Weekly Vulnerabilities Reports > May 23 to 29, 2022

Overview

361 new vulnerabilities reported during this period, including 56 critical vulnerabilities and 168 high severity vulnerabilities. This weekly summary report vulnerabilities in 336 products from 159 vendors including Apple, Chshcms, Fedoraproject, Debian, and Cisco. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Classic Buffer Overflow", and "Out-of-bounds Read".

  • 251 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 124 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 228 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 77 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

56 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-23 CVE-2022-1467 Aveva Unspecified vulnerability in Aveva products

Windows OS can be configured to overlay a “language bar” on top of any application.

9.9
2022-05-26 CVE-2022-26775 Apple Integer Overflow or Wraparound vulnerability in Apple mac OS X and Macos

An integer overflow was addressed with improved input validation.

9.8
2022-05-26 CVE-2022-26776 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

9.8
2022-05-26 CVE-2022-29632 Roncoo Unrestricted Upload of File with Dangerous Type vulnerability in Roncoo Roncoo-Education 9.0.0

An arbitrary file upload vulnerability in the component /course/api/upload/pic of Roncoo Education v9.0.0 allows attackers to execute arbitrary code via a crafted file.

9.8
2022-05-26 CVE-2022-29633 Linglong Project Unspecified vulnerability in Linglong Project Linglong 1.0

An access control issue in Linglong v1.0 allows attackers to access the background of the application via a crafted cookie.

9.8
2022-05-26 CVE-2022-26708 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

9.8
2022-05-26 CVE-2022-26711 Apple Integer Overflow or Wraparound vulnerability in Apple products

An integer overflow issue was addressed with improved input validation.

9.8
2022-05-26 CVE-2022-26723 Apple Out-of-bounds Write vulnerability in Apple Macos

A memory corruption issue was addressed with improved input validation.

9.8
2022-05-26 CVE-2021-33016 Kuka Unspecified vulnerability in Kuka KR C4 Firmware and KSS

An attacker can gain full access (read/write/delete) to sensitive folders due to hard-coded credentials on KUKA KR C4 control software for versions prior to 8.7 or any product running KSS.

9.8
2022-05-26 CVE-2022-21831 Rubyonrails
Debian
Code Injection vulnerability in multiple products

A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.

9.8
2022-05-26 CVE-2022-30493 Automotive Shop Management System Project SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0

In oretnom23 Automotive Shop Management System v1.0, the product id parameter suffers from a blind SQL Injection Vulnerability allowing remote attackers to dump all database credential and gain admin access(privilege escalation).

9.8
2022-05-26 CVE-2022-30495 Automotive Shop Management System Project Authorization Bypass Through User-Controlled Key vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0

In oretnom23 Automotive Shop Management System v1.0, the name id parameter is vulnerable to IDOR - Broken Access Control allowing attackers to change the admin password(vertical privilege escalation)

9.8
2022-05-26 CVE-2022-30516 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

In Hospital-Management-System v1.0, the editid parameter in the doctor.php page is vulnerable to SQL injection attacks.

9.8
2022-05-26 CVE-2022-24422 Dell Improper Authentication vulnerability in Dell Idrac9

Dell iDRAC9 versions 5.00.00.00 and later but prior to 5.10.10.00, contain an improper authentication vulnerability.

9.8
2022-05-26 CVE-2022-30472 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC Seris Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function fromAddressNat

9.8
2022-05-26 CVE-2022-30474 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a heap overflow in the httpd module when handling /goform/saveParentControlInfo request.

9.8
2022-05-26 CVE-2022-30476 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetFirewallCfg request.

9.8
2022-05-26 CVE-2022-30477 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetClientState request.

9.8
2022-05-26 CVE-2022-30500 Jflyfox SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0

Jfinal cms 5.1.0 is vulnerable to SQL Injection.

9.8
2022-05-26 CVE-2022-1664 Debian
Netapp
Path Traversal vulnerability in multiple products

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability.

9.8
2022-05-26 CVE-2022-29660 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/pic/del.

9.8
2022-05-25 CVE-2022-26082 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112.

9.8
2022-05-25 CVE-2022-23775 Truestack Unspecified vulnerability in Truestack Direct Connect 1.4.7

TrueStack Direct Connect 1.4.7 has Incorrect Access Control.

9.8
2022-05-25 CVE-2022-29379 F5 Out-of-bounds Write vulnerability in F5 NJS 0.7.3

Nginx NJS v0.7.3 was discovered to contain a stack overflow in the function njs_default_module_loader at /src/njs/src/njs_module.c.

9.8
2022-05-25 CVE-2022-29650 Online Food Ordering System Project SQL Injection vulnerability in Online Food Ordering System Project Online Food Ordering System 1.0

Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the Search parameter at /online-food-order/food-search.php.

9.8
2022-05-25 CVE-2022-26945 Hashicorp Unspecified vulnerability in Hashicorp Go-Getter

go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing.

9.8
2022-05-25 CVE-2022-28862 Archibus SQL Injection vulnerability in Archibus web Central 21.3.3.815

In Archibus Web Central before 26.2, multiple SQL Injection vulnerabilities occur in dwr/call/plaincall/workflow.runWorkflowRule.dwr.

9.8
2022-05-25 CVE-2022-30595 Python Out-of-bounds Write vulnerability in Python Pillow 9.1.0

libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files.

9.8
2022-05-25 CVE-2022-29361 Palletsprojects HTTP Request Smuggling vulnerability in Palletsprojects Werkzeug

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body.

9.8
2022-05-24 CVE-2022-29334 H Project Authentication Bypass by Capture-replay vulnerability in H Project H 1.0

An issue in H v1.0 allows attackers to bypass authentication via a session replay attack.

9.8
2022-05-24 CVE-2022-29337 Cdatatec OS Command Injection vulnerability in Cdatatec Fd702Xw-X-R430 Firmware 2.1.13X001

C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6.

9.8
2022-05-24 CVE-2013-10003 Telecomsoftware SQL Injection vulnerability in Telecomsoftware Samwin Agent and Samwin Contact Center

A vulnerability classified as critical has been found in Telecommunication Software SAMwin Contact Center Suite 5.1.

9.8
2022-05-24 CVE-2013-10004 Telecomsoftware Improper Restriction of Excessive Authentication Attempts vulnerability in Telecomsoftware Samwin Agent and Samwin Contact Center

A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1.

9.8
2022-05-24 CVE-2021-45914 Luxsoft Unspecified vulnerability in Luxsoft Luxcal

In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request.

9.8
2022-05-24 CVE-2021-45915 Luxsoft Unspecified vulnerability in Luxsoft Luxcal

In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value.

9.8
2022-05-24 CVE-2022-29223 Microsoft Classic Buffer Overflow vulnerability in Microsoft Azure Rtos Usbx

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack.

9.8
2022-05-24 CVE-2022-29246 Microsoft Unspecified vulnerability in Microsoft Azure Rtos Usbx

Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack.

9.8
2022-05-24 CVE-2022-30838 Covid 19 Travel Pass Management System Project SQL Injection vulnerability in Covid 19 Travel Pass Management System Project Covid 19 Travel Pass Management System 1.0

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f=update_application_status

9.8
2022-05-24 CVE-2022-30461 Water Billing System Project SQL Injection vulnerability in Water Billing System Project Water Billing System 1.0

Water-billing-management-system v1.0 is vulnerable to SQL Injection via /wbms/classes/Master.php?f=delete_client, id

9.8
2022-05-24 CVE-2021-42654 Sscms Unrestricted Upload of File with Dangerous Type vulnerability in Sscms Siteserver CMS

SiteServer CMS < V5.1 is affected by an unrestricted upload of a file with dangerous type (getshell), which could be used to execute arbitrary code.

9.8
2022-05-24 CVE-2022-30454 Merchandise Online Store Project SQL Injection vulnerability in Merchandise Online Store Project Merchandise Online Store 1.0

Merchandise Online Store 1.0 is vulnerable to SQL Injection via /vloggers_merch/classes/Master.php?f=delete_product.

9.8
2022-05-24 CVE-2022-30455 Badminton Center Management System Project SQL Injection vulnerability in Badminton Center Management System Project Badminton Center Management System 1.0

Badminton Center Management System 1.0 is vulnerable to SQL Injection via /bcms/classes/Master.php?f=delete_court_rental, id.

9.8
2022-05-23 CVE-2021-32935 Cognex Unspecified vulnerability in Cognex In-Sight OPC Server

The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation.

9.8
2022-05-23 CVE-2021-32941 Annke Out-of-bounds Write vulnerability in Annke N48Pbb Firmware 3.4.106

Annke N48PBB (Network Video Recorder) products of version 3.4.106 build 200422 and prior are vulnerable to a stack-based buffer overflow, which allows an unauthorized remote attacker to execute arbitrary code with the same privileges as the server user (root).

9.8
2022-05-23 CVE-2022-28932 Dlink Incorrect Default Permissions vulnerability in Dlink Dsl-G2452Dg Firmware

D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.

9.8
2022-05-23 CVE-2022-29599 Apache
Debian
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
9.8
2022-05-23 CVE-2022-0781 Nirweb Unspecified vulnerability in Nirweb Support

The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection

9.8
2022-05-23 CVE-2022-1014 Labarta Unspecified vulnerability in Labarta WP Contacts Manager

The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability.

9.8
2022-05-25 CVE-2022-26833 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121.

9.4
2022-05-27 CVE-2022-20797 Cisco OS Command Injection vulnerability in Cisco Secure Network Analytics 2.1.1

A vulnerability in the web-based management interface of Cisco Secure Network Analytics, formerly Cisco Stealthwatch Enterprise, could allow an authenticated, remote attacker to execute arbitrary commands as an administrator on the underlying operating system.

9.1
2022-05-26 CVE-2022-26693 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

9.1
2022-05-26 CVE-2022-26694 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

9.1
2022-05-26 CVE-2022-1899 Radare Out-of-bounds Read vulnerability in Radare Radare2

Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7.0.

9.1
2022-05-25 CVE-2021-27779 Hcltech Missing Encryption of Sensitive Data vulnerability in Hcltech Versionvault Express 2.0.1

VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server.

9.1
2022-05-24 CVE-2020-4926 IBM Missing Authorization vulnerability in IBM Elastic Storage System and Spectrum Scale

A vulnerability in the Spectrum Scale 5.1 core component and IBM Elastic Storage System 6.1 could allow unauthorized access to user data or injection of arbitrary data in the communication protocol.

9.1
2022-05-24 CVE-2013-10002 Telecomsoftware Use of Hard-coded Credentials vulnerability in Telecomsoftware Samwin Agent and Samwin Contact Center

A vulnerability was found in Telecommunication Software SAMwin Contact Center Suite 5.1.

9.1

168 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-26 CVE-2022-26748 Apple Out-of-bounds Write vulnerability in Apple mac OS X

An out-of-bounds write issue was addressed with improved input validation.

8.8
2022-05-26 CVE-2022-30584 RSA Unspecified vulnerability in RSA Archer

Archer Platform 6.3 before 6.11 (6.11.0.0) contains an Improper Access Control Vulnerability within SSO ADFS functionality that could potentially be exploited by malicious users to compromise the affected system.

8.8
2022-05-26 CVE-2022-31265 Wargaming Authentication Bypass by Capture-replay vulnerability in Wargaming World of Warships 0.11.4

The replay feature in the client in Wargaming World of Warships 0.11.4 allows remote attackers to execute code when a user launches a replay from an untrusted source.

8.8
2022-05-26 CVE-2021-33014 Kuka Unspecified vulnerability in Kuka KR C4 Firmware and KSS

An attacker can gain VxWorks Shell after login due to hard-coded credentials on a KUKA KR C4 control software for versions prior to 8.7 or any product running KSS.

8.8
2022-05-26 CVE-2022-1261 Honeywell Unspecified vulnerability in Honeywell Matrikon OPC Server

Matrikon, a subsidary of Honeywell Matrikon OPC Server (all versions) is vulnerable to a condition where a low privileged user allowed to connect to the OPC server to use the functions of the IPersisFile to execute operating system processes with system-level privileges.

8.8
2022-05-26 CVE-2022-26857 Dell Unspecified vulnerability in Dell Openmanage Enterprise 3.5/3.6.1

Dell OpenManage Enterprise Versions 3.8.3 and prior contain an improper authorization vulnerability.

8.8
2022-05-26 CVE-2021-34360 Qnap Cross-Site Request Forgery (CSRF) vulnerability in Qnap NAS Proxy Server

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server.

8.8
2022-05-26 CVE-2022-29664 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/pl_save.

8.8
2022-05-26 CVE-2022-29667 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via /admin.php/pic/admin/pic/hy.

8.8
2022-05-26 CVE-2022-29669 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/lists/zhuan.

8.8
2022-05-26 CVE-2022-29685 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/User/level_sort.

8.8
2022-05-26 CVE-2021-40317 Piwigo SQL Injection vulnerability in Piwigo 11.5.0

Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.

8.8
2022-05-25 CVE-2022-27305 Gibbonedu Session Fixation vulnerability in Gibbonedu Gibbon

Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.

8.8
2022-05-25 CVE-2022-1883 Camptocamp SQL Injection vulnerability in Camptocamp Terraboard

SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.

8.8
2022-05-24 CVE-2022-22495 IBM SQL Injection vulnerability in IBM I 7.3/7.4/7.5

IBM i 7.3, 7.4, and 7.5 is vulnerable to SQL injection.

8.8
2022-05-24 CVE-2014-125001 Cardosystems Improper Privilege Management vulnerability in Cardosystems Scala Rider Q3 Firmware

A vulnerability classified as critical has been found in Cardo Systems Scala Rider Q3.

8.8
2022-05-24 CVE-2021-4229 UA Parser JS Project Inclusion of Functionality from Untrusted Control Sphere vulnerability in Ua-Parser-Js Project Ua-Parser-Js 0.7.29/0.8.0/1.0.0

A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0.

8.8
2022-05-24 CVE-2022-29221 Smarty
Debian
Fedoraproject
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.
8.8
2022-05-24 CVE-2022-30843 Room Rent Portal Site Project SQL Injection vulnerability in Room Rent Portal Site Project Room Rent Portal Site 1.0

Room-rent-portal-site v1.0 is vulnerable to SQL Injection via /rrps/classes/Master.php?f=delete_category, id.

8.8
2022-05-24 CVE-2022-30459 Chatbot APP With Suggestion Project SQL Injection vulnerability in Chatbot APP With Suggestion Project Chatbot APP With Suggestion 1.0

ChatBot App with Suggestion in PHP/OOP v1.0 is vulnerable to SQL Injection via /simple_chat_bot/classes/Master.php?f=delete_response, id.

8.8
2022-05-24 CVE-2022-30463 Automotive Shop Management System Project SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/classes/Master.php?f=delete_product.

8.8
2022-05-24 CVE-2021-42655 Sscms SQL Injection vulnerability in Sscms Siteserver CMS 6.15.51

SiteServer CMS V6.15.51 is affected by a SQL injection vulnerability.

8.8
2022-05-24 CVE-2022-1839 Home Clean Services Management System Project SQL Injection vulnerability in Home Clean Services Management System Project Home Clean Services Management System 1.0

A vulnerability classified as critical was found in Home Clean Services Management System 1.0.

8.8
2022-05-23 CVE-2022-28999 Bloodshed Incorrect Default Permissions vulnerability in Bloodshed Dev-C++ 4.9.9.2

Insecure permissions in the install directories and binaries of Dev-CPP v4.9.9.2 allows attackers to execute arbitrary code via overwriting the binary devcpp.exe.

8.8
2022-05-23 CVE-2022-29002 Xuxueli Cross-Site Request Forgery (CSRF) vulnerability in Xuxueli Xxl-Job 2.3.0

A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.

8.8
2022-05-23 CVE-2022-29376 Apachefriends Incorrect Default Permissions vulnerability in Apachefriends Xampp

Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory.

8.8
2022-05-23 CVE-2022-28944 Emcosoftware Download of Code Without Integrity Check vulnerability in Emcosoftware products

Certain EMCO Software products are affected by: CWE-494: Download of Code Without Integrity Check.

8.8
2022-05-23 CVE-2022-30016 Rescue Dispatch Management System Project Incorrect Authorization vulnerability in Rescue Dispatch Management System Project Rescue Dispatch Management System 1.0

Rescue Dispatch Management System 1.0 is vulnerable to Incorrect Access Control via http://localhost/rdms/admin/?page=system_info.

8.8
2022-05-23 CVE-2022-30014 Simple Food Website Project Cross-Site Request Forgery (CSRF) vulnerability in Simple Food Website Project Simple Food Website 1.0

Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.

8.8
2022-05-23 CVE-2021-42585 GNU Out-of-bounds Write vulnerability in GNU Libredwg

A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

8.8
2022-05-23 CVE-2021-42586 GNU Out-of-bounds Write vulnerability in GNU Libredwg

A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.

8.8
2022-05-25 CVE-2022-30321 Hashicorp Command Injection vulnerability in Hashicorp Go-Getter

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws.

8.6
2022-05-25 CVE-2022-30322 Hashicorp Unspecified vulnerability in Hashicorp Go-Getter

go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses.

8.6
2022-05-25 CVE-2022-30323 Hashicorp Unspecified vulnerability in Hashicorp Go-Getter

go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files.

8.6
2022-05-25 CVE-2021-44719 Docker Unspecified vulnerability in Docker Desktop

Docker Desktop 4.3.0 has Incorrect Access Control.

8.4
2022-05-27 CVE-2022-1907 Libmobi Project Out-of-bounds Read vulnerability in Libmobi Project Libmobi

Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.

8.1
2022-05-27 CVE-2022-1908 Libmobi Project Out-of-bounds Read vulnerability in Libmobi Project Libmobi

Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.

8.1
2022-05-26 CVE-2022-22576 Haxx
Debian
Netapp
Brocade
Splunk
Missing Authentication for Critical Function vulnerability in multiple products

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.

8.1
2022-05-25 CVE-2022-29248 Guzzlephp
Drupal
Debian
Reliance on Cookies without Validation and Integrity Checking vulnerability in multiple products

Guzzle is a PHP HTTP client.

8.1
2022-05-24 CVE-2022-1669 Circutor Unspecified vulnerability in Circutor Compact Dc-S Basic Firmware 1.2.17

A buffer overflow vulnerability has been detected in the firewall function of the device management web portal.

8.1
2022-05-24 CVE-2022-1850 Filegator Path Traversal vulnerability in Filegator

Path Traversal in GitHub repository filegator/filegator prior to 7.8.0.

8.1
2022-05-24 CVE-2022-29305 Imgurl Project SQL Injection vulnerability in Imgurl Project Imgurl 2.31

imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost.

8.1
2022-05-23 CVE-2022-28998 Xlightftpd Out-of-bounds Write vulnerability in Xlightftpd Xlight FTP 3.9.3.2

Xlight FTP v3.9.3.2 was discovered to contain a stack-based buffer overflow which allows attackers to leak sensitive information via crafted code.

8.1
2022-05-29 CVE-2022-1927 VIM
Fedoraproject
Apple
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
7.8
2022-05-27 CVE-2022-1897 VIM
Fedoraproject
Apple
Debian
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
7.8
2022-05-27 CVE-2022-1898 VIM
Fedoraproject
Debian
Apple
Use After Free in GitHub repository vim/vim prior to 8.2.
7.8
2022-05-27 CVE-2022-28394 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro Password Manager

EOL Product CVE - Installer of Trend Micro Password Manager (Consumer) versions 3.7.0.1223 and below provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

7.8
2022-05-27 CVE-2022-30700 Trendmicro Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Apex ONE 2019

An incorrect permission assignment vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to load a DLL with escalated privileges on affected installations.

7.8
2022-05-27 CVE-2022-30701 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro Apex ONE 2019

An uncontrolled search path element vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to craft a special configuration file to load an untrusted library with escalated privileges on affected installations.

7.8
2022-05-26 CVE-2022-26739 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-26740 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-26741 Apple Classic Buffer Overflow vulnerability in Apple Macos

A buffer overflow issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26742 Apple Classic Buffer Overflow vulnerability in Apple Macos

A buffer overflow issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26744 Apple Out-of-bounds Write vulnerability in Apple Iphone OS

A memory corruption issue was addressed with improved state management.

7.8
2022-05-26 CVE-2022-26747 Apple Unspecified vulnerability in Apple Xcode

This issue was addressed with improved checks.

7.8
2022-05-26 CVE-2022-26749 Apple Classic Buffer Overflow vulnerability in Apple Macos

A buffer overflow issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26750 Apple Classic Buffer Overflow vulnerability in Apple Macos

A buffer overflow issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26751 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

7.8
2022-05-26 CVE-2022-26752 Apple Classic Buffer Overflow vulnerability in Apple Macos

A buffer overflow issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26753 Apple Classic Buffer Overflow vulnerability in Apple Macos

A buffer overflow issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26754 Apple Classic Buffer Overflow vulnerability in Apple Macos

A buffer overflow issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26756 Apple Out-of-bounds Write vulnerability in Apple mac OS X

An out-of-bounds write issue was addressed with improved input validation.

7.8
2022-05-26 CVE-2022-26757 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

7.8
2022-05-26 CVE-2022-26761 Apple Out-of-bounds Write vulnerability in Apple mac OS X

A memory corruption issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-26763 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

An out-of-bounds access issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-26768 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

7.8
2022-05-26 CVE-2022-26769 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

A memory corruption issue was addressed with improved input validation.

7.8
2022-05-26 CVE-2022-26770 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue was addressed with improved input validation.

7.8
2022-05-26 CVE-2022-26771 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

7.8
2022-05-26 CVE-2022-26772 Apple Out-of-bounds Write vulnerability in Apple Macos

A memory corruption issue was addressed with improved state management.

7.8
2022-05-26 CVE-2022-26774 Apple Unspecified vulnerability in Apple Itunes

A logic issue was addressed with improved state management.

7.8
2022-05-26 CVE-2022-29637 Iminho Unrestricted Upload of File with Dangerous Type vulnerability in Iminho Mindoc 2.1

An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file.

7.8
2022-05-26 CVE-2022-26702 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

7.8
2022-05-26 CVE-2022-26704 Apple Link Following vulnerability in Apple mac OS X and Macos

A validation issue existed in the handling of symlinks and was addressed with improved validation of symlinks.

7.8
2022-05-26 CVE-2022-26714 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

7.8
2022-05-26 CVE-2022-26715 Apple Out-of-bounds Write vulnerability in Apple mac OS X

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-26718 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read issue was addressed with improved input validation.

7.8
2022-05-26 CVE-2022-26720 Apple Out-of-bounds Write vulnerability in Apple mac OS X

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-26721 Apple Improper Initialization vulnerability in Apple mac OS X

A memory initialization issue was addressed.

7.8
2022-05-26 CVE-2022-26722 Apple Improper Initialization vulnerability in Apple mac OS X

A memory initialization issue was addressed.

7.8
2022-05-26 CVE-2022-26736 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-26737 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-26738 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-22672 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved memory handling.

7.8
2022-05-26 CVE-2022-22675 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

7.8
2022-05-26 CVE-2022-1882 Linux
Netapp
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the Linux kernel’s pipes functionality in how a user performs manipulations with the pipe post_one_notification() after free_pipe_info() that is already called.

7.8
2022-05-26 CVE-2022-30784 Tuxera
Debian
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value in NTFS-3G through 2021.8.22.

7.8
2022-05-26 CVE-2022-30786 Tuxera
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate in NTFS-3G through 2021.8.22.

7.8
2022-05-26 CVE-2022-30788 Tuxera
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22.

7.8
2022-05-26 CVE-2022-30789 Tuxera
Debian
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array in NTFS-3G through 2021.8.22.

7.8
2022-05-26 CVE-2022-1886 VIM
Fedoraproject
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
7.8
2022-05-25 CVE-2022-1851 VIM
Fedoraproject
Debian
Apple
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
7.8
2022-05-24 CVE-2022-29333 Cyberlink Improper Privilege Management vulnerability in Cyberlink Powerdirector 14.0

A vulnerability in CyberLink Power Director v14 allows attackers to escalate privileges via a crafted .exe file.

7.8
2022-05-24 CVE-2021-3717 Redhat Files or Directories Accessible to External Parties vulnerability in Redhat products

A flaw was found in Wildfly.

7.8
2022-05-24 CVE-2021-42612 Halibut Project
Fedoraproject
Use After Free vulnerability in multiple products

A use after free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have other unspecified impact via a crafted text document.

7.8
2022-05-24 CVE-2021-42613 Halibut Project
Fedoraproject
Double Free vulnerability in multiple products

A double free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted text document.

7.8
2022-05-24 CVE-2021-42614 Halibut Project
Fedoraproject
Use After Free vulnerability in multiple products

A use after free in info_width_internal in bk_info.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted text document.

7.8
2022-05-24 CVE-2021-32965 Deltaww Unspecified vulnerability in Deltaww Diascreen

Delta Electronics DIAScreen versions prior to 1.1.0 are vulnerable to type confusion, which may allow an attacker to remotely execute arbitrary code.

7.8
2022-05-24 CVE-2021-32969 Deltaww Out-of-bounds Write vulnerability in Deltaww Diascreen

Delta Electronics DIAScreen versions prior to 1.1.0 are vulnerable to an out-of-bounds write condition, which may result in a system crash or allow an attacker to remotely execute arbitrary code.

7.8
2022-05-24 CVE-2022-26531 Zyxel Improper Input Validation vulnerability in Zyxel products

Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.

7.8
2022-05-24 CVE-2022-26532 Zyxel OS Command Injection vulnerability in Zyxel products

A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the CLI command.

7.8
2022-05-27 CVE-2022-25878 Protobufjs Project Unspecified vulnerability in Protobufjs Project Protobufjs

The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype.

7.5
2022-05-26 CVE-2022-26701 Apple Race Condition vulnerability in Apple products

A race condition was addressed with improved locking.

7.5
2022-05-26 CVE-2022-22673 Apple Unspecified vulnerability in Apple Iphone OS

This issue was addressed with improved checks.

7.5
2022-05-26 CVE-2022-30473 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC Series Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function form_fast_setting_wifi_set

7.5
2022-05-26 CVE-2022-30475 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/WifiExtraSet request.

7.5
2022-05-26 CVE-2022-29720 74Cms Files or Directories Accessible to External Parties vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain an arbitrary file read vulnerability via the component \index\controller\Download.php.

7.5
2022-05-26 CVE-2022-29721 74Cms SQL Injection vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/jobfairol/resumelist.

7.5
2022-05-26 CVE-2021-42859 Mini XML Project Missing Release of Resource after Effective Lifetime vulnerability in Mini-Xml Project Mini-Xml 3.2

A memory leak issue was discovered in Mini-XML v3.2 that could cause a denial of service.

7.5
2022-05-26 CVE-2021-42860 Mini XML Project Missing Release of Resource after Effective Lifetime vulnerability in Mini-Xml Project Mini-Xml 3.2

A stack buffer overflow exists in Mini-XML v3.2.

7.5
2022-05-25 CVE-2022-26026 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112.

7.5
2022-05-25 CVE-2022-26043 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112.

7.5
2022-05-25 CVE-2022-26067 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112.

7.5
2022-05-25 CVE-2022-26077 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112.

7.5
2022-05-25 CVE-2022-26303 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112.

7.5
2022-05-25 CVE-2022-27169 Openautomationsoftware Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112

An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112.

7.5
2022-05-25 CVE-2022-30427 Ginadmin Project Path Traversal vulnerability in Ginadmin Project Ginadmin 1.0.1/20220510

In ginadmin through 05-10-2022 the incoming path value is not filtered, resulting in directory traversal.

7.5
2022-05-25 CVE-2022-30428 Ginadmin Project Files or Directories Accessible to External Parties vulnerability in Ginadmin Project Ginadmin 1.0.1/20220510

In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.

7.5
2022-05-25 CVE-2022-1678 Linux
Netapp
An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.
7.5
2022-05-25 CVE-2021-32966 Philips Unspecified vulnerability in Philips Interoperability Solution XDS

Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP system credentials.

7.5
2022-05-25 CVE-2021-32997 Bakerhughes Unspecified vulnerability in Bakerhughes products

The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No.

7.5
2022-05-25 CVE-2022-1815 Diagrams Server-Side Request Forgery (SSRF) vulnerability in Diagrams Drawio

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.

7.5
2022-05-24 CVE-2022-22497 IBM Unspecified vulnerability in IBM Aspera Faspex 4.4.1/5.0.0

IBM Aspera Faspex 4.4.1 and 5.0.0 could allow unauthorized access due to an incorrectly computed security token.

7.5
2022-05-24 CVE-2021-4230 Airfield Online Project Improper Authentication vulnerability in Airfield Online Project Airfield Online

A vulnerability has been found in Airfield Online and classified as problematic.

7.5
2022-05-24 CVE-2022-29249 Javaez Project Use of a Broken or Risky Cryptographic Algorithm vulnerability in Javaez Project Javaez 1.6

JavaEZ is a library that adds new functions to make Java easier.

7.5
2022-05-24 CVE-2022-29217 Pyjwt Project
Fedoraproject
PyJWT is a Python implementation of RFC 7519.
7.5
2022-05-24 CVE-2022-29219 Chainsafe Unspecified vulnerability in Chainsafe Lodestar

Lodestar is a TypeScript implementation of the Ethereum Consensus specification.

7.5
2022-05-24 CVE-2022-29242 Gost Engine Project Unspecified vulnerability in Gost Engine Project Gost Engine

GOST engine is a reference implementation of the Russian GOST crypto algorithms for OpenSSL.

7.5
2022-05-24 CVE-2022-29567 Vaadin Information Exposure vulnerability in Vaadin

The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.

7.5
2022-05-24 CVE-2022-31261 Morpheusdata XXE vulnerability in Morpheusdata Morpheus 5.2.16/5.4.0/5.4.4

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4.

7.5
2022-05-24 CVE-2022-29309 Mysiteforme Project Server-Side Request Forgery (SSRF) vulnerability in Mysiteforme Project Mysiteforme 2.2.1

mysiteforme v2.2.1 was discovered to contain a Server-Side Request Forgery.

7.5
2022-05-24 CVE-2022-29377 Totolink Out-of-bounds Write vulnerability in Totolink A3600R Firmware 4.1.2Cu.5182B20201102

Totolink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a stacker overflow in the fread function at infostat.cgi.

7.5
2022-05-23 CVE-2022-31487 Inoutscripts SQL Injection vulnerability in Inoutscripts Blockchain Altexchanger and Blockchain Fiatexchanger

Inout Blockchain AltExchanger 1.2.1 and Inout Blockchain FiatExchanger 2.2.1 allow Chart/TradingView/chart_content/master.php symbol SQL injection.

7.5
2022-05-23 CVE-2022-31488 Inoutscripts SQL Injection vulnerability in Inoutscripts Blockchain Altexchanger 1.2.1

Inout Blockchain AltExchanger 1.2.1 allows index.php/coins/update_marketboxslider marketcurrency SQL injection.

7.5
2022-05-23 CVE-2022-31489 Inoutscripts SQL Injection vulnerability in Inoutscripts Blockchain Altexchanger 1.2.1

Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.

7.5
2022-05-23 CVE-2022-28997 Cszcms Server-Side Request Forgery (SSRF) vulnerability in Cszcms 1.3.0

CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/.

7.5
2022-05-23 CVE-2022-28874 F Secure
Withsecure
Out-of-bounds Write vulnerability in multiple products

Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine.

7.5
2022-05-23 CVE-2022-31467 Quickheal Uncontrolled Search Path Element vulnerability in Quickheal Total Security 10.1.0.316/11.00/12.00

A DLL hijacking vulnerability in the installed for Quick Heal Total Security prior to 12.1.1.27 allows a local attacker to achieve privilege escalation, leading to execution of arbitrary code, via the installer not restricting the search path for required DLLs and then not verifying the signature of the DLLs it tries to load.

7.3
2022-05-26 CVE-2022-29661 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/save.

7.2
2022-05-26 CVE-2022-29662 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/news/save.

7.2
2022-05-26 CVE-2022-29663 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/hy.

7.2
2022-05-26 CVE-2022-29665 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/topic/save.

7.2
2022-05-26 CVE-2022-29666 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.

7.2
2022-05-26 CVE-2022-29670 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/del.

7.2
2022-05-26 CVE-2022-29676 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.

7.2
2022-05-26 CVE-2022-29680 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/zu_del.

7.2
2022-05-26 CVE-2022-29681 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del.

7.2
2022-05-26 CVE-2022-29682 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/vod/admin/topic/del.

7.2
2022-05-26 CVE-2022-29683 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/page_del.

7.2
2022-05-26 CVE-2022-29684 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/js_del.

7.2
2022-05-26 CVE-2022-29686 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/lists/zhuan.

7.2
2022-05-26 CVE-2022-29687 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.

7.2
2022-05-26 CVE-2022-29688 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/hy.

7.2
2022-05-26 CVE-2022-29689 Chshcms SQL Injection vulnerability in Chshcms Cscms Music Portal System 4.2

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/del.

7.2
2022-05-25 CVE-2022-22127 Tableau Unspecified vulnerability in Tableau Server

Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity Store for managing users.

7.2
2022-05-25 CVE-2022-29651 Online Food Ordering System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Food Ordering System Project Online Food Ordering System 1.0

An arbitrary file upload vulnerability in the Select Image function of Online Food Ordering System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

7.2
2022-05-24 CVE-2022-23050 Zohocorp Uncontrolled Search Path Element vulnerability in Zohocorp Manageengine Applications Manager

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

7.2
2022-05-24 CVE-2022-1837 Home Clean Services Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Home Clean Services Management System Project Home Clean Services Management System 1.0

A vulnerability was found in Home Clean Services Management System 1.0.

7.2
2022-05-24 CVE-2022-1838 Home Clean Services Management System Project SQL Injection vulnerability in Home Clean Services Management System Project Home Clean Services Management System 1.0

A vulnerability classified as critical has been found in Home Clean Services Management System 1.0.

7.2
2022-05-27 CVE-2022-20806 Cisco Information Exposure Through Log Files vulnerability in Cisco Telepresence Video Communication Server

Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to write files or disclose sensitive information on an affected device.

7.1
2022-05-27 CVE-2022-30687 Trendmicro Link Following vulnerability in Trendmicro Maximum Security 2022 17.7

Trend Micro Maximum Security 2022 is vulnerable to a link following vulnerability that could allow a low privileged local user to manipulate the product's secure erase feature to delete arbitrary files.

7.1
2022-05-26 CVE-2022-26773 Apple Unspecified vulnerability in Apple Itunes

A logic issue was addressed with improved state management.

7.1
2022-05-26 CVE-2022-26697 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue was addressed with improved input validation.

7.1
2022-05-26 CVE-2022-26698 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue was addressed with improved bounds checking.

7.1
2022-05-26 CVE-2022-21827 Citrix Improper Privilege Management vulnerability in Citrix Gateway Plug-In 12.158/12.158.15/13.061.48

An improper privilege vulnerability has been discovered in Citrix Gateway Plug-in for Windows (Citrix Secure Access for Windows) <21.9.1.2 what could allow an attacker who has gained local access to a computer with Citrix Gateway Plug-in installed, to corrupt or delete files as SYSTEM.

7.1
2022-05-24 CVE-2022-22977 Vmware XXE vulnerability in VMWare Tools

VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability.

7.1
2022-05-26 CVE-2022-26743 Apple Out-of-bounds Write vulnerability in Apple Macos

An out-of-bounds write issue was addressed with improved bounds checking.

7.0
2022-05-23 CVE-2022-31466 Quickheal Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Quickheal Total Security 10.1.0.316/11.00/12.00

Time of Check - Time of Use (TOCTOU) vulnerability in Quick Heal Total Security prior to 12.1.1.27 allows a local attacker to achieve privilege escalation, potentially leading to deletion of system files.

7.0

135 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-26 CVE-2022-26865 Dell Improper Authentication vulnerability in Dell Supportassist OS Recovery 5.5.1

Dell Support Assist OS Recovery versions before 5.5.2 contain an Authentication Bypass vulnerability.

6.8
2022-05-25 CVE-2022-29402 TP Link Missing Authentication for Critical Function vulnerability in Tp-Link Tl-Wr840N Firmware

TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console.

6.8
2022-05-25 CVE-2022-21951 Suse Unspecified vulnerability in Suse Rancher

A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI value overridden This issue affects: SUSE Rancher Rancher versions prior to 2.5.14; Rancher versions prior to 2.6.5.

6.8
2022-05-24 CVE-2022-22309 IBM Missing Authentication for Critical Function vulnerability in IBM Power System S922 Firmware

The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface.

6.8
2022-05-26 CVE-2022-26691 Apple
Debian
Fedoraproject
Openprinting
Incorrect Comparison vulnerability in multiple products

A logic issue was addressed with improved state management.

6.7
2022-05-26 CVE-2022-24417 Dell Improper Input Validation vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

6.7
2022-05-26 CVE-2022-24418 Dell Improper Input Validation vulnerability in Dell products

Dell BIOS contains an improper input validation vulnerability.

6.7
2022-05-26 CVE-2022-30783 Tuxera
Fedoraproject
Debian
Unchecked Return Value vulnerability in multiple products

An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite.

6.7
2022-05-26 CVE-2022-30785 Tuxera
Fedoraproject
Debian
A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through 2021.8.22 when using libfuse-lite.
6.7
2022-05-26 CVE-2022-30787 Tuxera
Fedoraproject
Debian
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

An integer underflow in fuse_lib_readdir enables arbitrary memory read operations in NTFS-3G through 2021.8.22 when using libfuse-lite.

6.7
2022-05-25 CVE-2022-29256 Sharp Project OS Command Injection vulnerability in Sharp Project Sharp

sharp is an application for Node.js image processing.

6.7
2022-05-27 CVE-2022-20807 Cisco Information Exposure Through Log Files vulnerability in Cisco Telepresence Video Communication Server

Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to write files or disclose sensitive information on an affected device.

6.5
2022-05-26 CVE-2022-30585 RSA Unspecified vulnerability in RSA Archer

The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an Authorization Bypass Vulnerability.

6.5
2022-05-26 CVE-2022-26726 Apple Unspecified vulnerability in Apple mac OS X

This issue was addressed with improved checks.

6.5
2022-05-26 CVE-2022-22662 Apple
Fedoraproject
A cookie management issue was addressed with improved state management.
6.5
2022-05-26 CVE-2022-30508 Dedecms Path Traversal vulnerability in Dedecms 5.7.93

DedeCMS v5.7.93 was discovered to contain arbitrary file deletion vulnerability in upload.php via the delete parameter.

6.5
2022-05-26 CVE-2022-24414 Dell Information Exposure vulnerability in Dell Cloudlink

Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests.

6.5
2022-05-26 CVE-2022-20809 Cisco Information Exposure Through Log Files vulnerability in Cisco Telepresence Video Communication Server

Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to write files or disclose sensitive information on an affected device.

6.5
2022-05-26 CVE-2022-20821 Cisco Unspecified vulnerability in Cisco IOS XR

A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.

6.5
2022-05-26 CVE-2021-42692 Tinytoml Project Out-of-bounds Write vulnerability in Tinytoml Project Tinytoml 0.4

There is a stack-overflow vulnerability in tinytoml v0.4 that can cause a crash or DoS.

6.5
2022-05-25 CVE-2022-31620 Libjpeg Project Reachable Assertion vulnerability in Libjpeg Project Libjpeg 1.63

In libjpeg before 1.64, BitStream<false>::Get in bitstream.hpp has an assertion failure that may cause denial of service.

6.5
2022-05-25 CVE-2021-27783 Hcltech Missing Encryption of Sensitive Data vulnerability in Hcltech Bigfix Mobile and Bigfix Modern Client Management

User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.

6.5
2022-05-25 CVE-2022-1348 Logrotate Project
Fedoraproject
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

A vulnerability was found in logrotate in how the state file is created.

6.5
2022-05-25 CVE-2022-28875 F Secure Improper Resource Shutdown or Release vulnerability in F-Secure products

A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant and in certain WithSecure products whereby the scanning the aemobile component can crash the scanning engine.

6.5
2022-05-25 CVE-2021-35487 Nokia SQL Injection vulnerability in Nokia Broadcast Message Center

Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter.

6.5
2022-05-25 CVE-2022-29405 Apache Unspecified vulnerability in Apache Archiva

In Apache Archiva, any registered user can reset password for any users.

6.5
2022-05-24 CVE-2021-42659 Tenda Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tenda AC9 Firmware 15.03.05.19(6318)/15.03.06.42Multi

There is a buffer overflow vulnerability in the Web server httpd of the router in Tenda router devices such as Tenda AC9 V1.0 V15.03.02.19(6318) and Tenda AC9 V3.0 V15.03.06.42_multi.

6.5
2022-05-24 CVE-2022-0910 Zyxel Improper Authentication vulnerability in Zyxel products

A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.

6.5
2022-05-23 CVE-2021-41714 Tipask Download of Code Without Integrity Check vulnerability in Tipask

In Tipask < 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage.

6.5
2022-05-23 CVE-2021-41834 Jfrog Unspecified vulnerability in Jfrog Artifactory

JFrog Artifactory prior to version 7.28.0 and 6.23.38, is vulnerable to Broken Access Control, the copy functionality can be used by a low-privileged user to read and copy any artifact that exists in the Artifactory deployment due to improper permissions validation.

6.5
2022-05-26 CVE-2022-26755 Apple Unspecified vulnerability in Apple mac OS X

This issue was addressed with improved environment sanitization.

6.3
2022-05-27 CVE-2022-20666 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20667 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20668 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20669 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20670 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20671 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20672 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20673 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-27 CVE-2022-20674 Cisco Cross-site Scripting vulnerability in Cisco Common Services Platform Collector

Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-05-26 CVE-2021-28508 Arista Cleartext Transmission of Sensitive Information vulnerability in Arista EOS and Terminattr

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols.

6.1
2022-05-26 CVE-2021-28509 Arista Cleartext Transmission of Sensitive Information vulnerability in Arista EOS and Terminattr

This advisory documents the impact of an internally found vulnerability in Arista EOS state streaming telemetry agent TerminAttr and OpenConfig transport protocols.

6.1
2022-05-26 CVE-2022-31648 Talend Cross-site Scripting vulnerability in Talend Administration Center 7.2.0/7.3.0/8.0.0

Talend Administration Center is vulnerable to a reflected Cross-Site Scripting (XSS) issue in the SSO login endpoint.

6.1
2022-05-26 CVE-2021-4232 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul ZOO Management System 1.0

A vulnerability classified as problematic has been found in Zoo Management System 1.0.

6.1
2022-05-26 CVE-2022-22577 Rubyonrails
Debian
Cross-site Scripting vulnerability in multiple products

An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.

6.1
2022-05-26 CVE-2022-27777 Rubyonrails
Debian
Cross-site Scripting vulnerability in multiple products

A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.

6.1
2022-05-26 CVE-2022-29091 Dell Cross-site Scripting vulnerability in Dell products

Dell Unity, Dell UnityVSA, and Dell UnityXT versions prior to 5.2.0.0.5.173 contain a Reflected Cross-Site Scripting Vulnerability in Unisphere GUI.

6.1
2022-05-25 CVE-2022-29251 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin.

6.1
2022-05-25 CVE-2022-29252 Xwiki Cross-site Scripting vulnerability in Xwiki

XWiki Platform Wiki UI Main Wiki is a package for managing subwikis.

6.1
2022-05-25 CVE-2022-29408 Vsourz Unspecified vulnerability in Vsourz Advanced CF7 DB

Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin <= 1.8.7 at WordPress.

6.1
2022-05-25 CVE-2021-32989 Lcds Unspecified vulnerability in Lcds Laquis Scada

When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.

6.1
2022-05-25 CVE-2022-29349 Keking Cross-site Scripting vulnerability in Keking Kkfileview 4.0.0

kkFileView v4.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.

6.1
2022-05-25 CVE-2022-29359 School Club Application System Project Cross-site Scripting vulnerability in School Club Application System Project School Club Application System 1.0

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

6.1
2022-05-25 CVE-2022-29710 Limesurvey Cross-site Scripting vulnerability in Limesurvey

A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.

6.1
2022-05-24 CVE-2021-32962 Aggsoft Unspecified vulnerability in Aggsoft Webserver

The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to cross-site scripting, which may allow an attacker to remotely execute arbitrary code.

6.1
2022-05-24 CVE-2022-30839 Room Rent Portal Site Project Cross-site Scripting vulnerability in Room Rent Portal Site Project Room Rent Portal Site 1.0

Room-rent-portal-site v1.0 is vulnerable to Cross Site Scripting (XSS) via /rrps/classes/Master.php?f=save_category, vehicle_name.

6.1
2022-05-24 CVE-2022-0734 Zyxel Cross-site Scripting vulnerability in Zyxel products

A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script.

6.1
2022-05-23 CVE-2022-29004 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul E-Diary Management System 1.0

Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.

6.1
2022-05-23 CVE-2022-29005 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Online Birth Certificate System 1.2

Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.

6.1
2022-05-23 CVE-2022-0346 Xmlsitemapgenerator Unspecified vulnerability in Xmlsitemapgenerator XML Sitemap Generator

The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.

6.1
2022-05-23 CVE-2022-1192 Turn OFF ALL Comments Project Unspecified vulnerability in Turn OFF ALL Comments Project Turn OFF ALL Comments 1.0

The Turn off all comments WordPress plugin through 1.0 does not sanitise and escape the rows parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

6.1
2022-05-23 CVE-2022-1218 Duogeek Cross-site Scripting vulnerability in Duogeek Domain Replace 1.3.8

The Domain Replace WordPress plugin through 1.3.8 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

6.1
2022-05-23 CVE-2022-1221 Gwyn S Imagemap Selector Project Unspecified vulnerability in Gwyn'S Imagemap Selector Project Gwyn'S Imagemap Selector 0.3.2/0.3.3

The Gwyn's Imagemap Selector WordPress plugin through 0.3.3 does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.

6.1
2022-05-23 CVE-2022-1268 Donate Extra Project Unspecified vulnerability in Donate Extra Project Donate Extra 2.02

The Donate Extra WordPress plugin through 2.02 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected cross-Site Scripting

6.1
2022-05-23 CVE-2022-1547 Wpchill Unspecified vulnerability in Wpchill Check & LOG Email

The Check & Log Email WordPress plugin before 1.0.6 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

6.1
2022-05-24 CVE-2021-3597 Redhat
Netapp
Race Condition vulnerability in multiple products

A flaw was found in undertow.

5.9
2022-05-24 CVE-2021-3629 Redhat
Netapp
Resource Exhaustion vulnerability in multiple products

A flaw was found in Undertow.

5.9
2022-05-26 CVE-2022-26745 Apple Out-of-bounds Write vulnerability in Apple Macos

A memory corruption issue was addressed with improved validation.

5.5
2022-05-26 CVE-2022-26746 Apple Unspecified vulnerability in Apple mac OS X

This issue was addressed by removing the vulnerable code.

5.5
2022-05-26 CVE-2022-26766 Apple Improper Certificate Validation vulnerability in Apple products

A certificate parsing issue was addressed with improved checks.

5.5
2022-05-26 CVE-2022-26767 Apple Incorrect Authorization vulnerability in Apple Macos

The issue was addressed with additional permissions checks.

5.5
2022-05-26 CVE-2022-26706 Apple Unspecified vulnerability in Apple products

An access issue was addressed with additional sandbox restrictions on third-party applications.

5.5
2022-05-26 CVE-2022-26712 Apple Unspecified vulnerability in Apple Macos

This issue was addressed by removing the vulnerable code.

5.5
2022-05-26 CVE-2022-26724 Apple Improper Authentication vulnerability in Apple Tvos

An authentication issue was addressed with improved state management.

5.5
2022-05-26 CVE-2022-26727 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved entitlements.

5.5
2022-05-26 CVE-2022-26728 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved entitlements.

5.5
2022-05-26 CVE-2022-22616 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved checks.

5.5
2022-05-26 CVE-2022-22663 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks to prevent unauthorized actions.

5.5
2022-05-26 CVE-2022-22674 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue existed that led to the disclosure of kernel memory.

5.5
2022-05-26 CVE-2022-22676 Apple Unspecified vulnerability in Apple Macos 12.0.0/12.0.1/12.1

An event handler validation issue in the XPC Services API was addressed by removing the service.

5.5
2022-05-25 CVE-2022-31650 SOX Project Incorrect Comparison vulnerability in SOX Project SOX 14.4.2

In SoX 14.4.2, there is a floating-point exception in lsx_aiffstartwrite in aiff.c in libsox.a.

5.5
2022-05-25 CVE-2022-31651 SOX Project Reachable Assertion vulnerability in SOX Project SOX 14.4.2

In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.

5.5
2022-05-25 CVE-2022-31621 Mariadb Improper Locking vulnerability in Mariadb

MariaDB Server before 10.7 is vulnerable to Denial of Service.

5.5
2022-05-25 CVE-2022-31622 Mariadb Improper Locking vulnerability in Mariadb

MariaDB Server before 10.7 is vulnerable to Denial of Service.

5.5
2022-05-25 CVE-2022-31623 Mariadb Improper Locking vulnerability in Mariadb

MariaDB Server before 10.7 is vulnerable to Denial of Service.

5.5
2022-05-25 CVE-2022-31624 Mariadb Improper Locking vulnerability in Mariadb

MariaDB Server before 10.7 is vulnerable to Denial of Service.

5.5
2022-05-25 CVE-2021-44974 Radare NULL Pointer Dereference vulnerability in Radare Radare2

radareorg radare2 version 5.5.2 is vulnerable to NULL Pointer Dereference via libr/bin/p/bin_symbols.c binary symbol parser.

5.5
2022-05-25 CVE-2022-29358 Epub2Txt2 Project Integer Overflow or Wraparound vulnerability in Epub2Txt2 Project Epub2Txt2 2.04

epub2txt2 v2.04 was discovered to contain an integer overflow via the function bug in _parse_special_tag at sxmlc.c.

5.5
2022-05-24 CVE-2021-44975 Radare Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Radare Radare2 5.5.2

radareorg radare2 5.5.2 is vulnerable to Buffer Overflow via /libr/core/anal_objc.c mach-o parser.

5.5
2022-05-23 CVE-2021-32958 Claroty Unspecified vulnerability in Claroty Secure Remote Access 3.0/3.2

Successful exploitation of this vulnerability on Claroty Secure Remote Access (SRA) Site versions 3.0 through 3.2 allows an attacker with local command line interface access to gain the secret key, subsequently allowing them to generate valid session tokens for the web user interface (UI).

5.5
2022-05-29 CVE-2022-1928 Gitea Cross-site Scripting vulnerability in Gitea

Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.

5.4
2022-05-27 CVE-2022-20802 Cisco Cross-site Scripting vulnerability in Cisco Enterprise Chat and Email

A vulnerability in the web interface of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

5.4
2022-05-27 CVE-2022-1909 Organizr Cross-site Scripting vulnerability in Organizr

Cross-site Scripting (XSS) - Stored in GitHub repository causefx/organizr prior to 2.1.2200.

5.4
2022-05-26 CVE-2022-30494 Automotive Shop Management System Project Cross-site Scripting vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0

In oretnom23 Automotive Shop Management System v1.0, the first and last name user fields suffer from a stored XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.

5.4
2022-05-26 CVE-2021-4231 Angular Cross-site Scripting vulnerability in Angular

A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2.

5.4
2022-05-25 CVE-2022-29362 Zkeacms Cross-site Scripting vulnerability in Zkeacms 3.5.2

A cross-site scripting (XSS) vulnerability in /navigation/create?ParentID=%23 of ZKEACMS v3.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ParentID parameter.

5.4
2022-05-24 CVE-2022-1849 Filegator Session Fixation vulnerability in Filegator

Session Fixation in GitHub repository filegator/filegator prior to 7.8.0.

5.4
2022-05-24 CVE-2022-29237 Apereo Unspecified vulnerability in Apereo Opencast

Opencast is a free and open source solution for automated video capture and distribution at scale.

5.4
2022-05-24 CVE-2022-30842 Covid 19 Travel Pass Management System Project Cross-site Scripting vulnerability in Covid 19 Travel Pass Management System Project Covid 19 Travel Pass Management System 1.0

Covid-19 Travel Pass Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /ctpms/classes/Users.php?f=save, firstname.

5.4
2022-05-24 CVE-2022-30458 Automotive Shop Management System Project Cross-site Scripting vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0

Automotive Shop Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /asms/classes/Master.php?f=save_product, name.

5.4
2022-05-24 CVE-2022-30460 Simple Social Networking Site Project Cross-site Scripting vulnerability in Simple Social Networking Site Project Simple Social Networking Site 1.0

Simple Social Networking Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /sns/classes/Users.php?f=save, firstname.

5.4
2022-05-24 CVE-2022-30462 Water Billing System Project Cross-site Scripting vulnerability in Water Billing System Project Water Billing System 1.0

Water-billing-management-system v1.0 is affected by: Cross Site Scripting (XSS) via /wbms/classes/Users.php?f=save, firstname.

5.4
2022-05-24 CVE-2022-30464 Chatbot APP With Suggestion Project Cross-site Scripting vulnerability in Chatbot APP With Suggestion Project Chatbot APP With Suggestion 1.0

ChatBot App with Suggestion in PHP/OOP v1.0 is vulnerable to Cross Site Scripting (XSS) via /simple_chat_bot/classes/Master.php?f=save_response.

5.4
2022-05-24 CVE-2022-30837 Toll TAX Management System Project Cross-site Scripting vulnerability in Toll TAX Management System Project Toll TAX Management System 1.0

Toll-tax-management-system v1.0 is vulnerable to Cross Site Scripting (XSS) via /ttms/classes/Master.php?f=save_recipient, vehicle_name.

5.4
2022-05-24 CVE-2021-42656 Sscms Cross-site Scripting vulnerability in Sscms Siteserver CMS 6.15.51

SiteServer CMS V6.15.51 is affected by a Cross Site Scripting (XSS) vulnerability.

5.4
2022-05-24 CVE-2022-30456 Badminton Center Management System Project Cross-site Scripting vulnerability in Badminton Center Management System Project Badminton Center Management System 1.0

Badminton Center Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /bcms/classes/Master.php?f=save_court_rental.

5.4
2022-05-23 CVE-2022-30015 Simple Food Website Project Cross-site Scripting vulnerability in Simple Food Website Project Simple Food Website 1.0

In Simple Food Website 1.0, a moderation can put the Cross Site Scripting Payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php like Full Username, etc .This causes stored xss.

5.4
2022-05-23 CVE-2021-42233 Simple Blog Project Cross-site Scripting vulnerability in Simple Blog Project Simple Blog

The Simple Blog plugin in Wondercms 3.4.1 is vulnerable to stored cross-site scripting (XSS) vulnerability.

5.4
2022-05-23 CVE-2022-30017 Rescue Dispatch Management System Project Cross-site Scripting vulnerability in Rescue Dispatch Management System Project Rescue Dispatch Management System 1.0

Rescue Dispatch Management System 1.0 suffers from Stored XSS, leading to admin account takeover via cookie stealing.

5.4
2022-05-23 CVE-2022-1811 Publify Project Unrestricted Upload of File with Dangerous Type vulnerability in Publify Project Publify

Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9.

5.4
2022-05-23 CVE-2022-1816 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul ZOO Management System 1.0

A vulnerability, which was classified as problematic, has been found in Zoo Management System 1.0.

5.4
2022-05-23 CVE-2022-1817 Badminton Center Management System Project Cross-site Scripting vulnerability in Badminton Center Management System Project Badminton Center Management System 1.0

A vulnerability, which was classified as problematic, was found in Badminton Center Management System.

5.4
2022-05-23 CVE-2022-1825 Collectiveaccess Cross-site Scripting vulnerability in Collectiveaccess Providence

Cross-site Scripting (XSS) - Reflected in GitHub repository collectiveaccess/providence prior to 1.8.

5.4
2022-05-27 CVE-2021-27780 Hcltech Unspecified vulnerability in Hcltech Bigfix Mobile and Modern Client Management

The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment.

5.3
2022-05-26 CVE-2022-26725 Apple Unspecified vulnerability in Apple Macos

A logic issue was addressed with improved state management.

5.3
2022-05-24 CVE-2021-32964 Aggsoft Path Traversal vulnerability in Aggsoft Webserver

The AGG Software Web Server version 4.0.40.1014 and prior is vulnerable to a path traversal attack, which may allow an attacker to read arbitrary files from the file system.

5.3
2022-05-24 CVE-2022-22306 Fortinet Improper Certificate Validation vulnerability in Fortinet Fortios

An improper certificate validation vulnerability [CWE-295] in FortiOS 6.0.0 through 6.0.14, 6.2.0 through 6.2.10, 6.4.0 through 6.4.8, 7.0.0 may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the FortiGate and some peers such as private SDNs and external cloud platforms.

5.3
2022-05-24 CVE-2022-1848 Erudika Unspecified vulnerability in Erudika Para

Business Logic Errors in GitHub repository erudika/para prior to 1.45.11.

5.3
2022-05-24 CVE-2022-31263 Joinmastodon Unspecified vulnerability in Joinmastodon Mastodon

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

5.3
2022-05-27 CVE-2021-27781 Hcltech Cross-site Scripting vulnerability in Hcltech Bigfix Mobile and Modern Client Management

The Master operator may be able to embed script tag in HTML with alert pop-up display cookie.

4.8
2022-05-27 CVE-2022-20765 Cisco Cross-site Scripting vulnerability in Cisco UCS Director

A vulnerability in the web applications of Cisco UCS Director could allow an authenticated, remote attacker to conduct a cross-site scripting attack on an affected system.

4.8
2022-05-25 CVE-2022-29380 Creativeitem Cross-site Scripting vulnerability in Creativeitem Academy LMS 4.3

Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel.

4.8
2022-05-24 CVE-2022-1819 Student Information System Project Cross-site Scripting vulnerability in Student Information System Project Student Information System 1.0

A vulnerability, which was classified as problematic, was found in Student Information System 1.0.

4.8
2022-05-24 CVE-2022-1840 Home Clean Services Management System Project Cross-site Scripting vulnerability in Home Clean Services Management System Project Home Clean Services Management System 1.0

A vulnerability, which was classified as problematic, has been found in Home Clean Services Management System 1.0.

4.8
2022-05-23 CVE-2022-1093 Joomunited Unspecified vulnerability in Joomunited WP Meta SEO

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed.

4.8
2022-05-23 CVE-2022-1298 Wpshopmart Unspecified vulnerability in Wpshopmart Tabs Responsive

The Tabs WordPress plugin before 2.2.8 does not sanitise and escape Tab descriptions, which could allow high privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2022-05-23 CVE-2022-1320 10Web Unspecified vulnerability in 10Web Sliderby10Web

The Sliderby10Web WordPress plugin before 1.2.52 does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2022-05-23 CVE-2022-1558 Curtain Project Unspecified vulnerability in Curtain Project Curtain 1.0.2

The Curtain WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

4.8
2022-05-26 CVE-2022-26764 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

4.7
2022-05-26 CVE-2022-26765 Apple Race Condition vulnerability in Apple products

A race condition was addressed with improved state handling.

4.7
2022-05-26 CVE-2022-26690 Apple Race Condition vulnerability in Apple Macos

Description: A race condition was addressed with additional validation.

4.7
2022-05-26 CVE-2022-29082 Dell Improper Certificate Validation vulnerability in Dell EMC Networker

Dell EMC NetWorker versions 19.1.x, 19.1.0.x, 19.1.1.x, 19.2.x, 19.2.0.x, 19.2.1.x 19.3.x, 19.3.0.x, 19.4.x, 19.4.0.x, 19.5.x,19.5.0.x, 19.6 and 19.6.0.1 and 19.6.0.2 contain an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port 5671 which could allow remote attackers to spoof certificates.

4.6
2022-05-26 CVE-2022-26688 Apple Link Following vulnerability in Apple mac OS X and Macos

An issue in the handling of symlinks was addressed with improved validation.

4.4
2022-05-26 CVE-2022-26731 Apple Unspecified vulnerability in Apple Iphone OS and Macos

A logic issue was addressed with improved state management.

4.3
2022-05-23 CVE-2022-1810 Publify Project Unspecified vulnerability in Publify Project Publify

Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-05-25 CVE-2022-29253 Xwiki Path Traversal vulnerability in Xwiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

2.7
2022-05-26 CVE-2022-26703 Apple Unspecified vulnerability in Apple Iphone OS

An authorization issue was addressed with improved state management.

2.4