Weekly Vulnerabilities Reports > June 20 to 26, 2022

Overview

410 new vulnerabilities reported during this period, including 26 critical vulnerabilities and 67 high severity vulnerabilities. This weekly summary report vulnerabilities in 333 products from 178 vendors including Jenkins, IBM, Prison Management System Project, Hindu Matrimonial Script Project, and 74Cms. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Improper Privilege Management", "Cross-Site Request Forgery (CSRF)", and "Path Traversal".

  • 372 reported vulnerabilities are remotely exploitables.
  • 18 reported vulnerabilities have public exploit available.
  • 174 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 257 reported vulnerabilities are exploitable by an anonymous user.
  • Jenkins has the most reported vulnerabilities, with 44 reported vulnerabilities.
  • Bosch has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

26 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-06-24 CVE-2022-31767 IBM OS Command Injection vulnerability in IBM Cics TX 11.1

IBM CICS TX Standard and Advanced 11.1 could allow a remote attacker to execute arbitrary commands on the system by sending a specially crafted request.

10.0
2022-06-24 CVE-2022-1517 Illumina Code Injection vulnerability in Illumina Local RUN Manager 1.3/2.0/3.1

LRM utilizes elevated privileges.

10.0
2022-06-24 CVE-2022-1519 Illumina Unrestricted Upload of File with Dangerous Type vulnerability in Illumina Local RUN Manager 1.3/2.0/3.1

LRM does not restrict the types of files that can be uploaded to the affected product.

10.0
2022-06-24 CVE-2022-1668 Secheron Weak Password Requirements vulnerability in Secheron Sepcos Control and Protection Relay Firmware

Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH.

10.0
2022-06-23 CVE-2021-26638 Xisnd Improper Authentication vulnerability in Xisnd S&D Smarthome 3.2.48

Improper Authentication vulnerability in S&D smarthome(smartcare) application can cause authentication bypass and information exposure.

10.0
2022-06-23 CVE-2022-32534 Bosch Injection vulnerability in Bosch Pra-Es8P2S Firmware 1.01.05

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 and earlier was found to be vulnerable to command injection through its diagnostics web interface.

10.0
2022-06-23 CVE-2022-32535 Bosch Improper Privilege Management vulnerability in Bosch Pra-Es8P2S Firmware 1.01.05

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege.

10.0
2022-06-23 CVE-2022-32554 Purestorage Unspecified vulnerability in Purestorage Purity//Fa and Purity//Fb

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to possibly exposed credentials for accessing the product’s management interface.

10.0
2022-06-21 CVE-2022-26147 Quectel OS Command Injection vulnerability in Quectel Rg502Q-Ea Firmware

The Quectel RG502Q-EA modem before 2022-02-23 allow OS Command Injection.

10.0
2022-06-21 CVE-2022-2068 Openssl
Debian
OS Command Injection vulnerability in multiple products

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.

10.0
2022-06-21 CVE-2022-31800 Phoenixcontact Insufficient Verification of Data Authenticity vulnerability in Phoenixcontact products

An unauthenticated, remote attacker could upload malicious logic to devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.

10.0
2022-06-21 CVE-2022-31801 Phoenixcontact
Phoenixcontact Software
Insufficient Verification of Data Authenticity vulnerability in multiple products

An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.

10.0
2022-06-20 CVE-2022-31794 Fujitsu OS Command Injection vulnerability in Fujitsu Eternus Cs8000 Firmware 8.1

An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04.

10.0
2022-06-20 CVE-2022-31795 Fujitsu OS Command Injection vulnerability in Fujitsu Eternus Cs8000 Firmware 8.1

An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04.

10.0
2022-06-24 CVE-2022-30885 ESA Unspecified vulnerability in ESA Pyesasky

The pyesasky for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party.

9.8
2022-06-24 CVE-2021-38945 IBM
Netapp
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 could allow a remote attacker to upload arbitrary files, caused by improper content validation.

9.8
2022-06-21 CVE-2022-29774 Ispyconnect Path Traversal vulnerability in Ispyconnect Ispy 7.2.2.0

iSpy v7.2.2.0 is vulnerable to remote command execution via path traversal.

9.8
2022-06-21 CVE-2022-33139 Siemens Use of Client-Side Authentication vulnerability in Siemens Wincc Open Architecture 3.16/3.17/3.18

A vulnerability has been identified in Cerberus DMS (All versions), Desigo CC (All versions), Desigo CC Compact (All versions), SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration).

9.8
2022-06-25 CVE-2019-25071 Apple Unspecified vulnerability in Apple Iphone OS

A vulnerability was found in Apple iPhone up to 12.4.1.

9.3
2022-06-24 CVE-2021-41635 Melag Incorrect Default Permissions vulnerability in Melag FTP Server 2.2.0.4

When installed as Windows service MELAG FTP Server 2.2.0.4 is run as SYSTEM user, which grants remote attackers to abuse misconfigurations or vulnerabilities with administrative access over the entire host system.

9.0
2022-06-23 CVE-2022-31395 Algosolutions Path Traversal vulnerability in Algosolutions 8373 IP Zone Paging Adapter Firmware 1.7.6

Algo Communication Products Ltd.

9.0
2022-06-23 CVE-2022-32536 Bosch Improper Privilege Management vulnerability in Bosch Pra-Es8P2S Firmware 1.01.05

The user access rights validation in the web server of the Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 was insufficient.

9.0
2022-06-23 CVE-2022-32552 Purestorage Unspecified vulnerability in Purestorage Purity//Fa and Purity//Fb

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges.

9.0
2022-06-23 CVE-2022-32553 Purestorage Unspecified vulnerability in Purestorage Purity//Fa and Purity//Fb

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges.

9.0
2022-06-21 CVE-2022-23171 Atlasvpn Improper Privilege Management vulnerability in Atlasvpn 2.4.2

AtlasVPN - Privilege Escalation Lack of proper security controls on named pipe messages can allow an attacker with low privileges to send a malicious payload and gain SYSTEM permissions on a windows computer where the AtlasVPN client is installed.

9.0
2022-06-21 CVE-2022-32973 Tenable Unspecified vulnerability in Tenable Nessus

An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.

9.0

67 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-06-23 CVE-2022-34200 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform 1.0/1.1

A cross-site request forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers to connect to an attacker-specified URL.

8.8
2022-06-24 CVE-2013-1916 User Photo Project Unrestricted Upload of File with Dangerous Type vulnerability in User Photo Project User Photo 0.9.4

In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress.

8.5
2022-06-25 CVE-2022-24893 Espressif Out-of-bounds Write vulnerability in Espressif Esp-Idf

ESP-IDF is the official development framework for Espressif SoCs.

8.3
2022-06-24 CVE-2022-1965 Codesys Improper Handling of Exceptional Conditions vulnerability in Codesys Plcwinnt and Runtime Toolkit

Multiple products of CODESYS implement a improper error handling.

8.1
2022-06-24 CVE-2022-1667 Secheron Unspecified vulnerability in Secheron Sepcos Control and Protection Relay Firmware

Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script

7.8
2022-06-20 CVE-2022-1720 VIM
Debian
Fedoraproject
Apple
Buffer Over-read vulnerability in multiple products

Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956.

7.8
2022-06-20 CVE-2021-45918 NHI Out-of-bounds Write vulnerability in NHI Health Insurance web Service Component

NHI’s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack.

7.8
2022-06-24 CVE-2022-32996 Pypi Unspecified vulnerability in Pypi Django-Navbar-Client

The django-navbar-client package of v0.9.50 to v1.0.1 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-32997 Pypi Unspecified vulnerability in Pypi Rootinteractive 0.0.19

The RootInteractive package in PyPI v0.0.5 to v0.0.19b0 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-32998 Pypi Unspecified vulnerability in Pypi Cryptoasset-Data-Downloader

The cryptoasset-data-downloader package in PyPI v1.0.0 to v1.0.1 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-32999 Pypi Unspecified vulnerability in Pypi Cloudlabeling 0.0.1

The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-33000 Pypi Unspecified vulnerability in Pypi Ml-Scanner

The ML-Scanner package in PyPI v0.1.0 to v0.1.5 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-33001 Pypi Unspecified vulnerability in Pypi Aamiles 0.1.0

The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-33002 Pypi Unspecified vulnerability in Pypi Explore

The KGExplore package in PyPI v0.1.1 to v0.1.2 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-33003 Pypi Unspecified vulnerability in Pypi Watools

The watools package in PyPI v0.0.1 to v0.0.8 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-33004 Pypi Unspecified vulnerability in Pypi Beginner

The Beginner package in PyPI v0.0.2 to v0.0.4 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-34053 Pypi Unspecified vulnerability in Pypi Dr-Web-Engine 0.2.0

The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-34054 Pypi Unspecified vulnerability in Pypi Perdido

The Perdido package in PyPI v0.0.1 to v0.0.2 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-34055 Pypi Unspecified vulnerability in Pypi Drxhello 0.0.1

The drxhello package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-34056 Pypi Unspecified vulnerability in Pypi Watertools 0.0.0

The Watertools package in PyPI v0.0.0 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-34057 Scoptrial Project Unspecified vulnerability in Scoptrial Project Scoptrial 0.0.5

The Scoptrial package in PyPI version v0.0.5 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-34059 Sixfab Tool Project Unspecified vulnerability in Sixfab-Tool Project Sixfab-Tool 0.0.2/0.0.3

The Sixfab-Tool in PyPI v0.0.2 to v0.0.3 was discovered to contain a code execution backdoor via the request package.

7.5
2022-06-24 CVE-2022-34060 Togglee Unspecified vulnerability in Togglee 0.0.8

The Togglee package in PyPI version v0.0.8 was discovered to contain a code execution backdoor.

7.5
2022-06-24 CVE-2022-34061 Catly Translate Project Unspecified vulnerability in Catly Translate Project Catly Translate

The Catly-Translate package in PyPI v0.0.3 to v0.0.5 was discovered to contain a code execution backdoor.

7.5
2022-06-24 CVE-2022-34064 Zibal Project Unspecified vulnerability in Zibal Project Zibal 1.0.0

The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor.

7.5
2022-06-24 CVE-2022-34065 Rondolu YT Concate Project Unspecified vulnerability in Rondolu-Yt-Concate Project Rondolu-Yt-Concate 0.1.0

The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a code execution backdoor.

7.5
2022-06-24 CVE-2022-34066 Texercise Project Unspecified vulnerability in Texercise Project Texercise

The Texercise package in PyPI v0.0.1 to v0.0.12 was discovered to contain a code execution backdoor.

7.5
2022-06-24 CVE-2022-21231 Deep GET SET Project Unspecified vulnerability in Deep-Get-Set Project Deep-Get-Set

All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function.

7.5
2022-06-24 CVE-2021-39409 Online Student Rate System Project Incorrect Permission Assignment for Critical Resource vulnerability in Online Student Rate System Project Online Student Rate System 1.0

A vulnerability exists in Online Student Rate System v1.0 that allows any user to register as an administrator without needing to be authenticated.

7.5
2022-06-24 CVE-2022-22390 IBM Improper Privilege Management vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an information disclosure caused by improper privilege management when table function is used.

7.5
2022-06-24 CVE-2022-1518 Illumina Path Traversal vulnerability in Illumina Local RUN Manager 1.3/2.0/3.1

LRM contains a directory traversal vulnerability that can allow a malicious actor to upload outside the intended directory structure.

7.5
2022-06-24 CVE-2022-21829 Concretecms Cleartext Transmission of Sensitive Information vulnerability in Concretecms Concrete CMS

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE.

7.5
2022-06-24 CVE-2022-28620 HPE Improper Authentication vulnerability in HPE products

A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27; All Slingshot versions prior to 1.7.2; All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27.

7.5
2022-06-24 CVE-2022-2104 Secheron Unspecified vulnerability in Secheron Sepcos Control and Protection Relay Firmware

The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash).

7.5
2022-06-24 CVE-2022-2119 Offis Path Traversal vulnerability in Offis Dcmtk

OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names.

7.5
2022-06-24 CVE-2022-2120 Offis Path Traversal vulnerability in Offis Dcmtk

OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names.

7.5
2022-06-24 CVE-2022-31802 Codesys Partial String Comparison vulnerability in Codesys Gateway

In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only a part of the the specified password is been compared to the real CODESYS Gateway password.

7.5
2022-06-24 CVE-2017-20095 Simple ADS Manager Project Code Injection vulnerability in Simple ADS Manager Project Simple ADS Manager 2.9.8.125

A vulnerability classified as critical was found in Simple Ads Manager Plugin.

7.5
2022-06-23 CVE-2021-26637 Shinasys Improper Authentication vulnerability in Shinasys products

There is no account authentication and permission check logic in the firmware and existing apps of SiHAS's SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device.

7.5
2022-06-23 CVE-2021-40954 Laiketui Unrestricted Upload of File with Dangerous Type vulnerability in Laiketui 3.5.0

Laiketui 3.5.0 is affected by an arbitrary file upload vulnerability that can allow an attacker to execute arbitrary code.

7.5
2022-06-23 CVE-2022-31361 Docebo SQL Injection vulnerability in Docebo 4.0.5

** UNSUPPORTED WHEN ASSIGNED ** Docebo Community Edition v4.0.5 and below was discovered to contain a SQL injection vulnerability.

7.5
2022-06-23 CVE-2022-31787 Ideaco SQL Injection vulnerability in Ideaco Ideatms 2022

IdeaTMS 2022 is vulnerable to SQL Injection via the PATH_INFO

7.5
2022-06-23 CVE-2022-33105 Redis Memory Leak vulnerability in Redis 7.0

Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID.

7.5
2022-06-23 CVE-2022-33127 Diffy Project Unspecified vulnerability in Diffy Project Diffy 3.4.1

The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a windows environment.

7.5
2022-06-23 CVE-2022-34175 Jenkins Unspecified vulnerability in Jenkins

Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.

7.5
2022-06-21 CVE-2022-29775 Ispyconnect Improper Authentication vulnerability in Ispyconnect Ispy 7.2.2.0

iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL.

7.5
2022-06-21 CVE-2022-31374 Contec Unrestricted Upload of File with Dangerous Type vulnerability in Contec Sv-Cpt-Mc310 Firmware 6.0

An arbitrary file upload vulnerability /images/background/1.php in of SolarView Compact 6.0 allows attackers to execute arbitrary code via a crafted php file.

7.5
2022-06-21 CVE-2017-20067 Hindu Matrimonial Script Project SQL Injection vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability was found in Hindu Matrimonial Script.

7.5
2022-06-20 CVE-2022-22317 IBM Insufficient Session Expiration vulnerability in IBM Curam Social Program Management 8.0.0/8.0.1

IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

7.5
2022-06-20 CVE-2022-2128 Trudesk Project Unrestricted Upload of File with Dangerous Type vulnerability in Trudesk Project Trudesk

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.4.

7.5
2022-06-20 CVE-2022-1905 E Dynamics SQL Injection vulnerability in E-Dynamics Events Made Easy

The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

7.5
2022-06-20 CVE-2022-2023 Trudesk Project Improper Privilege Management vulnerability in Trudesk Project Trudesk

Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4.

7.5
2022-06-24 CVE-2021-42056 Thalesgroup Link Following vulnerability in Thalesgroup Safenet Authentication Client

Thales Safenet Authentication Client (SAC) for Linux and Windows through 10.7.7 creates insecure temporary hid and lock files allowing a local attacker, through a symlink attack, to overwrite arbitrary files, and potentially achieve arbitrary command execution with high privileges.

7.2
2022-06-24 CVE-2020-21046 Softonic Improper Privilege Management vulnerability in Softonic Eagleget 2.1.5.20

A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable.

7.2
2022-06-24 CVE-2022-20828 Cisco Unspecified vulnerability in Cisco ASA Firepower 6.3.0/6.5.0/6.7.0

A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user.

7.2
2022-06-24 CVE-2022-20829 Cisco Insufficient Verification of Data Authenticity vulnerability in Cisco products

A vulnerability in the packaging of Cisco Adaptive Security Device Manager (ASDM) images and the validation of those images by Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker with administrative privileges to upload an ASDM image that contains malicious code to a device that is running Cisco ASA Software.

7.2
2022-06-24 CVE-2022-1741 Dominionvoting Improper Privilege Management vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The tested version of Dominion Voting Systems ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code.

7.2
2022-06-24 CVE-2022-1742 Dominionvoting Improper Protection of Alternate Path vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The tested version of Dominion Voting Systems ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system.

7.2
2022-06-24 CVE-2022-1743 Dominionvoting Path Traversal: '../filedir' vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The tested version of Dominion Voting System ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files.

7.2
2022-06-24 CVE-2022-1744 Dominionvoting Execution with Unnecessary Privileges vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

Applications on the tested version of Dominion Voting Systems ImageCast X can execute code with elevated privileges by exploiting a system level service.

7.2
2022-06-24 CVE-2022-1745 Dominionvoting Authentication Bypass by Spoofing vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery.

7.2
2022-06-24 CVE-2022-1746 Dominionvoting Improper Privilege Management vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information.

7.2
2022-06-23 CVE-2022-26862 Dell Improper Input Validation vulnerability in Dell products

Prior Dell BIOS versions contain an Input Validation vulnerability.

7.2
2022-06-23 CVE-2022-26863 Dell Improper Input Validation vulnerability in Dell products

Prior Dell BIOS versions contain an Input Validation vulnerability.

7.2
2022-06-23 CVE-2022-26864 Dell Improper Input Validation vulnerability in Dell products

Prior Dell BIOS versions contain an Input Validation vulnerability.

7.2
2022-06-22 CVE-2017-20083 Jung Group Unspecified vulnerability in Jung-Group Smart Visu Server Firmware 1.0.804/1.0.830/1.0.832

A vulnerability, which was classified as critical, was found in JUNG Smart Visu Server 1.0.804/1.0.830/1.0.832.

7.2
2022-06-21 CVE-2022-34008 Comodo Improper Privilege Management vulnerability in Comodo Antivirus 12.2.2.8012

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation.

7.2

249 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-06-26 CVE-2022-2206 VIM
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

6.8
2022-06-24 CVE-2022-1739 Dominionvoting Improper Verification of Cryptographic Signature vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The tested version of Dominion Voting Systems ImageCast X does not validate application signatures to a trusted root certificate.

6.8
2022-06-24 CVE-2022-23170 Sysaid XXE vulnerability in Sysaid Okta SSO

SysAid - Okta SSO integration - was found vulnerable to XML External Entity Injection vulnerability.

6.8
2022-06-24 CVE-2022-32530 Schneider Electric Exposure of Resource to Wrong Sphere vulnerability in Schneider-Electric GEO Scada Mobile 2020

A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application.

6.8
2022-06-24 CVE-2021-41636 Melag Path Traversal vulnerability in Melag FTP Server 2.2.0.4

MELAG FTP Server 2.2.0.4 allows an attacker to use the CWD command to break out of the FTP servers root directory and operate on the entire operating system, while the access restrictions of the user running the FTP server apply.

6.8
2022-06-24 CVE-2022-31806 Codesys Insecure Default Initialization of Resource vulnerability in Codesys Plcwinnt and Runtime Toolkit

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.

6.8
2022-06-23 CVE-2022-2183 VIM
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

6.8
2022-06-23 CVE-2022-2182 VIM
Fedoraproject
Heap-based Buffer Overflow vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

6.8
2022-06-23 CVE-2021-26636 Maxb SQL Injection vulnerability in Maxb Maxboard 1.9.6

Stored XSS and SQL injection vulnerability in MaxBoard could lead to occur Remote Code Execution, which could lead to information exposure and privilege escalation.

6.8
2022-06-23 CVE-2022-22980 Vmware Expression Language Injection vulnerability in VMWare Spring Data Mongodb

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

6.8
2022-06-23 CVE-2022-33025 GNU Use After Free vulnerability in GNU Libredwg 0.12.4.4608

LibreDWG v0.12.4.4608 was discovered to contain a heap-use-after-free via the function decode_preR13_section at decode_r11.c.

6.8
2022-06-23 CVE-2022-33026 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.12.4.4608

LibreDWG v0.12.4.4608 was discovered to contain a heap buffer overflow via the function bit_calc_CRC at bits.c.

6.8
2022-06-23 CVE-2022-33027 GNU Use After Free vulnerability in GNU Libredwg 0.12.4.4608

LibreDWG v0.12.4.4608 was discovered to contain a heap-use-after-free via the function dwg_add_handleref at dwg.c.

6.8
2022-06-23 CVE-2022-33028 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.12.4.4608

LibreDWG v0.12.4.4608 was discovered to contain a heap buffer overflow via the function dwg_add_object at decode.c.

6.8
2022-06-23 CVE-2022-33032 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.12.4.4608

LibreDWG v0.12.4.4608 was discovered to contain a heap-buffer-overflow via the function decode_preR13_section_hdr at decode_r11.c.

6.8
2022-06-23 CVE-2022-33033 GNU Double Free vulnerability in GNU Libredwg 0.12.4.4608

LibreDWG v0.12.4.4608 was discovered to contain a double-free via the function dwg_read_file at dwg.c.

6.8
2022-06-23 CVE-2022-33034 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.12.4.4608

LibreDWG v0.12.4.4608 was discovered to contain a stack overflow via the function copy_bytes at decode_r2007.c.

6.8
2022-06-23 CVE-2022-34203 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Easyqa

A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server.

6.8
2022-06-23 CVE-2022-34300 Tinyexr Project Out-of-bounds Read vulnerability in Tinyexr Project Tinyexr 1.0.1

In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::DecodePixelData.

6.8
2022-06-23 CVE-2022-2175 VIM
Fedoraproject
Buffer Over-read vulnerability in multiple products

Buffer Over-read in GitHub repository vim/vim prior to 8.2.

6.8
2022-06-23 CVE-2017-20090 Global Content Blocks Project Cross-Site Request Forgery (CSRF) vulnerability in Global Content Blocks Project Global Content Blocks 2.1.5

A vulnerability was found in Global Content Blocks Plugin 2.1.5.

6.8
2022-06-22 CVE-2022-23079 Getmotoradmin Improper Encoding or Escaping of Output vulnerability in Getmotoradmin Motor Admin

In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim.

6.8
2022-06-21 CVE-2022-27867 Autodesk Use After Free vulnerability in Autodesk Autocad

A maliciously crafted JT file in Autodesk AutoCAD 2022, 2021, 2020, 2019 can be used to trigger use-after-free vulnerability.

6.8
2022-06-21 CVE-2022-27868 Autodesk Use After Free vulnerability in Autodesk Autocad 2023

A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to trigger use-after-free vulnerability.

6.8
2022-06-21 CVE-2022-27869 Autodesk Out-of-bounds Write vulnerability in Autodesk Autocad 2023

A maliciously crafted TIFF file in Autodesk AutoCAD 2023 can be forced to read and write beyond allocated boundaries when parsing the TIFF file.

6.8
2022-06-21 CVE-2022-27870 Autodesk Out-of-bounds Write vulnerability in Autodesk Autocad 2023

A maliciously crafted TGA file in Autodesk AutoCAD 2023 may be used to write beyond the allocated buffer while parsing TGA file.

6.8
2022-06-21 CVE-2022-27871 Autodesk Allocation of Resources Without Limits or Throttling vulnerability in Autodesk products

Autodesk AutoCAD product suite, Revit, Design Review and Navisworks releases using PDFTron prior to 9.1.17 version may be used to write beyond the allocated buffer while parsing PDF files.

6.8
2022-06-21 CVE-2022-27872 Autodesk Improper Handling of Exceptional Conditions vulnerability in Autodesk Navisworks 2022

A maliciously crafted PDF file may be used to dereference a pointer for read or write operation while parsing PDF files in Autodesk Navisworks 2022.

6.8
2022-06-20 CVE-2021-41682 Jerryscript Use After Free vulnerability in Jerryscript 2.4.0

There is a heap-use-after-free at ecma-helpers-string.c:1940 in ecma_compare_ecma_non_direct_strings in JerryScript 2.4.0

6.8
2022-06-20 CVE-2021-41683 Jerryscript Out-of-bounds Write vulnerability in Jerryscript 2.4.0

There is a stack-overflow at ecma-helpers.c:326 in ecma_get_lex_env_type in JerryScript 2.4.0

6.8
2022-06-20 CVE-2017-20062 Elefantcms Cross-Site Request Forgery (CSRF) vulnerability in Elefantcms Elefant CMS 1.3.12

A vulnerability was found in Elefant CMS 1.3.12-RC and classified as problematic.

6.8
2022-06-24 CVE-2022-22389 IBM SQL Injection vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may terminate abnormally when executing specially crafted SQL statements by an authenticated user.

6.5
2022-06-24 CVE-2021-29768 IBM
Netapp
Exposure of Resource to Wrong Sphere vulnerability in multiple products

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access.

6.5
2022-06-24 CVE-2022-32137 Codesys Heap-based Buffer Overflow vulnerability in Codesys Plcwinnt and Runtime Toolkit

In multiple CODESYS products, a low privileged remote attacker may craft a request, which may cause a heap-based buffer overflow, resulting in a denial-of-service condition or memory overwrite.

6.5
2022-06-24 CVE-2022-32138 Codesys Unexpected Sign Extension vulnerability in Codesys Plcwinnt and Runtime Toolkit

In multiple CODESYS products, a remote attacker may craft a request which may cause an unexpected sign extension, resulting in a denial-of-service condition or memory overwrite.

6.5
2022-06-24 CVE-2022-32143 Codesys Files or Directories Accessible to External Parties vulnerability in Codesys Plcwinnt and Runtime Toolkit

In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g.

6.5
2022-06-24 CVE-2022-32391 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/actions/view_action.php:4

6.5
2022-06-24 CVE-2022-32392 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/actions/manage_action.php:4

6.5
2022-06-24 CVE-2022-32393 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/cells/view_cell.php:4

6.5
2022-06-24 CVE-2022-32394 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/view_inmate.php:3

6.5
2022-06-24 CVE-2022-32395 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/crimes/manage_crime.php:4

6.5
2022-06-24 CVE-2022-32396 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/visits/manage_visit.php:4

6.5
2022-06-24 CVE-2022-32397 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/visits/view_visit.php:4

6.5
2022-06-24 CVE-2022-32398 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/cells/manage_cell.php:4

6.5
2022-06-24 CVE-2022-32399 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/crimes/view_crime.php:4

6.5
2022-06-24 CVE-2022-32400 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/user/manage_user.php:4.

6.5
2022-06-24 CVE-2022-32401 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_privilege.php:4

6.5
2022-06-24 CVE-2022-32402 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/prisons/manage_prison.php:4

6.5
2022-06-24 CVE-2022-32403 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_record.php:4

6.5
2022-06-24 CVE-2022-32404 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/inmates/manage_inmate.php:3

6.5
2022-06-24 CVE-2022-32405 Prison Management System Project SQL Injection vulnerability in Prison Management System Project Prison Management System 1.0

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/prisons/view_prison.php:4

6.5
2022-06-23 CVE-2021-40955 Laiketui SQL Injection vulnerability in Laiketui 3.5.0

SQL injection exists in LaiKetui v3.5.0 the background administrator list.

6.5
2022-06-23 CVE-2022-22967 Saltstack Incorrect Authorization vulnerability in Saltstack Salt

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2.

6.5
2022-06-23 CVE-2022-31362 Docebo Unrestricted Upload of File with Dangerous Type vulnerability in Docebo 4.0.5

** UNSUPPORTED WHEN ASSIGNED ** Docebo Community Edition v4.0.5 and below was discovered to contain an arbitrary file upload vulnerability.

6.5
2022-06-23 CVE-2022-33114 Jflyfox SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0

Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.

6.5
2022-06-21 CVE-2022-1833 Redhat Incorrect Default Permissions vulnerability in Redhat AMQ Broker 7.9.4

A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets.

6.5
2022-06-21 CVE-2022-33048 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/reservations/view_details.php.

6.5
2022-06-21 CVE-2022-33049 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/?page=user/manage_user.

6.5
2022-06-21 CVE-2022-33055 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/trains/manage_train.php.

6.5
2022-06-21 CVE-2022-33056 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/schedules/manage_schedule.php.

6.5
2022-06-21 CVE-2017-20068 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability was found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20069 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability classified as critical has been found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20070 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability classified as critical was found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20071 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability, which was classified as critical, has been found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20072 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability, which was classified as critical, was found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20073 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability has been found in Hindu Matrimonial Script and classified as critical.

6.5
2022-06-21 CVE-2017-20074 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability was found in Hindu Matrimonial Script and classified as critical.

6.5
2022-06-21 CVE-2017-20075 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability was found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20076 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability was found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20077 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability was found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20078 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability classified as critical has been found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20079 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability classified as critical was found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20080 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability, which was classified as critical, has been found in Hindu Matrimonial Script.

6.5
2022-06-21 CVE-2017-20081 Hindu Matrimonial Script Project Improper Privilege Management vulnerability in Hindu Matrimonial Script Project Hindu Matrimonial Script

A vulnerability, which was classified as critical, was found in Hindu Matrimonial Script.

6.5
2022-06-20 CVE-2022-22318 IBM Insufficient Session Expiration vulnerability in IBM Curam Social Program Management 8.0.0/8.0.1

IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

6.5
2022-06-20 CVE-2021-25121 Bestwebsoft Integer Underflow (Wrap or Wraparound) vulnerability in Bestwebsoft Rating

The Rating by BestWebSoft WordPress plugin before 1.6 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service on the post/page when a user submit such rating

6.5
2022-06-20 CVE-2022-1472 Codesolz SQL Injection vulnerability in Codesolz Better Find and Replace

The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection

6.5
2022-06-20 CVE-2022-1939 Allow SVG Files Project Unrestricted Upload of File with Dangerous Type vulnerability in Allow SVG Files Project Allow SVG Files

The Allow svg files WordPress plugin before 1.1 does not properly validate uploaded files, which could allow high privilege users such as admin to upload PHP files even when they are not allowed to

6.5
2022-06-20 CVE-2017-20063 Elefantcms Unrestricted Upload of File with Dangerous Type vulnerability in Elefantcms Elefant CMS 1.3.12

A vulnerability was found in Elefant CMS 1.3.12-RC.

6.5
2022-06-20 CVE-2017-20064 Elefantcms Code Injection vulnerability in Elefantcms Elefant CMS 1.3.12

A vulnerability was found in Elefant CMS 1.3.12-RC.

6.5
2022-06-25 CVE-2022-33128 Ruijienetworks SQL Injection vulnerability in Ruijienetworks Rg-Eg350 Firmware Egrgos11.1(6)

RG-EG series gateway EG350 EG_RGOS 11.1(6) was discovered to contain a SQL injection vulnerability via the function get_alarmAction at /alarm_pi/alarmService.php.

6.4
2022-06-24 CVE-2022-1521 Illumina Missing Authorization vulnerability in Illumina Local RUN Manager 1.3/2.0/3.1

LRM does not implement authentication or authorization by default.

6.4
2022-06-24 CVE-2022-2103 Secheron Insufficiently Protected Credentials vulnerability in Secheron Sepcos Control and Protection Relay Firmware

An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories.

6.4
2022-06-24 CVE-2022-2105 Secheron Unspecified vulnerability in Secheron Sepcos Control and Protection Relay Firmware

Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor.

6.4
2022-06-24 CVE-2022-30117 Concretecms Path Traversal vulnerability in Concretecms Concrete CMS

Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit.

6.4
2022-06-23 CVE-2022-34181 Jenkins Protection Mechanism Failure vulnerability in Jenkins Xunit 3.0.8

Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.

6.4
2022-06-20 CVE-2022-26668 Asus Incorrect Authorization vulnerability in Asus Control Center 1.4.2.5

ASUS Control Center API has a broken access control vulnerability.

6.4
2022-06-25 CVE-2022-29931 Raytion Cross-site Scripting vulnerability in Raytion Custom Security Manager 7.2.0

The administration interface of the Raytion Custom Security Manager (Raytion CSM) in Version 7.2.0 allows reflected Cross-site Scripting (XSS).

6.1
2022-06-24 CVE-2021-39047 IBM
Netapp
Cross-site Scripting vulnerability in multiple products

IBM Planning Analytics 2.0 and IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 are vulnerable to cross-site scripting.

6.1
2022-06-23 CVE-2022-34170 Jenkins Cross-site Scripting vulnerability in Jenkins 2.333/2.334

In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

6.1
2022-06-23 CVE-2022-34171 Jenkins Cross-site Scripting vulnerability in Jenkins 2.333/2.334

In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.

6.1
2022-06-23 CVE-2022-34172 Jenkins Cross-site Scripting vulnerability in Jenkins

In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.

6.1
2022-06-23 CVE-2022-34173 Jenkins Cross-site Scripting vulnerability in Jenkins

In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

6.1
2022-06-23 CVE-2022-34305 Apache Cross-site Scripting vulnerability in Apache Tomcat

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

6.1
2022-06-23 CVE-2017-20086 Automattic Code Injection vulnerability in Automattic Vaultpress 1.8.4

A vulnerability, which was classified as critical, was found in VaultPress Plugin 1.8.4.

6.0
2022-06-24 CVE-2022-33121 1234N Cross-Site Request Forgery (CSRF) vulnerability in 1234N Minicms 1.11

A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link.

5.8
2022-06-23 CVE-2022-34299 Libdwarf Project Out-of-bounds Read vulnerability in Libdwarf Project Libdwarf 0.4.0

There is a heap-based buffer over-read in libdwarf 0.4.0.

5.8
2022-06-22 CVE-2022-23078 Habitica Open Redirect vulnerability in Habitica

In habitica versions v4.119.0 through v4.232.2 are vulnerable to open redirect via the login page.

5.8
2022-06-24 CVE-2013-1891 Opencart Path Traversal vulnerability in Opencart 1.5.5.1

In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed.

5.5
2022-06-24 CVE-2022-32142 Codesys Use of Out-of-range Pointer Offset vulnerability in Codesys Plcwinnt and Runtime Toolkit

Multiple CODESYS Products are prone to a out-of bounds read or write access.

5.5
2022-06-23 CVE-2022-33068 Harfbuzz Project
Fedoraproject
Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

5.5
2022-06-23 CVE-2022-33070 Protobuf C Project
Fedoraproject
Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c.
5.5
2022-06-22 CVE-2022-23055 Frappe Missing Authorization vulnerability in Frappe Erpnext

In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality.

5.4
2022-06-24 CVE-2021-40894 Underscore 99Xp Project Unspecified vulnerability in Underscore-99Xp Project Underscore-99Xp 1.7.2

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in underscore-99xp v1.7.2 when the deepValueSearch function is called.

5.0
2022-06-24 CVE-2021-20355 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag.

5.0
2022-06-24 CVE-2021-38879 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag.

5.0
2022-06-24 CVE-2021-40893 Validate Data Project Unspecified vulnerability in Validate Data Project Validate Data 0.1.1

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-data v0.1.1 when validating crafted invalid emails.

5.0
2022-06-24 CVE-2022-29578 Meridian Improper Authentication vulnerability in Meridian 22.02/22.03

Meridian Cooperative Utility Software versions 22.02 and 22.03 allows remote attackers to obtain sensitive information such as name, address, and daily energy usage.

5.0
2022-06-24 CVE-2022-2102 Secheron Unrestricted Upload of File with Dangerous Type vulnerability in Secheron Sepcos Control and Protection Relay Firmware

Controls limiting uploads to certain file extensions may be bypassed.

5.0
2022-06-24 CVE-2021-40892 Validate Color Project Unspecified vulnerability in Validate Color Project Validate Color 2.1.0

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings.

5.0
2022-06-24 CVE-2021-41634 Melag Information Exposure Through Discrepancy vulnerability in Melag FTP Server 2.2.0.4

A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an attacker to identify valid FTP usernames.

5.0
2022-06-24 CVE-2021-41638 Melag Improper Authentication vulnerability in Melag FTP Server 2.2.0.4

The authentication checks of the MELAG FTP Server in version 2.2.0.4 are incomplete, which allows a remote attacker to access local files only by using a valid username.

5.0
2022-06-24 CVE-2022-31803 Codesys Resource Exhaustion vulnerability in Codesys Gateway

In CODESYS Gateway Server V2 an insufficient check for the activity of TCP client connections allows an unauthenticated attacker to consume all available TCP connections and prevent legitimate users or clients from establishing a new connection to the CODESYS Gateway Server V2.

5.0
2022-06-24 CVE-2022-31804 Codesys Uncontrolled Memory Allocation vulnerability in Codesys Gateway

The CODESYS Gateway Server V2 does not verifiy that the size of a request is within expected limits.

5.0
2022-06-23 CVE-2021-40956 Laiketui SQL Injection vulnerability in Laiketui 3.5.0

LaiKetui v3.5.0 has SQL injection in the background through the menu management function, and sensitive data can be obtained.

5.0
2022-06-23 CVE-2022-29526 Golang
Fedoraproject
Netapp
Improper Privilege Management vulnerability in multiple products

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment.

5.0
2022-06-23 CVE-2022-33024 GNU Reachable Assertion vulnerability in GNU Libredwg 0.12.4.4608

There is an Assertion `int decode_preR13_entities(BITCODE_RL, BITCODE_RL, unsigned int, BITCODE_RL, BITCODE_RL, Bit_Chain *, Dwg_Data *' failed at dwg2dxf: decode.c:5801 in libredwg v0.12.4.4608.

5.0
2022-06-23 CVE-2022-33092 74Cms SQL Injection vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/job/index.

5.0
2022-06-23 CVE-2022-33093 74Cms SQL Injection vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the key parameter at /freelance/resume_list.

5.0
2022-06-23 CVE-2022-33094 74Cms SQL Injection vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/job/map.

5.0
2022-06-23 CVE-2022-33095 74Cms SQL Injection vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/jobfairol/resumelist.

5.0
2022-06-23 CVE-2022-33096 74Cms SQL Injection vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/resume/index.

5.0
2022-06-23 CVE-2022-33097 74Cms SQL Injection vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/campus/campus_job.

5.0
2022-06-23 CVE-2022-34174 Jenkins Information Exposure Through Discrepancy vulnerability in Jenkins

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

5.0
2022-06-23 CVE-2022-34177 Jenkins Path Traversal vulnerability in Jenkins Pipeline: Input Step

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

5.0
2022-06-23 CVE-2022-34179 Jenkins Path Traversal vulnerability in Jenkins Embeddable Build Status

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

5.0
2022-06-23 CVE-2022-34180 Jenkins Missing Authorization vulnerability in Jenkins Embeddable Build Status

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

5.0
2022-06-23 CVE-2022-34296 Zalando Incorrect Authorization vulnerability in Zalando Skipper

In Zalando Skipper before 0.13.218, a query predicate could be bypassed via a prepared request.

5.0
2022-06-23 CVE-2022-34298 Openidentityplatform Incorrect Authorization vulnerability in Openidentityplatform Openam

The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."

5.0
2022-06-22 CVE-2022-32549 Apache Improper Encoding or Escaping of Output vulnerability in Apache Sling API and Sling Commons LOG

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection.

5.0
2022-06-22 CVE-2022-21952 Suse Resource Exhaustion vulnerability in Suse Manager Server 4.1/4.2

An Uncontrolled Resource Consumption vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to easily exhaust available disk resources leading to DoS.

5.0
2022-06-22 CVE-2022-31248 Suse Response Discrepancy Information Exposure vulnerability in Suse Manager Server 4.1/4.2

A Observable Response Discrepancy vulnerability in spacewalk-java of SUSE Manager Server 4.1, SUSE Manager Server 4.2 allows remote attackers to discover valid usernames.

5.0
2022-06-21 CVE-2021-36761 Qlik Server-Side Request Forgery (SSRF) vulnerability in Qlik Sense April2020

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF.

5.0
2022-06-21 CVE-2021-40510 Obdasystems XXE vulnerability in Obdasystems Mastro 1.0

XML eXternal Entity (XXE) in OBDA systems’ Mastro 1.0 allows remote attackers to read system files via custom DTDs.

5.0
2022-06-21 CVE-2021-40511 Obdasystems XML Entity Expansion vulnerability in Obdasystems Mastro 1.0

OBDA systems’ Mastro 1.0 is vulnerable to XML Entity Expansion (aka “billion laughs”) attack allowing denial of service.

5.0
2022-06-21 CVE-2021-39006 IBM Unspecified vulnerability in IBM Qradar Wincollect 10.0/10.0.1

IBM QRadar WinCollect Agent 10.0 and 10.0.1 could allow an attacker to obtain sensitive information due to missing best practices.

5.0
2022-06-21 CVE-2022-22979 Vmware Allocation of Resources Without Limits or Throttling vulnerability in VMWare Spring Cloud Function

In Spring Cloud Function versions prior to 3.2.6, it is possible for a user who directly interacts with framework provided lookup functionality to cause a denial-of-service condition due to the caching issue in the Function Catalog component of the framework.

5.0
2022-06-21 CVE-2022-33995 Devolutions Path Traversal vulnerability in Devolutions Remote Desktop Manager

A path traversal issue in entry attachments in Devolutions Remote Desktop Manager before 2022.2 allows attackers to create or overwrite files in an arbitrary location.

5.0
2022-06-21 CVE-2022-23342 Hyland Unspecified vulnerability in Hyland Onbase

The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability.

5.0
2022-06-20 CVE-2022-31062 Glpi Project Path Traversal vulnerability in Glpi-Project Glpi Inventory 1.0.0/1.0.1

### Impact A plugin public script can be used to read content of system files.

5.0
2022-06-20 CVE-2022-32983 NIC Authentication Bypass by Spoofing vulnerability in NIC Knot Resolver

Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.

5.0
2022-06-20 CVE-2022-1801 Very Simple Contact Form Project Incorrect Authorization vulnerability in Very Simple Contact Form Project Very Simple Contact Form

The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots.

5.0
2022-06-26 CVE-2022-34494 Linux Double Free vulnerability in Linux Kernel

rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.

4.9
2022-06-26 CVE-2022-34495 Linux Double Free vulnerability in Linux Kernel

rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.

4.9
2022-06-24 CVE-2021-29865 IBM Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to hijack the clicking action of the victim.

4.9
2022-06-22 CVE-2017-20082 Jung Group Unspecified vulnerability in Jung-Group Smart Visu Server Firmware 1.0.804/1.0.830/1.0.832

A vulnerability, which was classified as problematic, has been found in JUNG Smart Visu Server 1.0.804/1.0.830/1.0.832.

4.9
2022-06-24 CVE-2022-28619 HPE Unspecified vulnerability in HPE Control Repository Manager

A potential security vulnerability has been identified in the installer of HPE Version Control Repository Manager.

4.6
2022-06-23 CVE-2022-2147 Cloudflare Unquoted Search Path or Element vulnerability in Cloudflare Warp 2022.2.247.0/2022.2.95.0/2022.3.63.0

Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation.

4.6
2022-06-22 CVE-2017-20084 Jung Group Unspecified vulnerability in Jung-Group Smart Visu Server Firmware 1.0.804/1.0.830/1.0.832

A vulnerability has been found in JUNG Smart Visu Server 1.0.804/1.0.830/1.0.832 and classified as critical.

4.6
2022-06-21 CVE-2022-1665 Redhat Unspecified vulnerability in Redhat Enterprise Linux 8.0

A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by the grub in Secure Boot mode even though it shouldn't.

4.6
2022-06-20 CVE-2017-20066 Adminer Login Project Incorrect Authorization vulnerability in Adminer Login Project Adminer Login 1.4.4

A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic.

4.6
2022-06-20 CVE-2022-1823 Mcafee Improper Privilege Management vulnerability in Mcafee Consumer Product Removal Tool

Improper privilege management vulnerability in McAfee Consumer Product Removal Tool prior to version 10.4.128 could allow a local user to modify a configuration file and perform a LOLBin (Living off the land) attack.

4.6
2022-06-20 CVE-2022-1824 Mcafee Uncontrolled Search Path Element vulnerability in Mcafee Consumer Product Removal Tool

An uncontrolled search path vulnerability in McAfee Consumer Product Removal Tool prior to version 10.4.128 could allow a local attacker to perform a sideloading attack by using a specific file name.

4.4
2022-06-25 CVE-2022-29168 Wire Cross-site Scripting vulnerability in Wire Wire-Webapp

Wire is a secure messaging application.

4.3
2022-06-24 CVE-2021-39408 Online Student Rate System Project Cross-site Scripting vulnerability in Online Student Rate System Project Online Student Rate System 1.0

Cross Site Scripting (XSS) vulnerability exists in Online Student Rate System 1.0 via the page parameter on the index.php file

4.3
2022-06-24 CVE-2022-30028 Dradisframework Race Condition vulnerability in Dradisframework Dradis

Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token.

4.3
2022-06-24 CVE-2022-1524 Illumina Cleartext Transmission of Sensitive Information vulnerability in Illumina Local RUN Manager 1.3/2.0/3.1

LRM version 2.4 and lower does not implement TLS encryption.

4.3
2022-06-24 CVE-2022-30118 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS.

4.3
2022-06-24 CVE-2022-30119 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

XSS in /dashboard/reports/logs/view - old browsers only.

4.3
2022-06-24 CVE-2022-30120 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only.

4.3
2022-06-24 CVE-2022-32209 Rubyonrails
Fedoraproject
Cross-site Scripting vulnerability in multiple products

# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.Code is only impacted if allowed tags are being overridden.

4.3
2022-06-24 CVE-2022-32990 Gimp Improper Handling of Exceptional Conditions vulnerability in Gimp 2.10.30

An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).

4.3
2022-06-24 CVE-2022-31805 Codesys Unprotected Transport of Credentials vulnerability in Codesys products

In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected.

4.3
2022-06-24 CVE-2017-20092 Yoast Cross-site Scripting vulnerability in Yoast Google Analytics Dashboard 2.1.1

A vulnerability classified as problematic was found in Google Analytics Dashboard Plugin 2.1.1.

4.3
2022-06-24 CVE-2017-20093 Wpdownloadmanager Cross-Site Request Forgery (CSRF) vulnerability in Wpdownloadmanager Wordpress Download Manager 2.8.99

A vulnerability, which was classified as problematic, was found in Download Manager Plugin 2.8.99.

4.3
2022-06-24 CVE-2017-20096 WP Spamfree Anti Spam Project Cross-site Scripting vulnerability in Wp-Spamfree Anti-Spam Project Wp-Spamfree Anti-Spam 2.1.1.4

A vulnerability classified as problematic has been found in WP-SpamFree Anti-Spam Plugin 2.1.1.4.

4.3
2022-06-24 CVE-2017-20097 WP Filebase Download Manager Project Cross-site Scripting vulnerability in Wp-Filebase Download Manager Project Wp-Filebase Download Manager 3.4.4

A vulnerability was found in WP-Filebase Download Manager Plugin 3.4.4.

4.3
2022-06-23 CVE-2021-29055 School File Management System Project Cross-site Scripting vulnerability in School File Management System Project School File Management System 1.0

Cross Site Scripting (XSS) vulnerability in sourcecodester School File Management System 1.0 via the Firtstname parameter to the Update Account form in student_profile.php.

4.3
2022-06-23 CVE-2022-32124 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /index/jobfairol/show/.

4.3
2022-06-23 CVE-2022-32125 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /job.

4.3
2022-06-23 CVE-2022-32126 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company.

4.3
2022-06-23 CVE-2022-32127 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/view_be_browsed/total.

4.3
2022-06-23 CVE-2022-32128 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/service/increment/add/im.

4.3
2022-06-23 CVE-2022-32129 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/account/safety/trade.

4.3
2022-06-23 CVE-2022-32130 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/down_resume/total/nature.

4.3
2022-06-23 CVE-2022-32131 74Cms Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.5.1

74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /index/notice/show.

4.3
2022-06-23 CVE-2022-33067 Long Range ZIP Project Unspecified vulnerability in Long Range ZIP Project Long Range ZIP 0.651

Lrzip v0.651 was discovered to contain multiple invalid arithmetic shifts via the functions get_magic in lrzip.c and Predictor::init in libzpaq/libzpaq.cpp.

4.3
2022-06-23 CVE-2022-33069 Soliditylang Reachable Assertion vulnerability in Soliditylang Solidity 0.8.13/0.8.14

Ethereum Solidity v0.8.14 contains an assertion failure via SMTEncoder::indexOrMemberAssignment() at SMTEncoder.cpp.

4.3
2022-06-23 CVE-2022-33124 Aiohttp Project Unspecified vulnerability in Aiohttp Project Aiohttp 3.8.1

** DISPUTED ** AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS).

4.3
2022-06-23 CVE-2022-34178 Jenkins Cross-site Scripting vulnerability in Jenkins Embeddable Build Status 2.0.3

Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

4.3
2022-06-23 CVE-2022-34182 Jenkins Cross-site Scripting vulnerability in Jenkins Nested View 1.20/1.25

Jenkins Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters, resulting in a reflected cross-site scripting (XSS) vulnerability.

4.3
2022-06-23 CVE-2022-34205 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Jianliao Notification

A cross-site request forgery (CSRF) vulnerability in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers to send HTTP POST requests to an attacker-specified URL.

4.3
2022-06-23 CVE-2022-34207 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Beaker Builder

A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL.

4.3
2022-06-23 CVE-2022-34209 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Threadfix 1.5.4

A cross-site request forgery (CSRF) vulnerability in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers to connect to an attacker-specified URL.

4.3
2022-06-23 CVE-2022-34211 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Vrealize Orchestrator 3.0

A cross-site request forgery (CSRF) vulnerability in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers to send an HTTP POST request to an attacker-specified URL.

4.3
2022-06-23 CVE-2022-34295 Totd Project Use of Insufficiently Random Values vulnerability in Totd Project Totd

totd before 1.5.3 does not properly randomize mesg IDs.

4.3
2022-06-23 CVE-2022-34328 PMB Project Cross-site Scripting vulnerability in PMB Project PMB 7.3.10

PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php.

4.3
2022-06-23 CVE-2017-20087 Thealpinepress Cross-site Scripting vulnerability in Thealpinepress Alpine-Photo-Tile-For-Instagram 1.2.7.7

A vulnerability, which was classified as problematic, has been found in Alpine PhotoTile for Instagram Plugin 1.2.7.7.

4.3
2022-06-23 CVE-2017-20088 Bytesforall Cross-Site Request Forgery (CSRF) vulnerability in Bytesforall Atahualpa

A vulnerability classified as problematic has been found in Atahualpa Theme.

4.3
2022-06-23 CVE-2017-20089 Gwolle Guestbook Project Cross-site Scripting vulnerability in Gwolle Guestbook Project Gwolle Guestbook 1.7.4

A vulnerability was found in Gwolle Guestbook Plugin 1.7.4.

4.3
2022-06-23 CVE-2017-20091 Wpjos Cross-Site Request Forgery (CSRF) vulnerability in Wpjos Library File Manager 3.0.1

A vulnerability was found in File Manager Plugin 3.0.1.

4.3
2022-06-22 CVE-2022-23081 Openlibrary Cross-site Scripting vulnerability in Openlibrary Ol201908

In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Reflected XSS.

4.3
2022-06-22 CVE-2022-23077 Habitica Cross-site Scripting vulnerability in Habitica

In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page.

4.3
2022-06-22 CVE-2022-2174 Microweber Cross-site Scripting vulnerability in Microweber

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.

4.3
2022-06-21 CVE-2021-41924 Webkul Cross-site Scripting vulnerability in Webkul Krayin

Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS).

4.3
2022-06-21 CVE-2022-31786 Ideaco Cross-site Scripting vulnerability in Ideaco Idealms 2022

IdeaLMS 2022 allows reflected Cross Site Scripting (XSS) via the IdeaLMS/Class/Assessment/ PATH_INFO.

4.3
2022-06-21 CVE-2022-31306 F5 Use After Free vulnerability in F5 NJS 0.7.2

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_convert_to_slow_array at src/njs_array.c.

4.3
2022-06-21 CVE-2022-31307 F5 Use After Free vulnerability in F5 NJS 0.7.2

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_string_offset at src/njs_string.c.

4.3
2022-06-21 CVE-2022-31373 Contec Cross-site Scripting vulnerability in Contec Sv-Cpt-Mc310 Firmware 6.0

SolarView Compact v6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Solar_AiConf.php.

4.3
2022-06-21 CVE-2022-32414 F5 Use After Free vulnerability in F5 NJS 0.7.2

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_vmcode_interpreter at src/njs_vmcode.c.

4.3
2022-06-21 CVE-2022-33119 Nuuo Cross-site Scripting vulnerability in Nuuo Nvrsolo Firmware 03.06.02

NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php.

4.3
2022-06-20 CVE-2017-20065 Supsystic Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Popup 1.7.6

A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic.

4.3
2022-06-20 CVE-2022-33913 Mahara Incorrect Authorization vulnerability in Mahara

In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check.

4.3
2022-06-20 CVE-2022-2134 Inventree Project Resource Exhaustion vulnerability in Inventree Project Inventree

Denial of Service in GitHub repository inventree/inventree prior to 0.8.0.

4.3
2022-06-20 CVE-2022-25772 Acquia Cross-site Scripting vulnerability in Acquia Mautic

A cross-site scripting (XSS) vulnerability in the web tracking component of Mautic before 4.3.0 allows remote attackers to inject executable javascript

4.3
2022-06-20 CVE-2021-25104 Oceanwp Cross-site Scripting vulnerability in Oceanwp Ocean Extra

The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP is active, leading to a Reflected Cross-Site Scripting issue

4.3
2022-06-20 CVE-2022-1603 Webfwd Cross-Site Request Forgery (CSRF) vulnerability in Webfwd Mail Subscribe List

The Mail Subscribe List WordPress plugin before 2.1.4 does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list

4.3
2022-06-20 CVE-2022-1610 Seamless Donations Project Cross-Site Request Forgery (CSRF) vulnerability in Seamless Donations Project Seamless Donations

The Seamless Donations WordPress plugin before 5.1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2022-06-20 CVE-2022-1614 WP Email Project Authorization Bypass Through User-Controlled Key vulnerability in Wp-Email Project Wp-Email

The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions.

4.3
2022-06-20 CVE-2022-1630 WP Email Project Cross-Site Request Forgery (CSRF) vulnerability in Wp-Email Project Wp-Email

The WP-EMail WordPress plugin before 2.69.0 does not protect its log deletion functionality with nonce checks, allowing attacker to make a logged in admin delete logs via a CSRF attack

4.3
2022-06-20 CVE-2022-1826 Cross Linker Project Cross-Site Request Forgery (CSRF) vulnerability in Cross-Linker Project Cross-Linker

The Cross-Linker WordPress plugin through 3.0.1.9 does not have CSRF check in place when creating Cross-Links, which could allow attackers to make a logged in admin perform such action via a CSRF attack

4.3
2022-06-20 CVE-2022-1827 Pdf24 Articles TO PDF Project Cross-Site Request Forgery (CSRF) vulnerability in Pdf24 Articles to PDF Project Pdf24 Articles to PDF

The PDF24 Article To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2022-06-20 CVE-2022-1828 Pdf24 Articles TO PDF Project Cross-Site Request Forgery (CSRF) vulnerability in Pdf24 Articles to PDF Project Pdf24 Articles to PDF

The PDF24 Articles To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2022-06-20 CVE-2022-1829 Inline Google Maps Project Cross-Site Request Forgery (CSRF) vulnerability in Inline Google Maps Project Inline Google Maps

The Inline Google Maps WordPress plugin through 5.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

4.3
2022-06-20 CVE-2022-1832 Capa Protect Project Cross-Site Request Forgery (CSRF) vulnerability in Capa Protect Project Capa Protect

The CaPa Protect WordPress plugin through 0.5.8.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable the applied protection.

4.3
2022-06-20 CVE-2022-1895 Underconstruction Project Cross-Site Request Forgery (CSRF) vulnerability in Underconstruction Project Underconstruction

The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack

4.3
2022-06-20 CVE-2022-31734 Cisco Cross-site Scripting vulnerability in Cisco Ws-C2940-8Tf-S Firmware and Ws-C2940-8Tt-S Firmware

** Unsupported When Assigned ** Cisco Catalyst 2940 Series Switches provided by Cisco Systems, Inc.

4.3
2022-06-20 CVE-2022-2130 Microweber Cross-site Scripting vulnerability in Microweber

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.

4.3
2022-06-20 CVE-2017-20057 Elefantcms Cross-site Scripting vulnerability in Elefantcms Elefant CMS 1.3.12

A vulnerability classified as problematic has been found in Elefant CMS 1.3.12-RC.

4.3
2022-06-20 CVE-2017-20058 Elefantcms Cross-site Scripting vulnerability in Elefantcms 1.3.12

A vulnerability classified as problematic was found in Elefant CMS 1.3.12-RC.

4.3
2022-06-25 CVE-2022-31016 Linuxfoundation Resource Exhaustion vulnerability in Linuxfoundation Argo-Cd

Argo CD is a declarative continuous deployment for Kubernetes.

4.0
2022-06-24 CVE-2021-20421 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF).

4.0
2022-06-24 CVE-2021-20544 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF).

4.0
2022-06-24 CVE-2022-29097 Dell Path Traversal vulnerability in Dell Wyse Management Suite

Dell WMS 3.6.1 and below contains a Path Traversal vulnerability in Device API.

4.0
2022-06-24 CVE-2022-29330 Vitalpbx Missing Authorization vulnerability in Vitalpbx

Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.

4.0
2022-06-24 CVE-2021-30651 Broadcom Insufficiently Protected Credentials vulnerability in Broadcom Symantec Messaging Gateway 10.7/10.7.4

A malicious authenticated SMG administrator user can obtain passwords for external LDAP/Active Directory servers that they might not otherwise be authorized to access.

4.0
2022-06-24 CVE-2022-1666 Secheron Insufficiently Protected Credentials vulnerability in Secheron Sepcos Control and Protection Relay Firmware

The default password for the web application’s root user (the vendor’s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool.

4.0
2022-06-24 CVE-2022-32136 Codesys Access of Uninitialized Pointer vulnerability in Codesys Plcwinnt and Runtime Toolkit

In multiple CODESYS products, a low privileged remote attacker may craft a request that cause a read access to an uninitialized pointer, resulting in a denial-of-service.

4.0
2022-06-24 CVE-2022-32139 Codesys Out-of-bounds Read vulnerability in Codesys Plcwinnt and Runtime Toolkit

In multiple CODESYS products, a low privileged remote attacker may craft a request, which cause an out-of-bounds read, resulting in a denial-of-service condition.

4.0
2022-06-24 CVE-2022-32140 Codesys Classic Buffer Overflow vulnerability in Codesys Plcwinnt and Runtime Toolkit

Multiple CODESYS products are affected to a buffer overflow.A low privileged remote attacker may craft a request, which can cause a buffer copy without checking the size of the service, resulting in a denial-of-service condition.

4.0
2022-06-24 CVE-2022-32141 Codesys Buffer Over-read vulnerability in Codesys Plcwinnt and Runtime Toolkit

Multiple CODESYS Products are prone to a buffer over read.

4.0
2022-06-23 CVE-2022-34011 Zhyd Server-Side Request Forgery (SSRF) vulnerability in Zhyd Oneblog 2.3.4

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls.

4.0
2022-06-23 CVE-2022-34012 Zhyd Incorrect Permission Assignment for Critical Resource vulnerability in Zhyd Oneblog 2.3.4

Insecure permissions in OneBlog v2.3.4 allows low-level administrators to reset the passwords of high-level administrators who hold greater privileges.

4.0
2022-06-23 CVE-2022-34013 Zhyd Server-Side Request Forgery (SSRF) vulnerability in Zhyd Oneblog 2.3.4

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module.

4.0
2022-06-23 CVE-2022-34199 Jenkins Unprotected Storage of Credentials vulnerability in Jenkins Convertigo Mobile Platform 1.0/1.1

Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

4.0
2022-06-23 CVE-2022-34201 Jenkins Missing Authorization vulnerability in Jenkins Convertigo Mobile Platform 1.0/1.1

A missing permission check in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

4.0
2022-06-23 CVE-2022-34202 Jenkins Unprotected Storage of Credentials vulnerability in Jenkins Easyqa

Jenkins EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

4.0
2022-06-23 CVE-2022-34204 Jenkins Missing Authorization vulnerability in Jenkins Easyqa

A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

4.0
2022-06-23 CVE-2022-34206 Jenkins Missing Authorization vulnerability in Jenkins Jianliao Notification

A missing permission check in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL.

4.0
2022-06-23 CVE-2022-34208 Jenkins Missing Authorization vulnerability in Jenkins Beaker Builder

A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

4.0
2022-06-23 CVE-2022-34210 Jenkins Missing Authorization vulnerability in Jenkins Threadfix 1.5.4

A missing permission check in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

4.0
2022-06-23 CVE-2022-34213 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Squash TM Publisher 1.0.0

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

4.0
2022-06-23 CVE-2022-31009 Wire Reachable Assertion vulnerability in Wire

wire-ios is an iOS client for the Wire secure messaging application.

4.0
2022-06-22 CVE-2022-23080 Rangerstudio Server-Side Request Forgery (SSRF) vulnerability in Rangerstudio Directus

In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.

4.0
2022-06-21 CVE-2022-31095 Discourse Information Exposure vulnerability in Discourse Discourse-Chat 0.3

discourse-chat is a chat plugin for the Discourse application.

4.0
2022-06-21 CVE-2022-1596 ABB Incorrect Permission Assignment for Critical Resource vulnerability in ABB products

Incorrect Permission Assignment for Critical Resource vulnerability in ABB REX640 PCL1, REX640 PCL2, REX640 PCL3 allows an authenticated attacker to launch an attack against the user database file and try to take control of an affected system node.

4.0
2022-06-21 CVE-2022-32974 Tenable Unspecified vulnerability in Tenable Nessus

An authenticated attacker could read arbitrary files from the underlying operating system of the scanner using a custom crafted compliance audit file without providing any valid SSH credentials.

4.0
2022-06-21 CVE-2022-31478 SR Solutions Unspecified vulnerability in Sr.Solutions Usertakeover

The UserTakeOver plugin before 4.0.1 for ILIAS allows an attacker to list all users via the search function.

4.0
2022-06-20 CVE-2022-26669 Asus SQL Injection vulnerability in Asus Control Center 1.4.2.5

ASUS Control Center is vulnerable to SQL injection.

4.0

68 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-06-24 CVE-2021-41637 Melag Incorrect Default Permissions vulnerability in Melag FTP Server 2.2.0.4

Weak access control permissions in MELAG FTP Server 2.2.0.4 allow the "Everyone" group to read the local FTP configuration file, which includes among other information the unencrypted passwords of all FTP users.

3.6
2022-06-26 CVE-2020-27509 Galaxkey Cross-site Scripting vulnerability in Galaxkey

Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up to 5.6.11.5 allows an attacker to perform an account takeover by intercepting the HTTP Post request when sending an email and injecting a specially crafted XSS payload in the 'subject' field.

3.5
2022-06-24 CVE-2022-33122 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.5.6

A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page.

3.5
2022-06-24 CVE-2021-20543 IBM Injection vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to HTML injection.

3.5
2022-06-24 CVE-2021-38871 IBM Cross-site Scripting vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting.

3.5
2022-06-24 CVE-2022-29096 Dell Cross-site Scripting vulnerability in Dell Wyse Management Suite

Dell Wyse Management Suite 3.6.1 and below contains a Reflected Cross-Site Scripting Vulnerability in saveGroupConfigurations page.

3.5
2022-06-24 CVE-2022-33910 Mantisbt Cross-site Scripting vulnerability in Mantisbt

An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes.

3.5
2022-06-24 CVE-2022-22502 IBM Cross-site Scripting vulnerability in IBM products

IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to cross-site scripting.

3.5
2022-06-24 CVE-2022-27238 Bigbluebutton Cross-site Scripting vulnerability in Bigbluebutton

BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality.

3.5
2022-06-24 CVE-2017-20094 Newstatpress Project Cross-site Scripting vulnerability in Newstatpress Project Newstatpress 1.2.4

A vulnerability, which was classified as problematic, has been found in NewStatPress Plugin 1.2.4.

3.5
2022-06-23 CVE-2022-32987 Simple Bakery Shop Management System Project Cross-site Scripting vulnerability in Simple Bakery Shop Management System Project Simple Bakery Shop Management System 1.0

Multiple cross-site scripting (XSS) vulnerabilities in /bsms/?page=manage_account of Simple Bakery Shop Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username or Full Name fields.

3.5
2022-06-23 CVE-2021-41432 Flatpress Cross-site Scripting vulnerability in Flatpress 1.2.1

A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.

3.5
2022-06-23 CVE-2021-46824 School File Management System Project Cross-site Scripting vulnerability in School File Management System Project School File Management System 1.0

Cross Site Scripting (XSS) vulnerability in sourcecodester School File Management System 1.0 via the Lastname parameter to the Update Account form in student_profile.php.

3.5
2022-06-23 CVE-2022-33113 Jflyfox Cross-site Scripting vulnerability in Jflyfox Jfinal CMS 5.1.0

Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.

3.5
2022-06-23 CVE-2022-34176 Jenkins Cross-site Scripting vulnerability in Jenkins Junit

Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

3.5
2022-06-23 CVE-2022-34183 Jenkins Cross-site Scripting vulnerability in Jenkins Agent Server Parameter 1.0/1.1

Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34184 Jenkins Cross-site Scripting vulnerability in Jenkins CRX Content Package Deployer

Jenkins CRX Content Package Deployer Plugin 1.9 and earlier does not escape the name and description of CRX Content Package Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34185 Jenkins Cross-site Scripting vulnerability in Jenkins Date Parameter 0.0.4

Jenkins Date Parameter Plugin 0.0.4 and earlier does not escape the name and description of Date parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34186 Jenkins Cross-site Scripting vulnerability in Jenkins Dynamic Extended Choice Parameter 1.0.0/1.0.1

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape the name and description of Moded Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34187 Jenkins Cross-site Scripting vulnerability in Jenkins Filesystem List Parameter 0.0.7

Jenkins Filesystem List Parameter Plugin 0.0.7 and earlier does not escape the name and description of File system objects list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34188 Jenkins Cross-site Scripting vulnerability in Jenkins Hidden Parameter 0.0.4

Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34189 Jenkins Cross-site Scripting vulnerability in Jenkins Image TAG Parameter 1.10

Jenkins Image Tag Parameter Plugin 1.10 and earlier does not escape the name and description of Image Tag parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34190 Jenkins Cross-site Scripting vulnerability in Jenkins Maven Metadata

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.1 and earlier does not escape the name and description of List maven artifact versions parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34191 Jenkins Cross-site Scripting vulnerability in Jenkins Ns-Nd Integration Performance Publisher 4.8.0.77

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.77 and earlier does not escape the name of NetStorm Test parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34192 Jenkins Cross-site Scripting vulnerability in Jenkins Ontrack

Jenkins ontrack Jenkins Plugin 4.0.0 and earlier does not escape the name of Ontrack: Multi Parameter choice, Ontrack: Parameter choice, and Ontrack: SingleParameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34193 Jenkins Cross-site Scripting vulnerability in Jenkins Package Version 1.0.1

Jenkins Package Version Plugin 1.0.1 and earlier does not escape the name of Package version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34194 Jenkins Cross-site Scripting vulnerability in Jenkins Readonly Parameter 1.0.0

Jenkins Readonly Parameter Plugin 1.0.0 and earlier does not escape the name and description of Readonly String and Readonly Text parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34195 Jenkins Cross-site Scripting vulnerability in Jenkins Repository Connector

Jenkins Repository Connector Plugin 2.2.0 and earlier does not escape the name and description of Maven Repository Artifact parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34196 Jenkins Cross-site Scripting vulnerability in Jenkins Rest List Parameter

Jenkins REST List Parameter Plugin 1.5.2 and earlier does not escape the name and description of REST list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34197 Jenkins Cross-site Scripting vulnerability in Jenkins Sauce Ondemand 1.204

Jenkins Sauce OnDemand Plugin 1.204 and earlier does not escape the name and description of Sauce Labs Browsers parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34198 Jenkins Cross-site Scripting vulnerability in Jenkins Stash Branch Parameter

Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier does not escape the name and description of Stash Branch parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

3.5
2022-06-23 CVE-2022-34212 Jenkins Missing Authorization vulnerability in Jenkins Vrealize Orchestrator 3.0

A missing permission check in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL.

3.5
2022-06-23 CVE-2017-20085 Bytesforall Cross-site Scripting vulnerability in Bytesforall Atahualpa

A vulnerability has been found in Atahualpa Theme and classified as problematic.

3.5
2022-06-22 CVE-2022-32159 Infogami Cross-site Scripting vulnerability in Infogami Ol201908

In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Stored XSS.

3.5
2022-06-22 CVE-2022-23056 Frappe Cross-site Scripting vulnerability in Frappe Erpnext

In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.

3.5
2022-06-22 CVE-2022-23057 Frappe Cross-site Scripting vulnerability in Frappe Erpnext

In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly.

3.5
2022-06-22 CVE-2022-23058 Frappe Cross-site Scripting vulnerability in Frappe Erpnext

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.

3.5
2022-06-21 CVE-2022-30874 Nukeviet Cross-site Scripting vulnerability in Nukeviet

There is a Cross Site Scripting Stored (XSS) vulnerability in NukeViet CMS before 4.5.02.

3.5
2022-06-21 CVE-2022-25585 Unioncms Project Cross-site Scripting vulnerability in Unioncms Project Unioncms 1.0.13

Unioncms v1.0.13 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Default settings.

3.5
2022-06-21 CVE-2022-31302 Maccms Cross-site Scripting vulnerability in Maccms 8.0

maccms8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field.

3.5
2022-06-21 CVE-2022-31303 Maccms Cross-site Scripting vulnerability in Maccms 10.0

maccms10 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Server Group text field.

3.5
2022-06-21 CVE-2022-23074 Tandoor Cross-site Scripting vulnerability in Tandoor Recipes

In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components.

3.5
2022-06-21 CVE-2022-23073 Tandoor Cross-site Scripting vulnerability in Tandoor Recipes

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality.

3.5
2022-06-21 CVE-2022-23072 Tandoor Cross-site Scripting vulnerability in Tandoor Recipes

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality.

3.5
2022-06-20 CVE-2021-25088 Google XML Sitemaps Project Cross-site Scripting vulnerability in Google XML Sitemaps Project Google XML Sitemaps

The XML Sitemaps WordPress plugin before 4.1.3 does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

3.5
2022-06-20 CVE-2022-0663 Printfriendly Cross-site Scripting vulnerability in Printfriendly Print, Pdf, Email BY Printfriendly

The Print, PDF, Email by PrintFriendly WordPress plugin before 5.2.3 does not sanitise and escape the Custom Button Text settings, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3.5
2022-06-20 CVE-2022-1266 Wpwax Cross-site Scripting vulnerability in Wpwax Post Grid, Slider & Carousel Ultimate

The Post Grid, Slider & Carousel Ultimate WordPress plugin before 1.5.0 does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

3.5
2022-06-20 CVE-2022-1717 WP Experts Cross-site Scripting vulnerability in Wp-Experts Custom Share Buttons With Floating Sidebar

The Custom Share Buttons with Floating Sidebar WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

3.5
2022-06-20 CVE-2022-1818 Multi Page Toolkit Project Cross-Site Request Forgery (CSRF) vulnerability in Multi-Page Toolkit Project Multi-Page Toolkit

The Multi-page Toolkit WordPress plugin through 2.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well

3.5
2022-06-20 CVE-2022-1830 Amazon Einzeltitellinks Project Cross-Site Request Forgery (CSRF) vulnerability in Amazon Einzeltitellinks Project Amazon Einzeltitellinks

The Amazon Einzeltitellinks WordPress plugin through 1.3.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

3.5
2022-06-20 CVE-2022-1831 Wplite Project Cross-Site Request Forgery (CSRF) vulnerability in Wplite Project Wplite

The WPlite WordPress plugin through 1.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

3.5
2022-06-20 CVE-2022-1889 Thenewsletterplugin Cross-site Scripting vulnerability in Thenewsletterplugin Newsletter

The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed

3.5
2022-06-20 CVE-2022-1896 Underconstruction Project Cross-site Scripting vulnerability in Underconstruction Project Underconstruction

The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.

3.5
2022-06-20 CVE-2022-1915 Wpreviewslider Cross-site Scripting vulnerability in Wpreviewslider WP Zillow Review Slider

The WP Zillow Review Slider WordPress plugin before 2.4 does not escape a settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite)

3.5
2022-06-20 CVE-2022-1945 Colorlib Cross-site Scripting vulnerability in Colorlib Coming Soon & Maintenance Mode

The Coming Soon & Maintenance Mode by Colorlib WordPress plugin before 1.0.99 does not sanitize and escape some settings, allowing high privilege users such as admin to perform Stored Cross-Site Scripting when unfiltered_html is disallowed (for example in multisite setup)

3.5
2022-06-20 CVE-2017-20059 Elefantcms Cross-site Scripting vulnerability in Elefantcms Elefant CMS 1.3.12

A vulnerability, which was classified as problematic, has been found in Elefant CMS 1.3.12-RC.

3.5
2022-06-20 CVE-2017-20060 Elefantcms Cross-site Scripting vulnerability in Elefantcms Elefant CMS 1.3.12

A vulnerability, which was classified as problematic, was found in Elefant CMS 1.3.12-RC.

3.5
2022-06-20 CVE-2017-20061 Elefantcms Cross-site Scripting vulnerability in Elefantcms Elefant CMS 1.3.12

A vulnerability has been found in Elefant CMS 1.3.12-RC and classified as problematic.

3.5
2022-06-24 CVE-2022-2121 Offis NULL Pointer Dereference vulnerability in Offis Dcmtk

OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition.

3.3
2022-06-20 CVE-2022-21742 Realtek Classic Buffer Overflow vulnerability in Realtek products

Realtek USB driver has a buffer overflow vulnerability due to insufficient parameter length verification in the API function.

3.3
2022-06-25 CVE-2022-31017 Zulip Always-Incorrect Control Flow Implementation vulnerability in Zulip

Zulip is an open-source team collaboration tool.

2.1
2022-06-24 CVE-2021-20551 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Jazz Team Server

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 allows web pages to be stored locally which can be read by another user on the system.

2.1
2022-06-24 CVE-2022-33953 IBM Insufficiently Protected Credentials vulnerability in IBM products

IBM Robotic Process Automation 21.0.1 and 21.0.2 could allow a user with psychical access to the system to obtain sensitive information due to insufficiently protected access tokens.

2.1
2022-06-24 CVE-2022-1740 Dominionvoting Mutable Attestation or Measurement Reporting Data vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The tested version of Dominion Voting Systems ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms.

2.1
2022-06-24 CVE-2022-1747 Dominionvoting Origin Validation Error vulnerability in Dominionvoting Imagecast X 5.5.10.30/5.5.10.32

The authentication mechanism used by voters to activate a voting session on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery.

2.1
2022-06-24 CVE-2021-41639 Melag Cleartext Storage of Sensitive Information vulnerability in Melag FTP Server 2.2.0.4

MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file.

2.1
2022-06-22 CVE-2022-20651 Cisco Information Exposure Through Log Files vulnerability in Cisco Adaptive Security Device Manager

A vulnerability in the logging component of Cisco Adaptive Security Device Manager (ASDM) could allow an authenticated, local attacker to view sensitive information in clear text on an affected system.

2.1
2022-06-20 CVE-2022-22414 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Robotic Process Automation

IBM Robotic Process Automation 21.0.2 could allow a local user to obtain sensitive web service configuration credentials from system memory.

2.1