVE-2021-45730 Jfrog Unspecified vulnerability in Jfrog Artifactory

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators.

4.0
2022-05-18 CVE-2022-28924 Universis Exposure of Resource to Wrong Sphere vulnerability in Universis Universis-Students

An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/.

4.0
2022-05-18 CVE-2022-30976 Gpac Out-of-bounds Read vulnerability in Gpac 2.0.0

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

4.0
2022-05-17 CVE-2022-22482 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow an authenticated user to upload files that could fill up the filesystem and cause a denial of service.

4.0
2022-05-17 CVE-2022-29332 Dlink Path Traversal vulnerability in Dlink Dir-825 Firmware 2022.01.1313.48

D-LINK DIR-825 AC1200 R2 is vulnerable to Directory Traversal.

4.0
2022-05-17 CVE-2021-42644 Cmseasy Files or Directories Accessible to External Parties vulnerability in Cmseasy 7.7.520211012

cmseasy V7.7.5_20211012 is affected by an arbitrary file read vulnerability.

4.0
2022-05-17 CVE-2022-1753 Wowonder Incorrect Authorization vulnerability in Wowonder

A vulnerability, which was classified as critical, was found in WoWonder.

4.0
2022-05-16 CVE-2022-23668 Arubanetworks Server-Side Request Forgery (SSRF) vulnerability in Arubanetworks Clearpass Policy Manager

A remote authenticated server-side request forgery (ssrf) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

4.0
2022-05-16 CVE-2022-23670 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

4.0
2022-05-16 CVE-2021-23265 Craftercms Unspecified vulnerability in Craftercms Crafter CMS

A logged-in and authenticated user with a Reviewer Role may lock a content item.

4.0
2022-05-16 CVE-2022-1398 External Media Without Import Project Server-Side Request Forgery (SSRF) vulnerability in External Media Without Import Project External Media Without Import

The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks

4.0
2022-05-16 CVE-2022-1425 2Code Authorization Bypass Through User-Controlled Key vulnerability in 2Code Wpqa Builder

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability.

4.0
2022-05-16 CVE-2022-1553 Publify Project Incorrect Authorization vulnerability in Publify Project Publify

Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8.

4.0
2022-05-16 CVE-2022-1728 Trudesk Project Integer Overflow or Wraparound vulnerability in Trudesk Project Trudesk

Allowing long password leads to denial of service in polonel/trudesk in GitHub repository polonel/trudesk prior to 1.2.2.

4.0
2022-05-16 CVE-2022-29587 Konicaminolta Improper Privilege Management vulnerability in Konicaminolta products

Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges.

4.0

68 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-20 CVE-2022-29208 Google Out-of-bounds Write vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

3.6
2022-05-17 CVE-2022-28186 Nvidia Improper Input Validation vulnerability in Nvidia GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly, which may lead to denial of service or data tampering.

3.6
2022-05-20 CVE-2022-29426 2Joomla Cross-site Scripting vulnerability in 2Joomla 2J Slideshow

Authenticated (contributor or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team's Slideshow, Image Slider by 2J plugin <= 1.3.54 at WordPress.

3.5
2022-05-20 CVE-2022-29428 Muneeb Cross-site Scripting vulnerability in Muneeb WP Slider

Cross-Site Scripting (XSS) vulnerability in Muneeb's WP Slider Plugin <= 1.4.5 at WordPress.

3.5
2022-05-20 CVE-2022-29432 TMS Outsource Cross-site Scripting vulnerability in Tms-Outsource Wpdatatables

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters.

3.5
2022-05-20 CVE-2022-29185 Totp RS Project Information Exposure Through Discrepancy vulnerability in Totp-Rs Project Totp-Rs

totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP).

3.5
2022-05-20 CVE-2022-29424 Oxilab Cross-site Scripting vulnerability in Oxilab Image Hover Effects Ultimate

Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in Biplob Adhikari's Image Hover Effects Ultimate plugin <= 9.7.1 at WordPress.

3.5
2022-05-20 CVE-2021-39043 IBM Cross-site Scripting vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to stored cross-site scripting.

3.5
2022-05-20 CVE-2021-43728 PIX Link Cross-site Scripting vulnerability in Pix-Link Lv-Wr09 Firmware 28K.Minirouter.20190211

Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized SSID parameter.

3.5
2022-05-20 CVE-2021-43729 PIX Link Cross-site Scripting vulnerability in Pix-Link Lv-Wr09 Firmware 28K.Minirouter.20190211

Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter.

3.5
2022-05-20 CVE-2022-29880 Siemens Cross-site Scripting vulnerability in Siemens products

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00).

3.5
2022-05-20 CVE-2022-25224 Proton Project Cross-site Scripting vulnerability in Proton Project Proton 0.2.0

Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file.

3.5
2022-05-20 CVE-2022-31215 Goverlan Unspecified vulnerability in Goverlan Client Agent, Reach Console and Reach Server

In certain Goverlan products, the Windows Firewall is temporarily turned off upon a Goverlan agent update operation.

3.5
2022-05-20 CVE-2022-25229 Popcorn Time Project Cross-site Scripting vulnerability in Popcorn Time Project Popcorn Time 0.4.7

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page.

3.5
2022-05-20 CVE-2022-28985 Orangehrm Cross-site Scripting vulnerability in Orangehrm 4.10.1

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

3.5
2022-05-19 CVE-2022-1416 Gitlab Cross-site Scripting vulnerability in Gitlab

Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling

3.5
2022-05-19 CVE-2022-29449 Wpopal Cross-site Scripting vulnerability in Wpopal Opal Hotel Room Booking

Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin <= 1.2.7 at WordPress.

3.5
2022-05-18 CVE-2022-29230 Shopify Cross-site Scripting vulnerability in Shopify Hydrogen

Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts.

3.5
2022-05-18 CVE-2021-42700 Inkscape Out-of-bounds Read vulnerability in Inkscape 0.91

Inkscape 0.91 is vulnerable to an out-of-bounds read, which may allow an attacker to have access to unauthorized information.

3.5
2022-05-18 CVE-2022-22776 Tibco Cross-site Scripting vulnerability in Tibco Businessconnect Trading Community Management

The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable vulnerabilities that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system.

3.5
2022-05-18 CVE-2022-28717 Meikyo Cross-site Scripting vulnerability in Meikyo products

Cross-site scripting vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker with the administrative privilege to inject an arbitrary script via unspecified vectors.

3.5
2022-05-18 CVE-2021-41946 Fiberhome Cross-site Scripting vulnerability in Fiberhome Hg150-Ub Firmware 3.0

In FiberHome VDSL2 Modem HG150-Ub_V3.0, a stored cross-site scripting (XSS) vulnerability in Parental Control --> Access Time Restriction --> Username field, a user cannot delete the rule due to the XSS.

3.5
2022-05-17 CVE-2022-23674 Arubanetworks Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

3.5
2022-05-17 CVE-2022-24890 Nextcloud Incorrect Default Permissions vulnerability in Nextcloud Talk

Nextcloud Talk is a video and audio conferencing app for Nextcloud.

3.5
2022-05-17 CVE-2022-22773 Tibco Cross-site Scripting vulnerability in Tibco Jasperreports Server

The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system.

3.5
2022-05-17 CVE-2022-22775 Tibco Cross-site Scripting vulnerability in Tibco products

The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system.

3.5
2022-05-17 CVE-2022-23675 Arubanetworks Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below.

3.5
2022-05-17 CVE-2022-30072 Wbce Cross-site Scripting vulnerability in Wbce CMS 1.5.2

WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via \admin\pages\sections_save.php namesection2 parameters.

3.5
2022-05-17 CVE-2022-30073 Wbce Cross-site Scripting vulnerability in Wbce CMS 1.5.2

WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via /admin/users/save.php.

3.5
2022-05-17 CVE-2021-42943 Ipplan Project Cross-site Scripting vulnerability in Ipplan Project Ipplan 4.92B

Stored cross-site scripting (XSS) in admin/usermanager.php over IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter.

3.5
2022-05-16 CVE-2022-0873 Codeasily Cross-site Scripting vulnerability in Codeasily Gmedia Gallery

The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed

3.5
2022-05-16 CVE-2022-1051 2Code Cross-site Scripting vulnerability in 2Code Wpqa Builder

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not sanitise and escape the city, phone or profile credentials fields when outputting it in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.

3.5
2022-05-16 CVE-2022-1062 Th23 Cross-site Scripting vulnerability in Th23 Social

The th23 Social WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-05-16 CVE-2022-1089 Wpsheeteditor Cross-site Scripting vulnerability in Wpsheeteditor Bulk Edit and Create User Profiles - WP Sheet Editor

The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-05-16 CVE-2022-1265 AIT PRO Cross-site Scripting vulnerability in Ait-Pro Bulletproof Security

The BulletProof Security WordPress plugin before 6.1 does not sanitize and escape some of its CAPTCHA settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

3.5
2022-05-16 CVE-2022-1334 WP Youtube Live Project Cross-site Scripting vulnerability in WP Youtube Live Project WP Youtube Live

The WP YouTube Live WordPress plugin before 1.8.3 does not validate, sanitise and escape various of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

3.5
2022-05-16 CVE-2022-1393 WP Subtitle Project Cross-site Scripting vulnerability in WP Subtitle Project WP Subtitle

The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via [wp_subtitle].

3.5
2022-05-16 CVE-2022-1408 Vikwp Cross-site Scripting vulnerability in Vikwp Hotel Booking Engine & PMS

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

3.5
2022-05-16 CVE-2022-1435 Wptaskforce Cross-site Scripting vulnerability in Wptaskforce Track & Trace

The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitize and escapes some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

3.5
2022-05-16 CVE-2022-1512 Scrollrevealjs Effects Project Cross-site Scripting vulnerability in Scrollrevealjs-Effects Project Scrollrevealjs-Effects

The ScrollReveal.js Effects WordPress plugin through 1.2 does not sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

3.5
2022-05-16 CVE-2022-1557 Uleak Security Dashboard Project Cross-site Scripting vulnerability in Uleak-Security-Dashboard Project Uleak-Security-Dashboard

The ULeak Security & Monitoring WordPress plugin through 1.2.3 does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings

3.5
2022-05-16 CVE-2022-1559 Clipr Cross-site Scripting vulnerability in Clipr

The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed

3.5
2022-05-16 CVE-2022-1726 Bootstrap Table Cross-site Scripting vulnerability in Bootstrap-Table Bootstrap Table

Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in GitHub repository wenzhixin/bootstrap-table prior to 1.20.2.

3.5
2022-05-16 CVE-2022-30013 Totaljs Cross-site Scripting vulnerability in Totaljs Total.Js 3.4.5

A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file.

3.5
2022-05-20 CVE-2022-29160 Nextcloud Incomplete Cleanup vulnerability in Nextcloud

Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform.

3.3
2022-05-16 CVE-2022-1722 Diagrams Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio

SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5.

3.3
2022-05-21 CVE-2022-29209 Google Type Confusion vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-21 CVE-2022-29211 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-21 CVE-2022-29212 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29203 Google Integer Overflow or Wraparound vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29204 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29205 Google Use of Uninitialized Resource vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29206 Google NULL Pointer Dereference vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29193 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29195 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29197 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29198 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29199 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29207 Google Undefined Behavior for Input to API vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29191 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29192 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-29194 Google Improper Input Validation vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

2.1
2022-05-20 CVE-2022-27242 Siemens Classic Buffer Overflow vulnerability in Siemens Openv2G 0.9.4

A vulnerability has been identified in OpenV2G (V0.9.4).

2.1
2022-05-19 CVE-2020-16235 Emerson Inadequate Encryption Strength vulnerability in Emerson Openenterprise Scada Server 2.8.3/3.1/3.3.3

Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained.

2.1
2022-05-17 CVE-2022-28189 Nvidia NULL Pointer Dereference vulnerability in Nvidia GPU Display Driver

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a NULL pointer dereference may lead to a system crash.

2.1
2022-05-17 CVE-2022-28190 Nvidia Improper Input Validation vulnerability in Nvidia GPU Display Driver

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation can cause denial of service.

2.1
2022-05-17 CVE-2022-22484 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Spectrum Protect

IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a local attacker to obtain sensitive information, caused by plain text user account passwords potentially being stored in the browser's application command history.

2.1
2022-05-17 CVE-2022-28192 Nvidia Use After Free vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where it may lead to a use-after-free, which in turn may cause denial of service.

1.9