Weekly Vulnerabilities Reports > May 16 to 22, 2022
Overview
467 new vulnerabilities reported during this period, including 53 critical vulnerabilities and 112 high severity vulnerabilities. This weekly summary report vulnerabilities in 639 products from 219 vendors including Jenkins, Siemens, Google, Arubanetworks, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Improper Input Validation", "OS Command Injection", and "Unrestricted Upload of File with Dangerous Type".
- 374 reported vulnerabilities are remotely exploitables.
- 6 reported vulnerabilities have public exploit available.
- 179 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 294 reported vulnerabilities are exploitable by an anonymous user.
- Jenkins has the most reported vulnerabilities, with 28 reported vulnerabilities.
- Arubanetworks has the most reported critical vulnerabilities, with 9 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
53 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-20 | CVE-2022-29165 | Argoproj | Authentication Bypass by Spoofing vulnerability in Argoproj Argo CD Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. | 10.0 |
2022-05-20 | CVE-2021-34111 | Thecus | OS Command Injection vulnerability in Thecus N4800Eco Firmware Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php. | 10.0 |
2022-05-19 | CVE-2020-16209 | Fieldcommgroup | Stack-based Buffer Overflow vulnerability in Fieldcommgroup Hart-Ip Developer KIT Firmware and Hipserver A malicious attacker could exploit the interface of the Fieldcomm Group HART-IP (release 1.0.0.0) by constructing messages with sufficiently large payloads to overflow the internal buffer and crash the device, or obtain control of the device. | 10.0 |
2022-05-19 | CVE-2022-28349 | ARM | Use After Free vulnerability in ARM products Arm Mali GPU Kernel Driver has a use-after-free: Midgard r28p0 through r29p0 before r30p0, Bifrost r17p0 through r23p0 before r24p0, and Valhall r19p0 through r23p0 before r24p0. | 10.0 |
2022-05-19 | CVE-2022-28350 | ARM | Use After Free vulnerability in ARM Valhall GPU Kernel Driver R34P0 Arm Mali GPU Kernel Driver allows improper GPU operations in Valhall r29p0 through r36p0 before r37p0 to reach a use-after-free situation. | 10.0 |
2022-05-18 | CVE-2022-30105 | Belkin | OS Command Injection vulnerability in Belkin N300 Firmware 1.00.08 In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. | 10.0 |
2022-05-18 | CVE-2022-29516 | Fujitsu | OS Command Injection vulnerability in Fujitsu products The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 2500, 2700), IPCOM EX LB(1100, 1300, 2300, 2500, 2700), IPCOM EX SC(1100, 1300, 2300, 2500, 2700), and IPCOM EX NW(1100, 1300, 2300, 2500, 2700)) allows a remote attacker to execute an arbitrary OS command via unspecified vectors. | 10.0 |
2022-05-18 | CVE-2022-29644 | Totolink | Use of Hard-coded Credentials vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for the telnet service stored in the component /web_cste/cgi-bin/product.ini. | 10.0 |
2022-05-18 | CVE-2022-29645 | Totolink | Use of Hard-coded Credentials vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for root stored in the component /etc/shadow.sample. | 10.0 |
2022-05-16 | CVE-2022-23657 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 10.0 |
2022-05-16 | CVE-2022-23658 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 10.0 |
2022-05-16 | CVE-2022-23660 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 10.0 |
2022-05-16 | CVE-2021-27446 | Weintek | Code Injection vulnerability in Weintek products The Weintek cMT product line is vulnerable to code injection, which may allow an unauthenticated remote attacker to execute commands with root privileges on the operation system. | 10.0 |
2022-05-17 | CVE-2022-28181 | Nvidia | Out-of-bounds Write vulnerability in Nvidia GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 9.9 |
2022-05-21 | CVE-2022-31259 | Beego | Unspecified vulnerability in Beego The route lookup process in beego before 1.12.9 and 2.x before 2.0.3 allows attackers to bypass access control. | 9.8 |
2022-05-20 | CVE-2022-22972 | Vmware | Unspecified vulnerability in VMWare products VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. | 9.8 |
2022-05-20 | CVE-2022-29186 | Pagerduty | Use of Hard-coded Credentials vulnerability in Pagerduty Rundeck Rundeck is an open source automation service with a web console, command line tools and a WebAPI. | 9.8 |
2022-05-20 | CVE-2022-28995 | Yogeshojha | Unspecified vulnerability in Yogeshojha Rengine 1.0.2 Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml configuration function. | 9.8 |
2022-05-20 | CVE-2022-28660 | Grafana | Missing Authentication for Critical Function vulnerability in Grafana 1.1.0/1.2.0/1.3.0 The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. | 9.8 |
2022-05-20 | CVE-2022-28993 | Bdtask | Missing Authorization vulnerability in Bdtask Multi Store Inventory Management System 1.0 Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request. | 9.8 |
2022-05-20 | CVE-2022-29021 | Openrazer Project | Classic Buffer Overflow vulnerability in Openrazer Project Openrazer A buffer overflow vulnerability exists in the razerkbd driver of OpenRazer up to version v3.3.0 allows attackers to cause a Denial of Service (DoS) and possibly escalate their privileges via a crafted buffer sent to the matrix_custom_frame device. | 9.8 |
2022-05-20 | CVE-2022-29022 | Openrazer Project | Classic Buffer Overflow vulnerability in Openrazer Project Openrazer A buffer overflow vulnerability exists in the razeraccessory driver of OpenRazer up to version v3.3.0 allows attackers to cause a Denial of Service (DoS) and possibly escalate their privileges via a crafted buffer sent to the matrix_custom_frame device. | 9.8 |
2022-05-20 | CVE-2022-29023 | Openrazer Project | Classic Buffer Overflow vulnerability in Openrazer Project Openrazer A buffer overflow vulnerability exists in the razermouse driver of OpenRazer up to version v3.3.0 allows attackers to cause a Denial of Service (DoS) and possibly escalate their privileges via a crafted buffer sent to the matrix_custom_frame device. | 9.8 |
2022-05-19 | CVE-2022-28962 | Online Sports Complex Booking System Project | SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0 Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client. | 9.8 |
2022-05-19 | CVE-2022-22978 | Vmware Oracle Netapp | Incorrect Authorization vulnerability in multiple products In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. | 9.8 |
2022-05-19 | CVE-2022-28348 | ARM | Use After Free vulnerability in ARM products Arm Mali GPU Kernel Driver (Midgard r4p0 through r31p0, Bifrost r0p0 through r36p0 before r37p0, and Valhall r19p0 through r36p0 before r37p0) allows improper GPU memory operations to reach a use-after-free situation. | 9.8 |
2022-05-18 | CVE-2022-30599 | Moodle Redhat Fedoraproject | SQL Injection vulnerability in multiple products A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria. | 9.8 |
2022-05-18 | CVE-2022-30600 | Moodle Redhat Fedoraproject | Incorrect Calculation vulnerability in multiple products A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed. | 9.8 |
2022-05-18 | CVE-2022-1795 | Gpac | Use After Free vulnerability in Gpac Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. | 9.8 |
2022-05-17 | CVE-2022-28617 | HP | Unspecified vulnerability in HP Oneview A remote bypass security restrictions vulnerability was discovered in HPE OneView version(s): Prior to 7.0. | 9.8 |
2022-05-16 | CVE-2021-33318 | Watsonwebserver Project Ipmatcher Project | Incorrect Type Conversion or Cast vulnerability in multiple products An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets. | 9.8 |
2022-05-16 | CVE-2022-1386 | Fusion Builder Project Theme Fusion | Server-Side Request Forgery (SSRF) vulnerability in multiple products The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. | 9.8 |
2022-05-16 | CVE-2022-29351 | Tiddlywiki | Unrestricted Upload of File with Dangerous Type vulnerability in Tiddlywiki Tiddlywiki5 5.2.2 An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. | 9.8 |
2022-05-16 | CVE-2022-29622 | Formidable Project | Unrestricted Upload of File with Dangerous Type vulnerability in Formidable Project Formidable 3.1.4 An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. | 9.8 |
2022-05-16 | CVE-2022-30011 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 In HMS 1.0 when requesting appointment.php through POST, multiple parameters can lead to a SQL injection vulnerability. | 9.8 |
2022-05-16 | CVE-2022-30767 | Denx Fedoraproject | Classic Buffer Overflow vulnerability in multiple products nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. | 9.8 |
2022-05-17 | CVE-2022-1362 | Cambiumnetworks | OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3 The affected On-Premise cnMaestro is vulnerable inside a specific route where a user can upload a crafted package to the system. | 9.3 |
2022-05-16 | CVE-2022-1586 | Pcre Fedoraproject Redhat Netapp | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. | 9.1 |
2022-05-16 | CVE-2022-1587 | Pcre Redhat Fedoraproject Netapp | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. | 9.1 |
2022-05-16 | CVE-2022-23662 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 9.1 |
2022-05-20 | CVE-2022-31245 | Mailcow | OS Command Injection vulnerability in Mailcow Mailcow: Dockerized mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs. | 9.0 |
2022-05-19 | CVE-2022-30617 | Strapi | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. | 9.0 |
2022-05-17 | CVE-2022-24388 | Fidelissecurity | Command Injection vulnerability in Fidelissecurity Deception and Network Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. | 9.0 |
2022-05-17 | CVE-2022-24389 | Fidelissecurity | Command Injection vulnerability in Fidelissecurity Deception and Network Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. | 9.0 |
2022-05-17 | CVE-2022-24392 | Fidelissecurity | Command Injection vulnerability in Fidelissecurity Deception and Network Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. | 9.0 |
2022-05-17 | CVE-2022-24393 | Fidelissecurity | Command Injection vulnerability in Fidelissecurity Deception and Network Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “check_vertica_upgrade” value for the “cpIp” parameter. | 9.0 |
2022-05-17 | CVE-2022-24394 | Fidelissecurity | Command Injection vulnerability in Fidelissecurity Deception and Network Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “update_checkfile” value for the “filename” parameter. | 9.0 |
2022-05-16 | CVE-2022-23661 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 9.0 |
2022-05-16 | CVE-2022-23663 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 9.0 |
2022-05-16 | CVE-2022-23664 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 9.0 |
2022-05-16 | CVE-2022-23665 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 9.0 |
2022-05-16 | CVE-2022-23666 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 9.0 |
2022-05-16 | CVE-2021-23267 | Craftercms | Improper Control of Dynamically-Managed Code Resources vulnerability in Craftercms Crafter CMS Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods. | 9.0 |
112 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-20 | CVE-2022-28992 | Phpgurukul | Cross-Site Request Forgery (CSRF) vulnerability in PHPgurukul Online Banquet Booking System 1.0 A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request. | 8.8 |
2022-05-19 | CVE-2022-28960 | Spip | Improper Encoding or Escaping of Output vulnerability in Spip A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire. | 8.8 |
2022-05-19 | CVE-2022-29304 | Online Sports Complex Booking System Project | SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0 Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility. | 8.8 |
2022-05-19 | CVE-2022-1423 | Gitlab | Missing Authorization vulnerability in Gitlab Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches | 8.8 |
2022-05-19 | CVE-2022-30018 | Mobotix | Insufficiently Protected Credentials vulnerability in Mobotix Mxcontrolcenter 2.5.4.5 Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. | 8.8 |
2022-05-18 | CVE-2022-1727 | Diagrams | Improper Input Validation vulnerability in Diagrams Drawio Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6. | 8.8 |
2022-05-17 | CVE-2022-29429 | Code Snippets Extended Project | Cross-Site Request Forgery (CSRF) vulnerability in Code Snippets Extended Project Code Snippets Extended Remote Code Execution (RCE) in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery. | 8.8 |
2022-05-17 | CVE-2022-30950 | Jenkins | Classic Buffer Overflow vulnerability in Jenkins WMI Windows Agents Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library which has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine. | 8.8 |
2022-05-17 | CVE-2022-30951 | Jenkins | Missing Authorization vulnerability in Jenkins WMI Windows Agents Jenkins WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library does not implement access control, potentially allowing users to start processes even if they're not allowed to log in. | 8.8 |
2022-05-17 | CVE-2022-30958 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins SSH A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2022-05-17 | CVE-2022-30969 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter 1.0/1.1 A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator. | 8.8 |
2022-05-17 | CVE-2022-30971 | Jenkins | XXE vulnerability in Jenkins Storable Configs 1.0 Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.8 |
2022-05-17 | CVE-2022-30972 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Storage Configs A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | 8.8 |
2022-05-20 | CVE-2022-29170 | Grafana | Open Redirect vulnerability in Grafana Grafana is an open-source platform for monitoring and observability. | 8.5 |
2022-05-17 | CVE-2022-30945 | Jenkins | Unspecified vulnerability in Jenkins Pipeline: Groovy Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. | 8.5 |
2022-05-20 | CVE-2022-29181 | Nokogiri Apple | Improper Handling of Unexpected Data Type vulnerability in multiple products Nokogiri is an open source XML and HTML library for Ruby. | 8.2 |
2022-05-18 | CVE-2022-29639 | Totolink | Unspecified vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a command injection vulnerability via the magicid parameter in the function uci_cloudupdate_config. | 8.1 |
2022-05-20 | CVE-2022-22973 | Vmware | Unspecified vulnerability in VMWare products VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. | 7.8 |
2022-05-20 | CVE-2022-24287 | Siemens | Insecure Default Initialization of Resource vulnerability in Siemens products A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3 UC06), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1 UC01), SIMATIC WinCC Runtime Professional V16 and earlier (All versions), SIMATIC WinCC Runtime Professional V17 (All versions < V17 Upd4), SIMATIC WinCC V7.3 (All versions), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 21), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 8). | 7.8 |
2022-05-20 | CVE-2022-26634 | HMA | Unquoted Search Path or Element vulnerability in HMA Hidemyass 5.3.5913.0 HMA VPN v5.3.5913.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 7.8 |
2022-05-19 | CVE-2022-1796 | VIM | Use After Free vulnerability in VIM Use After Free in GitHub repository vim/vim prior to 8.2.4979. | 7.8 |
2022-05-19 | CVE-2022-1785 | VIM Debian | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977. | 7.8 |
2022-05-18 | CVE-2022-30138 | Microsoft | Unspecified vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |
2022-05-18 | CVE-2022-30033 | Tenda | Classic Buffer Overflow vulnerability in Tenda TX9 PRO Firmware 22.03.02.10 Tenda TX9 Pro V22.03.02.10 is vulnerable to Buffer Overflow via the functtion setIPv6Status() in httpd module. | 7.8 |
2022-05-18 | CVE-2021-42704 | Inkscape | Out-of-bounds Write vulnerability in Inkscape 0.91 Inkscape version 0.91 is vulnerable to an out-of-bounds write, which may allow an attacker to arbitrary execute code. | 7.8 |
2022-05-18 | CVE-2022-25161 | Mitsubishielectric Mitsubhishielectric | Improper Input Validation vulnerability in multiple products Improper Input Validation vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior and versions prior to 1.073, MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 179**** and prior and versions prior to 1.073, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DSS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MR/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/z(x=24,40,60, y=T,R, z=ES,ESS) versions prior to 1.030, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/ES-A(x=24,40,60, y=T,R) versions prior to 1.031 and Mitsubishi Electric MELSEC iQ-F series FX5S-xMy/z(x=30,40,60,80, y=T,R, z=ES,ESS) version 1.000 allows a remote unauthenticated attacker to cause a DoS condition for the product's program execution or communication by sending specially crafted packets. | 7.8 |
2022-05-18 | CVE-2022-28917 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax12 Firmware 22.03.01.21Cn Tenda AX12 v22.03.01.21_cn was discovered to contain a stack overflow via the lanIp parameter in /goform/AdvSetLanIp. | 7.8 |
2022-05-18 | CVE-2022-30065 | Busybox Siemens | Use After Free vulnerability in multiple products A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. | 7.8 |
2022-05-18 | CVE-2022-29638 | Totolink | Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the comment parameter in the function setIpQosRules. | 7.8 |
2022-05-18 | CVE-2022-29640 | Totolink | Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the comment parameter in the function setPortForwardRules. | 7.8 |
2022-05-18 | CVE-2022-29641 | Totolink | Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the startTime and endTime parameters in the function setParentalRules. | 7.8 |
2022-05-18 | CVE-2022-29642 | Totolink | Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the url parameter in the function setUrlFilterRules. | 7.8 |
2022-05-18 | CVE-2022-29643 | Totolink | Out-of-bounds Write vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the macAddress parameter in the function setMacQos. | 7.8 |
2022-05-17 | CVE-2022-29162 | Linuxfoundation Fedoraproject | Incorrect Default Permissions vulnerability in multiple products runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. | 7.8 |
2022-05-17 | CVE-2022-28184 | Nvidia | Unspecified vulnerability in Nvidia GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can access administrator- privileged registers, which may lead to denial of service, information disclosure, and data tampering. | 7.8 |
2022-05-17 | CVE-2022-1735 | VIM Apple | Classic Buffer Overflow vulnerability in multiple products Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969. | 7.8 |
2022-05-17 | CVE-2022-30688 | Needrestart Project Debian | needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation. | 7.8 |
2022-05-17 | CVE-2022-1116 | Linux Netapp | Integer Overflow or Wraparound vulnerability in multiple products Integer Overflow or Wraparound vulnerability in io_uring of Linux Kernel allows local attacker to cause memory corruption and escalate privileges to root. | 7.8 |
2022-05-17 | CVE-2022-1733 | VIM Fedoraproject Apple | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968. | 7.8 |
2022-05-17 | CVE-2022-1769 | VIM Fedoraproject Apple | Buffer Over-read vulnerability in multiple products Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974. | 7.8 |
2022-05-17 | CVE-2022-29581 | Linux Debian Canonical Netapp | Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. | 7.8 |
2022-05-16 | CVE-2022-1679 | Linux Debian Netapp | Use After Free vulnerability in multiple products A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. | 7.8 |
2022-05-18 | CVE-2021-42852 | Lenovo | OS Command Injection vulnerability in Lenovo products A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device. | 7.7 |
2022-05-22 | CVE-2022-1813 | Rengine Project | OS Command Injection vulnerability in Rengine Project Rengine OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0. | 7.5 |
2022-05-21 | CVE-2022-31264 | Solanalabs | Integer Overflow or Wraparound vulnerability in Solanalabs Rbpf Solana solana_rbpf before 0.2.29 has an addition integer overflow via invalid ELF program headers. | 7.5 |
2022-05-21 | CVE-2022-31267 | Gitblit | Improper Privilege Management vulnerability in Gitblit 1.9.2 Gitblit 1.9.2 allows privilege escalation via the Config User Service: a control character can be placed in a profile data field, such as an emailAddress%3Atext '[email protected]\n\trole = "#admin"' value. | 7.5 |
2022-05-20 | CVE-2022-1775 | Trudesk Project | Weak Password Requirements vulnerability in Trudesk Project Trudesk Weak Password Requirements in GitHub repository polonel/trudesk prior to 1.2.2. | 7.5 |
2022-05-20 | CVE-2022-28618 | HPE | Command Injection vulnerability in HPE Nimbleos A command injection security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays and HPE Nimble Storage Secondary Flash Arrays that could allow an attacker to execute arbitrary commands on a Nimble appliance. | 7.5 |
2022-05-20 | CVE-2022-21195 | URL Regex Project | Unspecified vulnerability in Url-Regex Project Url-Regex All versions of package url-regex are vulnerable to Regular Expression Denial of Service (ReDoS) which can cause the CPU usage to crash. | 7.5 |
2022-05-20 | CVE-2022-28531 | Covid 19 Directory ON Vaccination System Project | SQL Injection vulnerability in Covid-19 Directory on Vaccination System Project Covid-19 Directory on Vaccination System 1.0 Sourcecodester Covid-19 Directory on Vaccination System1.0 is vulnerable to SQL Injection via the admin/login.php txtusername (aka Username) field. | 7.5 |
2022-05-20 | CVE-2022-24290 | Siemens | Stack-based Buffer Overflow vulnerability in Siemens Teamcenter A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9), Teamcenter V13.1 (All versions), Teamcenter V13.2 (All versions < V13.2.0.8), Teamcenter V13.3 (All versions < V13.3.0.3), Teamcenter V14.0 (All versions < V14.0.0.2). | 7.5 |
2022-05-20 | CVE-2022-26632 | Multi Vendor Online Groceries Management System Project | SQL Injection vulnerability in Multi-Vendor Online Groceries Management System Project Multi-Vendor Online Groceries Management System 1.0 Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php. | 7.5 |
2022-05-20 | CVE-2022-26633 | Simple Student Quarterly Result Grade System Project | SQL Injection vulnerability in Simple Student Quarterly Result/Grade System Project Simple Student Quarterly Result/Grade System 1.0 Simple Student Quarterly Result/Grade System v1.0 was discovered to contain a SQL injection vulnerability via /sqgs/Actions.php. | 7.5 |
2022-05-20 | CVE-2022-28104 | Foxit | Unrestricted Upload of File with Dangerous Type vulnerability in Foxit PDF Editor 11.3.1 Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability. | 7.5 |
2022-05-20 | CVE-2022-28105 | Online Sports Complex Booking System Project | SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0 Online Sports Complex Booking System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /scbs/view_facility.php. | 7.5 |
2022-05-20 | CVE-2022-28106 | Online Sports Complex Booking System Project | Improper Authentication vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0 Online Sports Complex Booking System v1.0 was discovered to allow attackers to take over user accounts via a crafted POST request. | 7.5 |
2022-05-20 | CVE-2022-28991 | Bdtask | Forced Browsing vulnerability in Bdtask Multi Store Inventory Management System 1.0 Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files. | 7.5 |
2022-05-20 | CVE-2022-29801 | Siemens | XXE vulnerability in Siemens Teamcenter 12.4/13.0 A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). | 7.5 |
2022-05-20 | CVE-2022-29873 | Siemens | Unspecified vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 7.5 |
2022-05-20 | CVE-2022-30518 | Chatbot Application With A Suggestion Feature Project | SQL Injection vulnerability in Chatbot Application With a Suggestion Feature Project Chatbot Application With a Suggestion Feature 1.0 ChatBot Application with a Suggestion Feature 1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /simple_chat_bot/admin/responses/view_response.php. | 7.5 |
2022-05-20 | CVE-2022-30886 | School Dormitory Management System Project | SQL Injection vulnerability in School Dormitory Management System Project School Dormitory Management System 1.0 School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_collection_report.php. | 7.5 |
2022-05-20 | CVE-2022-30887 | Pharmacy Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Pharmacy Management System Project Pharmacy Management System 1.0 Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. | 7.5 |
2022-05-20 | CVE-2022-21500 | Oracle | Unspecified vulnerability in Oracle E-Business Suite and User Management Vulnerability in Oracle E-Business Suite (component: Manage Proxies). | 7.5 |
2022-05-19 | CVE-2022-28948 | Yaml Project Netapp | Deserialization of Untrusted Data vulnerability in multiple products An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. | 7.5 |
2022-05-19 | CVE-2020-14496 | Mitsubishielectric | Unspecified vulnerability in Mitsubishielectric products Successful exploitation of this vulnerability for multiple Mitsubishi Electric Factory Automation Engineering Software Products of various versions could allow an attacker to escalate privilege and execute malicious programs, which could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed. | 7.5 |
2022-05-19 | CVE-2022-1413 | Gitlab | Insufficiently Protected Credentials vulnerability in Gitlab Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface | 7.5 |
2022-05-19 | CVE-2022-28927 | Subconverter Project | Unrestricted Upload of File with Dangerous Type vulnerability in Subconverter Project Subconverter 0.7.2 A remote code execution (RCE) vulnerability in Subconverter v0.7.2 allows attackers to execute arbitrary code via crafted config and url parameters. | 7.5 |
2022-05-19 | CVE-2021-26630 | Handysoft | Improper Input Validation vulnerability in Handysoft Groupware Improper input validation vulnerability in HANDY Groupware’s ActiveX moudle allows attackers to download or execute arbitrary files. | 7.5 |
2022-05-19 | CVE-2021-37413 | Grandcom | SQL Injection vulnerability in Grandcom Dynweb GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. | 7.5 |
2022-05-19 | CVE-2022-1183 | ISC Netapp | Reachable Assertion vulnerability in multiple products On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. | 7.5 |
2022-05-18 | CVE-2022-30990 | Acronis | Incorrect Permission Assignment for Critical Resource vulnerability in Acronis Agent and Cyber Protect Sensitive information disclosure due to insecure folder permissions. | 7.5 |
2022-05-18 | CVE-2022-1767 | Diagrams | Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. | 7.5 |
2022-05-18 | CVE-2022-28956 | Dlink | Unspecified vulnerability in Dlink Dir-816L Firmware 206B01 An issue in the getcfg.php component of D-Link DIR816L_FW206b01 allows attackers to access the device via a crafted payload. | 7.5 |
2022-05-17 | CVE-2022-1357 | Cambiumnetworks | OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3 The affected On-Premise cnMaestro allows an unauthenticated attacker to access the cnMaestro server and execute arbitrary code in the privileges of the web server. | 7.5 |
2022-05-17 | CVE-2022-1360 | Cambiumnetworks | OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3 The affected On-Premise cnMaestro is vulnerable to execution of code on the cnMaestro hosting server. | 7.5 |
2022-05-17 | CVE-2022-28616 | HP | Server-Side Request Forgery (SSRF) vulnerability in HP Oneview A remote server-side request forgery (ssrf) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. | 7.5 |
2022-05-17 | CVE-2022-30052 | Home Clean Service System Project | SQL Injection vulnerability in Home Clean Service System Project Home Clean Service System 1.0 In Home Clean Service System 1.0, the password parameter is vulnerable to SQL injection attacks. | 7.5 |
2022-05-17 | CVE-2022-30053 | Toll TAX Management System Project | SQL Injection vulnerability in Toll TAX Management System Project Toll TAX Management System 1.0 In Toll Tax Management System 1.0, the id parameter appears to be vulnerable to SQL injection attacks. | 7.5 |
2022-05-17 | CVE-2022-30054 | Covid 19 Travel Pass Management Project | SQL Injection vulnerability in Covid 19 Travel Pass Management Project Covid 19 Travel Pass Management 1.0 In Covid 19 Travel Pass Management 1.0, the code parameter is vulnerable to SQL injection attacks. | 7.5 |
2022-05-17 | CVE-2022-23671 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 7.5 |
2022-05-17 | CVE-2022-24108 | Skyoftech | Deserialization of Untrusted Data vulnerability in Skyoftech SO Listing Tabs 2.2.0 The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data. | 7.5 |
2022-05-17 | CVE-2022-30947 | Jenkins | Unspecified vulnerability in Jenkins GIT Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | 7.5 |
2022-05-17 | CVE-2022-30948 | Jenkins | Unspecified vulnerability in Jenkins Mercurial Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | 7.5 |
2022-05-17 | CVE-2022-26650 | Apache | Unspecified vulnerability in Apache Shenyu 2.4.0/2.4.1/2.4.2 In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. | 7.5 |
2022-05-16 | CVE-2021-27444 | Weintek | Unspecified vulnerability in Weintek products The Weintek cMT product line is vulnerable to various improper access controls, which may allow an unauthenticated attacker to remotely access and download sensitive information and perform administrative actions on behalf of a legitimate administrator. | 7.5 |
2022-05-16 | CVE-2022-30055 | Mersenne | Classic Buffer Overflow vulnerability in Mersenne Prime95 30.7 Prime95 30.7 build 9 suffers from a Buffer Overflow vulnerability that could lead to Remote Code Execution. | 7.5 |
2022-05-16 | CVE-2022-0867 | Reputeinfosystems | SQL Injection vulnerability in Reputeinfosystems Pricing Table The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users | 7.5 |
2022-05-16 | CVE-2022-1713 | Diagrams | Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. | 7.5 |
2022-05-16 | CVE-2022-1721 | Diagrams | Path Traversal vulnerability in Diagrams Drawio Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. | 7.5 |
2022-05-16 | CVE-2021-42897 | Feminer WMS Project | OS Command Injection vulnerability in Feminer WMS Project Feminer WMS 1.0 A remote command execution (RCE) vulnerability was found in FeMiner wms V1.0 in /wms/src/system/datarec.php. | 7.5 |
2022-05-16 | CVE-2022-29353 | Graphql Upload Project | Unrestricted Upload of File with Dangerous Type vulnerability in Graphql-Upload Project Graphql-Upload 13.0.0 An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename. | 7.5 |
2022-05-16 | CVE-2022-29354 | Keystonejs | Unrestricted Upload of File with Dangerous Type vulnerability in Keystonejs Keystone 4.2.1 An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file. | 7.5 |
2022-05-16 | CVE-2022-30781 | Gitea | Improper Encoding or Escaping of Output vulnerability in Gitea Gitea before 1.16.7 does not escape git fetch remote. | 7.5 |
2022-05-16 | CVE-2022-30763 | Janet Lang | Improper Validation of Array Index vulnerability in Janet-Lang Janet Janet before 1.22.0 mishandles arrays. | 7.5 |
2022-05-16 | CVE-2022-30765 | Calibre WEB Project | SQL Injection vulnerability in Calibre-Web Project Calibre-Web 0.6.18 Calibre-Web before 0.6.18 allows user table SQL Injection. | 7.5 |
2022-05-16 | CVE-2022-29586 | Konicaminolta | Unspecified vulnerability in Konicaminolta products Konica Minolta bizhub MFP devices before 2022-04-14 allow a Sandbox Escape. | 7.4 |
2022-05-20 | CVE-2022-29179 | Cilium | Improper Privilege Management vulnerability in Cilium Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. | 7.2 |
2022-05-20 | CVE-2021-30028 | Sooteway WI FI Range Extender Project | Improper Authentication vulnerability in Sooteway Wi-Fi Range Extender Project Sooteway Wi-Fi Range Extender 1.5 SOOTEWAY Wi-Fi Range Extender v1.5 was discovered to use default credentials (the admin password for the admin account) to access the TELNET service, allowing attackers to erase/read/write the firmware remotely. | 7.2 |
2022-05-20 | CVE-2022-27094 | Sony | Unquoted Search Path or Element vulnerability in Sony Playmemories Home 6.0 Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 7.2 |
2022-05-20 | CVE-2022-27095 | Battleye | Unquoted Search Path or Element vulnerability in Battleye 0.9 BattlEye v0.9 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 7.2 |
2022-05-20 | CVE-2022-29320 | Minitool | Unquoted Search Path or Element vulnerability in Minitool Partition Wizard 12.0 MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. | 7.2 |
2022-05-17 | CVE-2022-1356 | Cambiumnetworks | OS Command Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3 cnMaestro is vulnerable to a local privilege escalation. | 7.2 |
2022-05-17 | CVE-2022-0486 | Fidelissecurity | Incorrect Default Permissions vulnerability in Fidelissecurity Deception and Network Improper file permissions in the CommandPost, Collector, Sensor, and Sandbox components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected files and enable escalation of privileges equivalent to the root user. | 7.2 |
2022-05-17 | CVE-2022-0997 | Fidelissecurity | Incorrect Default Permissions vulnerability in Fidelissecurity Deception and Network Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which could result in arbitrary commands being run as root upon subsequent logon by a root user. | 7.2 |
2022-05-17 | CVE-2022-23672 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 7.2 |
2022-05-17 | CVE-2022-23673 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 7.2 |
2022-05-17 | CVE-2022-30007 | Gxcms Project | Unrestricted Upload of File with Dangerous Type vulnerability in Gxcms Project Gxcms 1.5 GXCMS V1.5 has a file upload vulnerability in the background. | 7.2 |
2022-05-16 | CVE-2022-30523 | Trendmicro | Link Following vulnerability in Trendmicro Password Manager Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow a low privileged local attacker to delete the contents of an arbitrary folder as SYSTEM which can then be used for privilege escalation on the affected machine. | 7.2 |
2022-05-17 | CVE-2022-28183 | Nvidia | Out-of-bounds Read vulnerability in Nvidia GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure. | 7.1 |
2022-05-17 | CVE-2022-28185 | Nvidia | Out-of-bounds Write vulnerability in Nvidia Virtual GPU NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the ECC layer, where an unprivileged regular user can cause an out-of-bounds write, which may lead to denial of service and data tampering. | 7.1 |
2022-05-18 | CVE-2022-1734 | Linux Debian Netapp | Use After Free vulnerability in multiple products A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine. | 7.0 |
2022-05-18 | CVE-2022-29518 | Koyoele | Unspecified vulnerability in Koyoele products Screen Creator Advance2, HMI GC-A2 series, and Real time remote monitoring and control tool Screen Creator Advance2 versions prior to Ver.0.1.1.3 Build01, HMI GC-A2 series(GC-A22W-CW, GC-A24W-C(W), GC-A26W-C(W), GC-A24, GC-A24-M, GC-A25, GC-A26, and GC-A26-J2), and Real time remote monitoring and control tool(Remote GC) allows a local attacker to bypass authentication due to the improper check for the Remote control setting's account names. | 7.0 |
234 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-21 | CVE-2022-1809 | Radare | Access of Uninitialized Pointer vulnerability in Radare Radare2 Access of Uninitialized Pointer in GitHub repository radareorg/radare2 prior to 5.7.0. | 6.8 |
2022-05-20 | CVE-2022-29427 | Disable Right Click FOR WP Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Disable Right Click for WP Wordpress Disable Right Click for WP Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress. | 6.8 |
2022-05-20 | CVE-2022-27653 | Siemens | Out-of-bounds Write vulnerability in Siemens Simcenter Femap A vulnerability has been identified in Simcenter Femap (All versions < V2022.2). | 6.8 |
2022-05-20 | CVE-2022-29032 | Siemens | Double Free vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1). | 6.8 |
2022-05-20 | CVE-2022-29033 | Siemens | Access of Uninitialized Pointer vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1). | 6.8 |
2022-05-20 | CVE-2022-29878 | Siemens | Authentication Bypass by Capture-replay vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 6.8 |
2022-05-20 | CVE-2022-25227 | Cybelesoft | Origin Validation Error vulnerability in Cybelesoft Thinfinity VNC 4.0.0.1 Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE. | 6.8 |
2022-05-18 | CVE-2022-22778 | Tibco | Cross-Site Request Forgery (CSRF) vulnerability in Tibco Businessconnect Trading Community Management The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system. | 6.8 |
2022-05-18 | CVE-2021-42849 | Lenovo | Improper Authentication vulnerability in Lenovo products A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access. | 6.8 |
2022-05-18 | CVE-2022-22786 | Zoom | Download of Code Without Integrity Check vulnerability in Zoom Meetings and Rooms The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. | 6.8 |
2022-05-18 | CVE-2022-27632 | Meikyo | Cross-Site Request Forgery (CSRF) vulnerability in Meikyo products Cross-site request forgery (CSRF) vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations by having a user to view a specially crafted page. | 6.8 |
2022-05-18 | CVE-2022-23067 | Tooljet | Information Exposure vulnerability in Tooljet ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . | 6.8 |
2022-05-17 | CVE-2022-29174 | Count | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Count Countly Server countly-server is the server-side part of Countly, a product analytics solution. | 6.8 |
2022-05-17 | CVE-2022-1118 | Rockwellautomation | Deserialization of Untrusted Data vulnerability in Rockwellautomation products Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. | 6.8 |
2022-05-17 | CVE-2022-28182 | Nvidia | Out-of-bounds Write vulnerability in Nvidia GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), where an unauthorized attacker on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution to cause denial of service, escalation of privileges, information disclosure, and data tampering. | 6.8 |
2022-05-16 | CVE-2022-1731 | Allgeier | SQL Injection vulnerability in Allgeier Metasonic DOC Webclient 7.0.12.0/7.0.14.0/7.0.3.0 Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0 is vulnerable to a SQL injection attack in the username field. | 6.8 |
2022-05-16 | CVE-2022-29623 | Connect Multiparty Project | Unrestricted Upload of File with Dangerous Type vulnerability in Connect-Multiparty Project Connect-Multiparty 2.2.0 An arbitrary file upload vulnerability in the file upload module of Connect-Multiparty v2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. | 6.8 |
2022-05-20 | CVE-2022-31258 | Tribe29 Checkmk | Link Following vulnerability in multiple products In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1.0b10, a site user can escalate to root by editing an OMD hook symlink. | 6.7 |
2022-05-20 | CVE-2022-29184 | Thoughtworks | Command Injection vulnerability in Thoughtworks Gocd GoCD is a continuous delivery server. | 6.5 |
2022-05-20 | CVE-2022-1770 | Trudesk Project | Improper Privilege Management vulnerability in Trudesk Project Trudesk Improper Privilege Management in GitHub repository polonel/trudesk prior to 1.2.2. | 6.5 |
2022-05-20 | CVE-2022-24045 | Siemens | Missing Encryption of Sensitive Data vulnerability in Siemens products A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). | 6.5 |
2022-05-20 | CVE-2022-29872 | Siemens | Improper Input Validation vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 6.5 |
2022-05-20 | CVE-2022-28965 | Avast | Uncontrolled Search Path Element vulnerability in Avast Premium Security 19.8.2393/20.8.2429 Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file. | 6.5 |
2022-05-19 | CVE-2022-28961 | Spip | SQL Injection vulnerability in Spip Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters. | 6.5 |
2022-05-19 | CVE-2020-16231 | Bachmann | Use of Password Hash With Insufficient Computational Effort vulnerability in Bachmann products The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. | 6.5 |
2022-05-19 | CVE-2021-41938 | Shopxo | Unrestricted Upload of File with Dangerous Type vulnerability in Shopxo 2.2.0 An issue was discovered in ShopXO CMS 2.2.0. | 6.5 |
2022-05-18 | CVE-2022-29229 | Cassproject | Unspecified vulnerability in Cassproject Competency and Skills System CaSS is a Competency and Skills System. | 6.5 |
2022-05-18 | CVE-2022-29445 | WOW Estore | Use of Incorrectly-Resolved Name or Reference vulnerability in Wow-Estore Popup BOX Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at WordPress. | 6.5 |
2022-05-17 | CVE-2022-24390 | Fidelissecurity | Command Injection vulnerability in Fidelissecurity Deception and Network Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. | 6.5 |
2022-05-17 | CVE-2022-24391 | Fidelissecurity | SQL Injection vulnerability in Fidelissecurity Deception and Network Vulnerability in Fidelis Network and Deception CommandPost enables SQL injection through the web interface by an attacker with user level access. | 6.5 |
2022-05-17 | CVE-2022-1706 | Redhat Fedoraproject | Incorrect Authorization vulnerability in multiple products A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. | 6.5 |
2022-05-17 | CVE-2022-23669 | Arubanetworks | Insufficient Session Expiration vulnerability in Arubanetworks Clearpass Policy Manager A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 6.5 |
2022-05-17 | CVE-2022-22475 | IBM | Unspecified vulnerability in IBM Open Liberty and Websphere Application Server IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. | 6.5 |
2022-05-17 | CVE-2022-30952 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Blue Ocean Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. | 6.5 |
2022-05-17 | CVE-2022-30953 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Blue Ocean A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. | 6.5 |
2022-05-17 | CVE-2022-30954 | Jenkins | Missing Authorization vulnerability in Jenkins Blue Ocean Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | 6.5 |
2022-05-17 | CVE-2022-30955 | Jenkins | Missing Authorization vulnerability in Jenkins Gitlab Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 6.5 |
2022-05-17 | CVE-2022-30959 | Jenkins | Missing Authorization vulnerability in Jenkins SSH A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-05-17 | CVE-2021-42643 | Cmseasy | Path Traversal vulnerability in Cmseasy 7.7.520211012 cmseasy V7.7.5_20211012 is affected by an arbitrary file write vulnerability. | 6.5 |
2022-05-16 | CVE-2022-23667 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 6.5 |
2022-05-16 | CVE-2021-25119 | Wpsocket | Unrestricted Upload of File with Dangerous Type vulnerability in Wpsocket Automatic Grid Image Listing The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type. | 6.5 |
2022-05-16 | CVE-2022-0573 | Jfrog | Deserialization of Untrusted Data vulnerability in Jfrog Artifactory JFrog Artifactory before 7.36.1 and 6.23.41, is vulnerable to Insecure Deserialization of untrusted data which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low privileged authenticated user due to insufficient validation of a user-provided serialized object. | 6.5 |
2022-05-16 | CVE-2022-0578 | Publify Project | Unspecified vulnerability in Publify Project Publify Code Injection in GitHub repository publify/publify prior to 9.2.8. | 6.5 |
2022-05-16 | CVE-2022-1103 | Advanced Uploader Project | Unrestricted Upload of File with Dangerous Type vulnerability in Advanced Uploader Project Advanced Uploader The Advanced Uploader WordPress plugin through 4.2 allows any authenticated users like subscriber to upload arbitrary files, such as PHP, which could lead to RCE | 6.5 |
2022-05-16 | CVE-2022-1182 | Visual Slide BOX Builder Project | SQL Injection vulnerability in Visual Slide BOX Builder Project Visual Slide BOX Builder The Visual Slide Box Builder WordPress plugin through 3.2.9 does not sanitise and escape various parameters before using them in SQL statements via some of its AJAX actions available to any authenticated users (such as subscriber), leading to SQL Injections | 6.5 |
2022-05-16 | CVE-2022-1409 | Vikwp | Unrestricted Upload of File with Dangerous Type vulnerability in Vikwp Hotel Booking Engine & PMS The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code | 6.5 |
2022-05-16 | CVE-2022-1560 | Amministrazione Aperta Project | Path Traversal vulnerability in Amministrazione Aperta Project Amministrazione Aperta The Amministrazione Aperta WordPress plugin before 3.8 does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. | 6.5 |
2022-05-21 | CVE-2022-29188 | Stripe | Server-Side Request Forgery (SSRF) vulnerability in Stripe Smokescreen Smokescreen is an HTTP proxy. | 6.4 |
2022-05-20 | CVE-2022-29877 | Siemens | Missing Authentication for Critical Function vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 6.4 |
2022-05-18 | CVE-2022-22785 | Zoom | Reliance on Cookies without Validation and Integrity Checking vulnerability in Zoom Meetings The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. | 6.4 |
2022-05-16 | CVE-2022-0574 | Publify Project | Incorrect Authorization vulnerability in Publify Project Publify Improper Access Control in GitHub repository publify/publify prior to 9.2.8. | 6.4 |
2022-05-20 | CVE-2022-27640 | Siemens | Resource Exhaustion vulnerability in Siemens products A vulnerability has been identified in SIMATIC CP 442-1 RNA (All versions < V1.5.18), SIMATIC CP 443-1 RNA (All versions < V1.5.18). | 6.1 |
2022-05-19 | CVE-2022-29652 | Online Sports Complex Booking System Project | SQL Injection vulnerability in Online Sports Complex Booking System Project Online Sports Complex Booking System 1.0 Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client. | 6.1 |
2022-05-18 | CVE-2022-1774 | Diagrams | Open Redirect vulnerability in Diagrams Drawio Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. | 6.1 |
2022-05-18 | CVE-2022-30991 | Acronis | Cross-site Scripting vulnerability in Acronis Cyber Protect 15 HTML injection via report name. | 6.1 |
2022-05-17 | CVE-2022-24611 | Silabs | Unspecified vulnerability in Silabs products Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block S0/S2 protected Z-Wave network via crafted S0 NonceGet Z-Wave packages, utilizing included but absent NodeIDs. | 6.1 |
2022-05-16 | CVE-2022-30776 | Atmail | Cross-site Scripting vulnerability in Atmail 6.5.0 atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter. | 6.1 |
2022-05-16 | CVE-2022-30777 | Parallels | Cross-site Scripting vulnerability in Parallels H-Sphere 3.6.2 Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter. | 6.1 |
2022-05-16 | CVE-2022-30770 | Terminalfour | Cross-site Scripting vulnerability in Terminalfour Terminalfour versions 8.3.7, 8.3.x versions prior to version 8.3.8 and r 8.2.x versions prior to version 8.2.18.5 or 8.2.18.2.1 are vulnerable to (XSS) vulnerability that could be exploited by an attacker to mislead an administrator and steal their credentials. | 6.1 |
2022-05-21 | CVE-2022-1752 | Trudesk Project | Unrestricted Upload of File with Dangerous Type vulnerability in Trudesk Project Trudesk Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.2. | 6.0 |
2022-05-19 | CVE-2022-30618 | Strapi | Improper Cross-boundary Removal of Sensitive Data vulnerability in Strapi An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). | 6.0 |
2022-05-18 | CVE-2022-22787 | Zoom | Improper Certificate Validation vulnerability in Zoom Meetings The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request. | 6.0 |
2022-05-21 | CVE-2022-29214 | Nextauth JS | Open Redirect vulnerability in Nextauth.Js Next-Auth NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. | 5.8 |
2022-05-20 | CVE-2022-29431 | Kubiq | Cross-Site Request Forgery (CSRF) vulnerability in Kubiq CPT Base Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base. | 5.8 |
2022-05-18 | CVE-2022-30992 | Acronis | Open Redirect vulnerability in Acronis Cyber Protect 15 Open redirect via user-controlled query parameter. | 5.8 |
2022-05-17 | CVE-2022-29435 | Code Snippets Extended Project | Cross-Site Request Forgery (CSRF) vulnerability in Code Snippets Extended Project Code Snippets Extended Cross-Site Request Forgery (CSRF) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress allows an attacker to delete or to turn on/off snippets. | 5.8 |
2022-05-21 | CVE-2022-29210 | Out-of-bounds Write vulnerability in Google Tensorflow 2.8.0 TensorFlow is an open source platform for machine learning. | 5.5 | |
2022-05-21 | CVE-2022-29213 | Reachable Assertion vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 5.5 | |
2022-05-20 | CVE-2022-29201 | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 5.5 | |
2022-05-20 | CVE-2022-29202 | Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 5.5 | |
2022-05-20 | CVE-2022-29196 | Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 5.5 | |
2022-05-20 | CVE-2022-29200 | Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 5.5 | |
2022-05-18 | CVE-2022-1771 | VIM | Uncontrolled Recursion vulnerability in VIM Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. | 5.5 |
2022-05-18 | CVE-2022-22784 | Zoom | XML Injection (aka Blind XPath Injection) vulnerability in Zoom Meetings The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. | 5.5 |
2022-05-18 | CVE-2022-30974 | Artifex Debian Fedoraproject | Uncontrolled Recursion vulnerability in multiple products compile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413. | 5.5 |
2022-05-18 | CVE-2022-30975 | Artifex Debian Fedoraproject | NULL Pointer Dereference vulnerability in multiple products In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp. | 5.5 |
2022-05-17 | CVE-2022-30067 | Gimp | Classic Buffer Overflow vulnerability in Gimp 2.10.30/2.99.10 GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. | 5.5 |
2022-05-16 | CVE-2022-25169 | Apache Oracle | Allocation of Resources Without Limits or Throttling vulnerability in multiple products The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. | 5.5 |
2022-05-16 | CVE-2022-30126 | Apache Oracle | In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. | 5.5 |
2022-05-20 | CVE-2022-28964 | Avast | Untrusted Search Path vulnerability in Avast Premium Security 19.8.2393/20.8.2429 An arbitrary file write vulnerability in Avast Premium Security before v21.11.2500 (build 21.11.6809.528) allows attackers to cause a Denial of Service (DoS) via a crafted DLL file. | 5.4 |
2022-05-18 | CVE-2022-30596 | Moodle Redhat Fedoraproject | Cross-site Scripting vulnerability in multiple products A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk. | 5.4 |
2022-05-18 | CVE-2022-23068 | Tooljet | Cross-site Scripting vulnerability in Tooljet ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail. | 5.4 |
2022-05-17 | CVE-2022-30956 | Jenkins | Cross-site Scripting vulnerability in Jenkins Rundeck Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads. | 5.4 |
2022-05-17 | CVE-2022-30960 | Jenkins | Cross-site Scripting vulnerability in Jenkins Application Detector Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30961 | Jenkins | Cross-site Scripting vulnerability in Jenkins Autocomplete Parameter 1.0/1.1 Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30962 | Jenkins | Cross-site Scripting vulnerability in Jenkins Global Variable String Parameter 1.1/1.2 Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30963 | Jenkins | Cross-site Scripting vulnerability in Jenkins JDK Parameter 1.0 Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30964 | Jenkins | Cross-site Scripting vulnerability in Jenkins Multiselect Parameter Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30965 | Jenkins | Cross-site Scripting vulnerability in Jenkins Promoted Builds Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30966 | Jenkins | Improper Encoding or Escaping of Output vulnerability in Jenkins Random String Parameter 1.0 Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30967 | Jenkins | Cross-site Scripting vulnerability in Jenkins Selection Tasks 1.0 Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30968 | Jenkins | Cross-site Scripting vulnerability in Jenkins Vboxwrapper Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-17 | CVE-2022-30970 | Jenkins | Cross-site Scripting vulnerability in Jenkins Autocomplete Parameter Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-05-20 | CVE-2022-29883 | Siemens | Missing Authentication for Critical Function vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 5.3 |
2022-05-19 | CVE-2022-22976 | Vmware Oracle Netapp | Integer Overflow or Wraparound vulnerability in multiple products Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. | 5.3 |
2022-05-18 | CVE-2022-30597 | Moodle Redhat Fedoraproject | A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field. | 5.3 |
2022-05-17 | CVE-2022-30689 | Hashicorp | Unspecified vulnerability in Hashicorp Vault 1.10.0/1.10.2 HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. | 5.3 |
2022-05-17 | CVE-2021-29726 | IBM | Improper Certificate Validation vulnerability in IBM products IBM Sterling Secure Proxy 6.0.3 and IBM Secure External Authentication Server 6.0.3 does not properly ensure that a certificate is actually associated with the host due to improper validation of certificates. | 5.3 |
2022-05-17 | CVE-2022-30949 | Jenkins | Unspecified vulnerability in Jenkins Repo 1.14.0 Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | 5.3 |
2022-05-18 | CVE-2022-1430 | Octoprint | Cross-site Scripting vulnerability in Octoprint Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0. | 5.1 |
2022-05-21 | CVE-2022-31268 | Gitblit | Path Traversal vulnerability in Gitblit 1.9.3 A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname). | 5.0 |
2022-05-21 | CVE-2022-29189 | Pion | Classic Buffer Overflow vulnerability in Pion Dtls Pion DTLS is a Go implementation of Datagram Transport Layer Security. | 5.0 |
2022-05-21 | CVE-2022-29190 | Pion | Infinite Loop vulnerability in Pion Dtls Pion DTLS is a Go implementation of Datagram Transport Layer Security. | 5.0 |
2022-05-21 | CVE-2022-29215 | Regionprotect Project | Argument Injection or Modification vulnerability in Regionprotect Project Regionprotect RegionProtect is a plugin that allows users to manage certain events in certain regions of the world. | 5.0 |
2022-05-21 | CVE-2022-29222 | Pion | Improper Certificate Validation vulnerability in Pion Dtls Pion DTLS is a Go implementation of Datagram Transport Layer Security. | 5.0 |
2022-05-20 | CVE-2022-24434 | Dicer Project | Unspecified vulnerability in Dicer Project Dicer This affects all versions of package dicer. | 5.0 |
2022-05-20 | CVE-2022-1784 | Diagrams | Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. | 5.0 |
2022-05-20 | CVE-2022-24043 | Siemens | Information Exposure Through Discrepancy vulnerability in Siemens products A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). | 5.0 |
2022-05-20 | CVE-2022-24044 | Siemens | Improper Restriction of Excessive Authentication Attempts vulnerability in Siemens products A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). | 5.0 |
2022-05-20 | CVE-2022-29874 | Siemens | Cleartext Transmission of Sensitive Information vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 5.0 |
2022-05-20 | CVE-2022-29881 | Siemens | Missing Authentication for Critical Function vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 5.0 |
2022-05-20 | CVE-2022-30551 | Opcfoundation | Resource Exhaustion vulnerability in Opcfoundation Ua-Java 20220401 OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages that exhaust available resources. | 5.0 |
2022-05-20 | CVE-2022-28987 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Adselfservice Plus 6.1 Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. | 5.0 |
2022-05-19 | CVE-2022-28946 | Openpolicyagent | Unspecified vulnerability in Openpolicyagent Open Policy Agent 0.39.0 An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret every expression, causing a Denial of Service (DoS) via triggering out-of-range memory access. | 5.0 |
2022-05-19 | CVE-2021-32934 | Throughtek | Cleartext Transmission of Sensitive Information vulnerability in Throughtek Kalay P2P Software Development KIT The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. | 5.0 |
2022-05-19 | CVE-2021-26631 | Mangboard | Improper Input Validation vulnerability in Mangboard Commerce Improper input validation vulnerability in Mangboard commerce package could lead to occur for abnormal request. | 5.0 |
2022-05-19 | CVE-2022-1670 | Octopus | Unspecified vulnerability in Octopus Server When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. | 5.0 |
2022-05-18 | CVE-2022-30993 | Acronis | Cleartext Transmission of Sensitive Information vulnerability in Acronis Cyber Protect 15 Cleartext transmission of sensitive information. | 5.0 |
2022-05-18 | CVE-2022-30994 | Acronis | Cleartext Transmission of Sensitive Information vulnerability in Acronis Cyber Protect 15 Cleartext transmission of sensitive information. | 5.0 |
2022-05-18 | CVE-2022-25162 | Mitsubishielectric Mitsubhishielectric | Improper Input Validation vulnerability in multiple products Improper Input Validation vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior and versions prior to 1.073, MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 17X**** or later and versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) with serial number 179**** and prior and versions prior to 1.073, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DSS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MR/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/z(x=24,40,60, y=T,R, z=ES,ESS) versions prior to 1.030, Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/ES-A(x=24,40,60, y=T,R) versions prior to 1.031 and Mitsubishi Electric MELSEC iQ-F series FX5S-xMy/z(x=30,40,60,80, y=T,R, z=ES,ESS) version 1.000 allows a remote unauthenticated attacker to cause a temporary DoS condition for the product's communication by sending specially crafted packets. | 5.0 |
2022-05-18 | CVE-2021-42848 | Lenovo | Missing Authorization vulnerability in Lenovo products An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details. | 5.0 |
2022-05-18 | CVE-2021-42851 | Lenovo | Unspecified vulnerability in Lenovo products A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account. | 5.0 |
2022-05-18 | CVE-2022-28955 | Dlink | Improper Authentication vulnerability in Dlink Dir-816L Firmware 206B01 An access control issue in D-Link DIR816L_FW206b01 allows unauthenticated attackers to access folders folder_view.php and category_view.php. | 5.0 |
2022-05-18 | CVE-2022-29646 | Totolink | Exposure of Resource to Wrong Sphere vulnerability in Totolink A3100R Firmware 4.1.2Cu.5050B20200504/4.1.2Cu.5247B20211129 An access control issue in TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 allows attackers to obtain sensitive information via a crafted web request. | 5.0 |
2022-05-18 | CVE-2019-25061 | Random Password Generator Project | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Random Password Generator Project Random Password Generator The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction. | 5.0 |
2022-05-17 | CVE-2022-1358 | Cambiumnetworks | SQL Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3 The affected On-Premise is vulnerable to data exfiltration through improper neutralization of special elements used in an SQL command. | 5.0 |
2022-05-17 | CVE-2022-1359 | Cambiumnetworks | Path Traversal vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3 The affected On-Premise cnMaestro is vulnerable to an arbitrary file-write through improper limitation of a pathname to a restricted directory inside a specific route. | 5.0 |
2022-05-17 | CVE-2022-1361 | Cambiumnetworks | SQL Injection vulnerability in Cambiumnetworks Cnmaestro 2.4.2/3.0.0/3.0.3 The affected On-Premise cnMaestro is vulnerable to a pre-auth data exfiltration through improper neutralization of special elements used in an SQL command. | 5.0 |
2022-05-17 | CVE-2020-4994 | IBM | Unspecified vulnerability in IBM Datapower Gateway IBM DataPower Gateway 10.0.1.0 through 10.0.1.4 and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a temporary denial of service by sending invalid HTTP requests. | 5.0 |
2022-05-17 | CVE-2021-38872 | IBM | Unspecified vulnerability in IBM Datapower Gateway IBM DataPower Gateway 10.0.2.0, 10.0.3.0, 10.0.1.0 through 10.0.1.4, and 2018.4.1.0 through 2018.4.1.17 could allow a remote user to cause a denial of service by consuming resources with multiple requests. | 5.0 |
2022-05-17 | CVE-2020-4957 | IBM | Information Exposure vulnerability in IBM Security Identity Governance and Intelligence 5.2.6 IBM Security Identity Governance and Intelligence 5.2.6 could disclose sensitive information in URL parameters that could aid in future attacks against the system. | 5.0 |
2022-05-17 | CVE-2022-24856 | Flyte | Server-Side Request Forgery (SSRF) vulnerability in Flyte Console FlyteConsole is the web user interface for the Flyte platform. | 5.0 |
2022-05-17 | CVE-2022-1711 | Diagrams | Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. | 5.0 |
2022-05-17 | CVE-2022-1723 | Diagrams | Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. | 5.0 |
2022-05-16 | CVE-2021-42870 | Accel PPP | Out-of-bounds Read vulnerability in Accel-Ppp 1.12.0 ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when processing a call_clear_request. | 5.0 |
2022-05-16 | CVE-2022-30012 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 In the POST request of the appointment.php page of HMS v.0, there are SQL injection vulnerabilities in multiple parameters, and database information can be obtained through injection. | 5.0 |
2022-05-16 | CVE-2022-29588 | Konicaminolta | Insufficiently Protected Credentials vulnerability in Konicaminolta products Konica Minolta bizhub MFP devices before 2022-04-14 use cleartext password storage for the /var/log/nginx/html/ADMINPASS and /etc/shadow files. | 5.0 |
2022-05-16 | CVE-2022-30782 | Openmoney API Project | Use of Insufficiently Random Values vulnerability in Openmoney API Project Openmoney API Openmoney API through 2020-06-29 uses the JavaScript Math.random function, which does not provide cryptographically secure random numbers. | 5.0 |
2022-05-20 | CVE-2022-1803 | Trudesk Project | Improper Restriction of Rendered UI Layers or Frames vulnerability in Trudesk Project Trudesk Improper Restriction of Rendered UI Layers or Frames in GitHub repository polonel/trudesk prior to 1.2.2. | 4.9 |
2022-05-18 | CVE-2022-1110 | Lenovo | Classic Buffer Overflow vulnerability in Lenovo Smart Standby Driver A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service. | 4.9 |
2022-05-17 | CVE-2022-28187 | Nvidia | Missing Release of Resource after Effective Lifetime vulnerability in Nvidia GPU Display Driver NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where the memory management software does not release a resource after its effective lifetime has ended, which may lead to denial of service. | 4.9 |
2022-05-17 | CVE-2022-28188 | Nvidia | Improper Input Validation vulnerability in Nvidia GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly, which may lead to denial of service. | 4.9 |
2022-05-17 | CVE-2022-28191 | Nvidia | Resource Exhaustion vulnerability in Nvidia Virtual GPU NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where uncontrolled resource consumption can be triggered by an unprivileged regular user, which may lead to denial of service. | 4.9 |
2022-05-20 | CVE-2021-36833 | Mailchimp FOR Wordpress Project | Cross-site Scripting vulnerability in Mailchimp for Wordpress Project Mailchimp for Wordpress Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress. | 4.8 |
2022-05-21 | CVE-2022-29216 | Code Injection vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 4.6 | |
2022-05-20 | CVE-2022-28990 | Wasm3 Project | Out-of-bounds Write vulnerability in Wasm3 Project Wasm3 0.5.0 WASM3 v0.5.0 was discovered to contain a heap overflow via the component /wabt/bin/poc.wasm. | 4.6 |
2022-05-20 | CVE-2022-29178 | Cilium | Incorrect Default Permissions vulnerability in Cilium Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. | 4.6 |
2022-05-19 | CVE-2020-4107 | Hcltech | Unspecified vulnerability in Hcltech Domino 10.0/11.0/9.0 HCL Domino is affected by an Insufficient Access Control vulnerability. | 4.6 |
2022-05-19 | CVE-2022-1730 | Diagrams | Cross-site Scripting vulnerability in Diagrams Drawio Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4. | 4.6 |
2022-05-18 | CVE-2022-30111 | MCK Smartlock Project | Use of a Broken or Risky Cryptographic Algorithm vulnerability in MCK Smartlock Project MCK Smartlock 1.0 Due to the use of an insecure algorithm for rolling codes in MCK Smartlock 1.0, allows attackers to unlock the mechanism via replay attacks. | 4.6 |
2022-05-18 | CVE-2022-0883 | Snowsoftware | Unquoted Search Path or Element vulnerability in Snowsoftware Snow License Manager SLM has an issue with Windows Unquoted/Trusted Service Paths Security Issue. | 4.6 |
2022-05-18 | CVE-2021-42850 | Lenovo | Use of Hard-coded Credentials vulnerability in Lenovo products A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access. | 4.6 |
2022-05-18 | CVE-2022-1432 | Octoprint | Cross-site Scripting vulnerability in Octoprint Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0. | 4.6 |
2022-05-16 | CVE-2021-33025 | Xarrow | Improper Input Validation vulnerability in Xarrow 7.2 xArrow SCADA versions 7.2 and prior permits unvalidated registry keys to be run with application-level privileges. | 4.6 |
2022-05-16 | CVE-2022-30695 | Acronis | Improper Privilege Management vulnerability in Acronis Snap Deploy 6 Local privilege escalation due to excessive permissions assigned to child processes. | 4.6 |
2022-05-16 | CVE-2022-30697 | Acronis | Unspecified vulnerability in Acronis Snap Deploy 6 Local privilege escalation due to insecure folder permissions. | 4.6 |
2022-05-18 | CVE-2021-3922 | Lenovo | Race Condition vulnerability in Lenovo System Interface Foundation A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3 that could allow a local attacker to connect and interact with the IMController child process' named pipe. | 4.4 |
2022-05-18 | CVE-2021-3969 | Lenovo | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Lenovo System Interface Foundation A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3that could allow a local attacker to elevate privileges. | 4.4 |
2022-05-16 | CVE-2022-30696 | Acronis | Uncontrolled Search Path Element vulnerability in Acronis Snap Deploy 6 Local privilege escalation due to a DLL hijacking vulnerability. | 4.4 |
2022-05-20 | CVE-2022-29430 | PNG TO JPG Project | Cross-site Scripting vulnerability in PNG to JPG Project PNG to JPG Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). | 4.3 |
2022-05-20 | CVE-2022-29425 | Wpwham | Cross-site Scripting vulnerability in Wpwham Checkout Files Upload for Woocommerce Cross-Site Scripting (XSS) vulnerability in WP Wham's Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress. | 4.3 |
2022-05-20 | CVE-2022-29182 | Thoughtworks | Cross-site Scripting vulnerability in Thoughtworks Gocd GoCD is a continuous delivery server. | 4.3 |
2022-05-20 | CVE-2022-29183 | Thoughtworks | Cross-site Scripting vulnerability in Thoughtworks Gocd GoCD is a continuous delivery server. | 4.3 |
2022-05-20 | CVE-2022-22365 | IBM | Unspecified vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by allowing a man-in-the-middle attacker to spoof SSL server hostnames. | 4.3 |
2022-05-20 | CVE-2022-29177 | Ethereum | Unspecified vulnerability in Ethereum GO Ethereum Go Ethereum is the official Golang implementation of the Ethereum protocol. | 4.3 |
2022-05-20 | CVE-2022-24906 | Nextcloud | Information Exposure Through an Error Message vulnerability in Nextcloud Deck Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. | 4.3 |
2022-05-20 | CVE-2022-24904 | Argoproj | Link Following vulnerability in Argoproj Argo CD Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. | 4.3 |
2022-05-20 | CVE-2022-24905 | Argoproj | Unspecified vulnerability in Argoproj Argo CD Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. | 4.3 |
2022-05-20 | CVE-2022-29028 | Siemens | Infinite Loop vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1). | 4.3 |
2022-05-20 | CVE-2022-29029 | Siemens | NULL Pointer Dereference vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1). | 4.3 |
2022-05-20 | CVE-2022-29030 | Siemens | Integer Overflow or Wraparound vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1). | 4.3 |
2022-05-20 | CVE-2022-29031 | Siemens | NULL Pointer Dereference vulnerability in Siemens Jt2Go and Teamcenter Visualization A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1). | 4.3 |
2022-05-20 | CVE-2022-29876 | Siemens | Cross-site Scripting vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 4.3 |
2022-05-20 | CVE-2022-29882 | Siemens | Cross-site Scripting vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 4.3 |
2022-05-20 | CVE-2022-1806 | RTX Project | Cross-site Scripting vulnerability in RTX Project RTX Cross-site Scripting (XSS) - Reflected in GitHub repository rtxteam/rtx prior to checkpoint_2022-05-18. | 4.3 |
2022-05-19 | CVE-2022-28959 | Spip | Cross-site Scripting vulnerability in Spip Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows attackers to execute arbitrary web scripts or HTML. | 4.3 |
2022-05-19 | CVE-2020-4970 | IBM | Cleartext Transmission of Sensitive Information vulnerability in IBM Security Identity Manager 5.2.4/5.2.5/5.2.6 IBM Security Identity Governance and Intelligence 5.2.4, 5.2.5, and 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. | 4.3 |
2022-05-18 | CVE-2021-38944 | IBM | Cross-site Scripting vulnerability in IBM Datapower Gateway IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. | 4.3 |
2022-05-18 | CVE-2022-25617 | Codesnippets | Cross-site Scripting vulnerability in Codesnippets Code Snippets Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via &orderby vulnerable parameter. | 4.3 |
2022-05-18 | CVE-2022-28921 | Blogengine | Cross-Site Request Forgery (CSRF) vulnerability in Blogengine Blogengine.Net 3.3.8.0 A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server. | 4.3 |
2022-05-18 | CVE-2022-30598 | Moodle Redhat Fedoraproject | A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it. | 4.3 |
2022-05-18 | CVE-2021-42702 | Inkscape | Access of Uninitialized Pointer vulnerability in Inkscape 0.91 Inkscape version 0.91 can access an uninitialized pointer, which may allow an attacker to have access to unauthorized information. | 4.3 |
2022-05-18 | CVE-2022-22777 | Tibco | Cross-site Scripting vulnerability in Tibco Businessconnect Trading Community Management The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow an unauthenticated attacker with network access to execute scripts targeting the affected system or the victim's local system. | 4.3 |
2022-05-18 | CVE-2021-3956 | Lenovo | Incorrect Authorization vulnerability in Lenovo Xclarity Controller A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. | 4.3 |
2022-05-18 | CVE-2021-27548 | Xpdfreader | NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 4.03 There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03. | 4.3 |
2022-05-18 | CVE-2022-1782 | Erudika | Cross-site Scripting vulnerability in Erudika Para Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11. | 4.3 |
2022-05-17 | CVE-2021-35249 | Solarwinds | Unspecified vulnerability in Solarwinds Serv-U This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. | 4.3 |
2022-05-17 | CVE-2022-23706 | HP | Cross-site Scripting vulnerability in HP Oneview A remote cross-site scripting (xss) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. | 4.3 |
2022-05-17 | CVE-2022-29436 | Code Snippets Extended Project | Cross-site Scripting vulnerability in Code Snippets Extended Project Code Snippets Extended Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code). | 4.3 |
2022-05-17 | CVE-2022-30045 | Ezxml Project | Out-of-bounds Read vulnerability in Ezxml Project Ezxml 0.8.6 An issue was discovered in libezxml.a in ezXML 0.8.6. | 4.3 |
2022-05-17 | CVE-2022-30946 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Script Security A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver. | 4.3 |
2022-05-17 | CVE-2022-30957 | Jenkins | Missing Authorization vulnerability in Jenkins SSH A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-05-17 | CVE-2022-30110 | Jirafeau | Cross-site Scripting vulnerability in Jirafeau The file preview functionality in Jirafeau < 4.4.0, which is enabled by default, could be exploited for cross site scripting. | 4.3 |
2022-05-17 | CVE-2013-10001 | HTC | Improper Certificate Validation vulnerability in HTC Mail 5.2.2222282614.528614.528614/5.5.550363 A vulnerability was found in HTC One/Sense 4.x. | 4.3 |
2022-05-16 | CVE-2022-23659 | Arubanetworks | Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager A remote reflected cross site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 4.3 |
2022-05-16 | CVE-2021-27442 | Weintek | Cross-site Scripting vulnerability in Weintek products The Weintek cMT product line is vulnerable to a cross-site scripting vulnerability, which could allow an unauthenticated remote attacker to inject malicious JavaScript code. | 4.3 |
2022-05-16 | CVE-2021-33001 | Xarrow | Cross-site Scripting vulnerability in Xarrow 7.2 xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘bdate’ of the resource xhisvalue.htm, which may allow an unauthorized attacker to execute arbitrary code. | 4.3 |
2022-05-16 | CVE-2021-33021 | Xarrow | Cross-site Scripting vulnerability in Xarrow 7.2 xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘edate’ of the resource xhisalarm.htm, which may allow an unauthorized attacker to execute arbitrary code. | 4.3 |
2022-05-16 | CVE-2021-23266 | Craftercms | Improper Encoding or Escaping of Output vulnerability in Craftercms Crafter CMS An anonymous user can craft a URL with text that ends up in the log viewer as is. | 4.3 |
2022-05-16 | CVE-2022-30050 | SIR | Cross-site Scripting vulnerability in SIR Gnuboard 5.55/5.56 Gnuboard 5.55 and 5.56 is vulnerable to Cross Site Scripting (XSS) via bbs/member_confirm.php. | 4.3 |
2022-05-16 | CVE-2022-1216 | Advanced Image Sitemap Project | Cross-site Scripting vulnerability in Advanced Image Sitemap Project Advanced Image Sitemap The Advanced Image Sitemap WordPress plugin through 1.2 does not sanitise and escape the PHP_SELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting. | 4.3 |
2022-05-16 | CVE-2022-1217 | Custom Tinymce Shortcode Button Project | Cross-site Scripting vulnerability in Custom Tinymce Shortcode Button Project Custom Tinymce Shortcode Button The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting. | 4.3 |
2022-05-16 | CVE-2022-1267 | BMI BMR Calculator Project | Cross-site Scripting vulnerability in BMI BMR Calculator Project BMI BMR Calculator The BMI BMR Calculator WordPress plugin through 1.3 does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-05-16 | CVE-2022-1349 | 2Code | Unspecified vulnerability in 2Code Wpqa Builder The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user. | 4.3 |
2022-05-16 | CVE-2022-1407 | Vikwp | Cross-Site Request Forgery (CSRF) vulnerability in Vikwp Hotel Booking Engine & PMS The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes. | 4.3 |
2022-05-16 | CVE-2022-1418 | Pluginmirror | Cross-site Scripting vulnerability in Pluginmirror Social Stickers The Social Stickers WordPress plugin through 2.2.9 does not have CSRF checks in place when updating its Social Network settings, and does not escape some of these fields, which could allow attackers to make a logged-in admin change them and lead to Stored Cross-Site Scripting issues. | 4.3 |
2022-05-16 | CVE-2022-1436 | Wptaskforce | Cross-site Scripting vulnerability in Wptaskforce Track & Trace The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks. | 4.3 |
2022-05-16 | CVE-2022-1455 | Callnowbutton | Cross-site Scripting vulnerability in Callnowbutton Call NOW Button The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled | 4.3 |
2022-05-16 | CVE-2022-1465 | Wpclever | Cross-site Scripting vulnerability in Wpclever WPC Smart Wishlist for Woocommerce The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue. | 4.3 |
2022-05-16 | CVE-2022-29017 | Axiosys | Improper Handling of Exceptional Conditions vulnerability in Axiosys Bento4 1.6.0.0 Bento4 v1.6.0.0 was discovered to contain a segmentation fault via the component /x86_64/multiarch/strlen-avx2.S. | 4.3 |
2022-05-16 | CVE-2022-30775 | Xpdfreader | Allocation of Resources Without Limits or Throttling vulnerability in Xpdfreader Xpdf 4.04 xpdf 4.04 allocates excessive memory when presented with crafted input. | 4.3 |
2022-05-20 | CVE-2022-29434 | Spiffyplugins | Authorization Bypass Through User-Controlled Key vulnerability in Spiffyplugins Spiffy Calendar Insecure Direct Object References (IDOR) vulnerability in Spiffy Plugins Spiffy Calendar <= 4.9.0 at WordPress allows an attacker to edit or delete events. | 4.0 |
2022-05-20 | CVE-2022-29447 | WOW Company | Files or Directories Accessible to External Parties vulnerability in Wow-Company Hover Effects Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress. | 4.0 |
2022-05-20 | CVE-2022-29448 | WOW Estore | Use of Incorrectly-Resolved Name or Reference vulnerability in Wow-Estore Herd Effects Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress. | 4.0 |
2022-05-20 | CVE-2022-29159 | Nextcloud | Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Deck Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. | 4.0 |
2022-05-20 | CVE-2022-29163 | Nextcloud | Lack of Administrator Control over Security vulnerability in Nextcloud Server Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. | 4.0 |
2022-05-20 | CVE-2022-29879 | Siemens | Missing Authentication for Critical Function vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 4.0 |
2022-05-20 | CVE-2022-1754 | Trudesk Project | Integer Overflow or Wraparound vulnerability in Trudesk Project Trudesk Integer Overflow or Wraparound in GitHub repository polonel/trudesk prior to 1.2.2. | 4.0 |
2022-05-19 | CVE-2022-29446 | WOW Company | Files or Directories Accessible to External Parties vulnerability in Wow-Company Counter BOX Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress. | 4.0 |
2022-05-19 | CVE-2021-45730 | Jfrog | Unspecified vulnerability in Jfrog Artifactory JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators. | 4.0 |
2022-05-18 | CVE-2022-28924 | Universis | Exposure of Resource to Wrong Sphere vulnerability in Universis Universis-Students An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/. | 4.0 |
2022-05-18 | CVE-2022-30976 | Gpac | Out-of-bounds Read vulnerability in Gpac 2.0.0 GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box. | 4.0 |
2022-05-17 | CVE-2022-22482 | IBM | Unrestricted Upload of File with Dangerous Type vulnerability in IBM Sterling B2B Integrator IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow an authenticated user to upload files that could fill up the filesystem and cause a denial of service. | 4.0 |
2022-05-17 | CVE-2022-29332 | Dlink | Path Traversal vulnerability in Dlink Dir-825 Firmware 2022.01.1313.48 D-LINK DIR-825 AC1200 R2 is vulnerable to Directory Traversal. | 4.0 |
2022-05-17 | CVE-2021-42644 | Cmseasy | Files or Directories Accessible to External Parties vulnerability in Cmseasy 7.7.520211012 cmseasy V7.7.5_20211012 is affected by an arbitrary file read vulnerability. | 4.0 |
2022-05-17 | CVE-2022-1753 | Wowonder | Incorrect Authorization vulnerability in Wowonder A vulnerability, which was classified as critical, was found in WoWonder. | 4.0 |
2022-05-16 | CVE-2022-23668 | Arubanetworks | Server-Side Request Forgery (SSRF) vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated server-side request forgery (ssrf) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 4.0 |
2022-05-16 | CVE-2022-23670 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 4.0 |
2022-05-16 | CVE-2021-23265 | Craftercms | Unspecified vulnerability in Craftercms Crafter CMS A logged-in and authenticated user with a Reviewer Role may lock a content item. | 4.0 |
2022-05-16 | CVE-2022-1398 | External Media Without Import Project | Server-Side Request Forgery (SSRF) vulnerability in External Media Without Import Project External Media Without Import The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks | 4.0 |
2022-05-16 | CVE-2022-1425 | 2Code | Authorization Bypass Through User-Controlled Key vulnerability in 2Code Wpqa Builder The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability. | 4.0 |
2022-05-16 | CVE-2022-1553 | Publify Project | Incorrect Authorization vulnerability in Publify Project Publify Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. | 4.0 |
2022-05-16 | CVE-2022-1728 | Trudesk Project | Integer Overflow or Wraparound vulnerability in Trudesk Project Trudesk Allowing long password leads to denial of service in polonel/trudesk in GitHub repository polonel/trudesk prior to 1.2.2. | 4.0 |
2022-05-16 | CVE-2022-29587 | Konicaminolta | Improper Privilege Management vulnerability in Konicaminolta products Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges. | 4.0 |
68 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-05-20 | CVE-2022-29208 | Out-of-bounds Write vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 3.6 | |
2022-05-17 | CVE-2022-28186 | Nvidia | Improper Input Validation vulnerability in Nvidia GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the product receives input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly, which may lead to denial of service or data tampering. | 3.6 |
2022-05-20 | CVE-2022-29426 | 2Joomla | Cross-site Scripting vulnerability in 2Joomla 2J Slideshow Authenticated (contributor or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in 2J Slideshow Team's Slideshow, Image Slider by 2J plugin <= 1.3.54 at WordPress. | 3.5 |
2022-05-20 | CVE-2022-29428 | Muneeb | Cross-site Scripting vulnerability in Muneeb WP Slider Cross-Site Scripting (XSS) vulnerability in Muneeb's WP Slider Plugin <= 1.4.5 at WordPress. | 3.5 |
2022-05-20 | CVE-2022-29432 | TMS Outsource | Cross-site Scripting vulnerability in Tms-Outsource Wpdatatables Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters. | 3.5 |
2022-05-20 | CVE-2022-29185 | Totp RS Project | Information Exposure Through Discrepancy vulnerability in Totp-Rs Project Totp-Rs totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). | 3.5 |
2022-05-20 | CVE-2022-29424 | Oxilab | Cross-site Scripting vulnerability in Oxilab Image Hover Effects Ultimate Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in Biplob Adhikari's Image Hover Effects Ultimate plugin <= 9.7.1 at WordPress. | 3.5 |
2022-05-20 | CVE-2021-39043 | IBM | Cross-site Scripting vulnerability in IBM Jazz Team Server IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to stored cross-site scripting. | 3.5 |
2022-05-20 | CVE-2021-43728 | PIX Link | Cross-site Scripting vulnerability in Pix-Link Lv-Wr09 Firmware 28K.Minirouter.20190211 Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized SSID parameter. | 3.5 |
2022-05-20 | CVE-2021-43729 | PIX Link | Cross-site Scripting vulnerability in Pix-Link Lv-Wr09 Firmware 28K.Minirouter.20190211 Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter. | 3.5 |
2022-05-20 | CVE-2022-29880 | Siemens | Cross-site Scripting vulnerability in Siemens products A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). | 3.5 |
2022-05-20 | CVE-2022-25224 | Proton Project | Cross-site Scripting vulnerability in Proton Project Proton 0.2.0 Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. | 3.5 |
2022-05-20 | CVE-2022-31215 | Goverlan | Unspecified vulnerability in Goverlan Client Agent, Reach Console and Reach Server In certain Goverlan products, the Windows Firewall is temporarily turned off upon a Goverlan agent update operation. | 3.5 |
2022-05-20 | CVE-2022-25229 | Popcorn Time Project | Cross-site Scripting vulnerability in Popcorn Time Project Popcorn Time 0.4.7 Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. | 3.5 |
2022-05-20 | CVE-2022-28985 | Orangehrm | Cross-site Scripting vulnerability in Orangehrm 4.10.1 A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | 3.5 |
2022-05-19 | CVE-2022-1416 | Gitlab | Cross-site Scripting vulnerability in Gitlab Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling | 3.5 |
2022-05-19 | CVE-2022-29449 | Wpopal | Cross-site Scripting vulnerability in Wpopal Opal Hotel Room Booking Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin <= 1.2.7 at WordPress. | 3.5 |
2022-05-18 | CVE-2022-29230 | Shopify | Cross-site Scripting vulnerability in Shopify Hydrogen Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. | 3.5 |
2022-05-18 | CVE-2021-42700 | Inkscape | Out-of-bounds Read vulnerability in Inkscape 0.91 Inkscape 0.91 is vulnerable to an out-of-bounds read, which may allow an attacker to have access to unauthorized information. | 3.5 |
2022-05-18 | CVE-2022-22776 | Tibco | Cross-site Scripting vulnerability in Tibco Businessconnect Trading Community Management The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable vulnerabilities that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. | 3.5 |
2022-05-18 | CVE-2022-28717 | Meikyo | Cross-site Scripting vulnerability in Meikyo products Cross-site scripting vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker with the administrative privilege to inject an arbitrary script via unspecified vectors. | 3.5 |
2022-05-18 | CVE-2021-41946 | Fiberhome | Cross-site Scripting vulnerability in Fiberhome Hg150-Ub Firmware 3.0 In FiberHome VDSL2 Modem HG150-Ub_V3.0, a stored cross-site scripting (XSS) vulnerability in Parental Control --> Access Time Restriction --> Username field, a user cannot delete the rule due to the XSS. | 3.5 |
2022-05-17 | CVE-2022-23674 | Arubanetworks | Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 3.5 |
2022-05-17 | CVE-2022-24890 | Nextcloud | Incorrect Default Permissions vulnerability in Nextcloud Talk Nextcloud Talk is a video and audio conferencing app for Nextcloud. | 3.5 |
2022-05-17 | CVE-2022-22773 | Tibco | Cross-site Scripting vulnerability in Tibco Jasperreports Server The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system. | 3.5 |
2022-05-17 | CVE-2022-22775 | Tibco | Cross-site Scripting vulnerability in Tibco products The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. | 3.5 |
2022-05-17 | CVE-2022-23675 | Arubanetworks | Cross-site Scripting vulnerability in Arubanetworks Clearpass Policy Manager A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. | 3.5 |
2022-05-17 | CVE-2022-30072 | Wbce | Cross-site Scripting vulnerability in Wbce CMS 1.5.2 WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via \admin\pages\sections_save.php namesection2 parameters. | 3.5 |
2022-05-17 | CVE-2022-30073 | Wbce | Cross-site Scripting vulnerability in Wbce CMS 1.5.2 WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via /admin/users/save.php. | 3.5 |
2022-05-17 | CVE-2021-42943 | Ipplan Project | Cross-site Scripting vulnerability in Ipplan Project Ipplan 4.92B Stored cross-site scripting (XSS) in admin/usermanager.php over IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter. | 3.5 |
2022-05-16 | CVE-2022-0873 | Codeasily | Cross-site Scripting vulnerability in Codeasily Gmedia Gallery The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed | 3.5 |
2022-05-16 | CVE-2022-1051 | 2Code | Cross-site Scripting vulnerability in 2Code Wpqa Builder The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not sanitise and escape the city, phone or profile credentials fields when outputting it in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks. | 3.5 |
2022-05-16 | CVE-2022-1062 | Th23 | Cross-site Scripting vulnerability in Th23 Social The th23 Social WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-05-16 | CVE-2022-1089 | Wpsheeteditor | Cross-site Scripting vulnerability in Wpsheeteditor Bulk Edit and Create User Profiles - WP Sheet Editor The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
2022-05-16 | CVE-2022-1265 | AIT PRO | Cross-site Scripting vulnerability in Ait-Pro Bulletproof Security The BulletProof Security WordPress plugin before 6.1 does not sanitize and escape some of its CAPTCHA settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 3.5 |
2022-05-16 | CVE-2022-1334 | WP Youtube Live Project | Cross-site Scripting vulnerability in WP Youtube Live Project WP Youtube Live The WP YouTube Live WordPress plugin before 1.8.3 does not validate, sanitise and escape various of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 3.5 |
2022-05-16 | CVE-2022-1393 | WP Subtitle Project | Cross-site Scripting vulnerability in WP Subtitle Project WP Subtitle The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. | 3.5 |
2022-05-16 | CVE-2022-1408 | Vikwp | Cross-site Scripting vulnerability in Vikwp Hotel Booking Engine & PMS The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 3.5 |
2022-05-16 | CVE-2022-1435 | Wptaskforce | Cross-site Scripting vulnerability in Wptaskforce Track & Trace The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitize and escapes some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | 3.5 |
2022-05-16 | CVE-2022-1512 | Scrollrevealjs Effects Project | Cross-site Scripting vulnerability in Scrollrevealjs-Effects Project Scrollrevealjs-Effects The ScrollReveal.js Effects WordPress plugin through 1.2 does not sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 3.5 |
2022-05-16 | CVE-2022-1557 | Uleak Security Dashboard Project | Cross-site Scripting vulnerability in Uleak-Security-Dashboard Project Uleak-Security-Dashboard The ULeak Security & Monitoring WordPress plugin through 1.2.3 does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings | 3.5 |
2022-05-16 | CVE-2022-1559 | Clipr | Cross-site Scripting vulnerability in Clipr The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed | 3.5 |
2022-05-16 | CVE-2022-1726 | Bootstrap Table | Cross-site Scripting vulnerability in Bootstrap-Table Bootstrap Table Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in GitHub repository wenzhixin/bootstrap-table prior to 1.20.2. | 3.5 |
2022-05-16 | CVE-2022-30013 | Totaljs | Cross-site Scripting vulnerability in Totaljs Total.Js 3.4.5 A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file. | 3.5 |
2022-05-20 | CVE-2022-29160 | Nextcloud | Incomplete Cleanup vulnerability in Nextcloud Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. | 3.3 |
2022-05-16 | CVE-2022-1722 | Diagrams | Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. | 3.3 |
2022-05-21 | CVE-2022-29209 | Type Confusion vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-21 | CVE-2022-29211 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-21 | CVE-2022-29212 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29203 | Integer Overflow or Wraparound vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29204 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29205 | Use of Uninitialized Resource vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29206 | NULL Pointer Dereference vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29193 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29195 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29197 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29198 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29199 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29207 | Undefined Behavior for Input to API vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29191 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29192 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-29194 | Improper Input Validation vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 2.1 | |
2022-05-20 | CVE-2022-27242 | Siemens | Classic Buffer Overflow vulnerability in Siemens Openv2G 0.9.4 A vulnerability has been identified in OpenV2G (V0.9.4). | 2.1 |
2022-05-19 | CVE-2020-16235 | Emerson | Inadequate Encryption Strength vulnerability in Emerson Openenterprise Scada Server 2.8.3/3.1/3.3.3 Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained. | 2.1 |
2022-05-17 | CVE-2022-28189 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia GPU Display Driver NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a NULL pointer dereference may lead to a system crash. | 2.1 |
2022-05-17 | CVE-2022-28190 | Nvidia | Improper Input Validation vulnerability in Nvidia GPU Display Driver NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation can cause denial of service. | 2.1 |
2022-05-17 | CVE-2022-22484 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Spectrum Protect IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a local attacker to obtain sensitive information, caused by plain text user account passwords potentially being stored in the browser's application command history. | 2.1 |
2022-05-17 | CVE-2022-28192 | Nvidia | Use After Free vulnerability in Nvidia Virtual GPU NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where it may lead to a use-after-free, which in turn may cause denial of service. | 1.9 |