Weekly Vulnerabilities Reports > June 27 to July 3, 2022

Overview

429 new vulnerabilities reported during this period, including 56 critical vulnerabilities and 156 high severity vulnerabilities. This weekly summary report vulnerabilities in 327 products from 199 vendors including Jenkins, Fedoraproject, Debian, Gitlab, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Insufficiently Protected Credentials", and "Missing Authorization".

  • 368 reported vulnerabilities are remotely exploitables.
  • 20 reported vulnerabilities have public exploit available.
  • 124 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 262 reported vulnerabilities are exploitable by an anonymous user.
  • Jenkins has the most reported vulnerabilities, with 42 reported vulnerabilities.
  • Robustel has the most reported critical vulnerabilities, with 10 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

56 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-02 CVE-2022-34913 Md2Roff Project Out-of-bounds Write vulnerability in Md2Roff Project Md2Roff 1.7

md2roff 1.7 has a stack-based buffer overflow via a Markdown file containing a large number of consecutive characters to be processed.

9.8
2022-07-01 CVE-2022-32324 Pdfalto Project Out-of-bounds Write vulnerability in Pdfalto Project Pdfalto 0.4

PDFAlto v0.4 was discovered to contain a heap buffer overflow via the component /pdfalto/src/pdfalto.cc.

9.8
2022-07-01 CVE-2022-31943 Mingsoft Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 5.2.8

MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability.

9.8
2022-07-01 CVE-2022-32093 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at adminlogin.php.

9.8
2022-07-01 CVE-2022-32094 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at doctorlogin.php.

9.8
2022-07-01 CVE-2022-32095 Hospital Management System Project SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at orders.php.

9.8
2022-07-01 CVE-2022-25898 Jsrsasign Project Improper Verification of Cryptographic Signature vulnerability in Jsrsasign Project Jsrsasign

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.

9.8
2022-07-01 CVE-2022-25900 GIT Clone Project Argument Injection or Modification vulnerability in Git-Clone Project Git-Clone

All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.

9.8
2022-07-01 CVE-2022-32032 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the deviceList parameter in the function formAddMacfilterRule.

9.8
2022-07-01 CVE-2022-2274 Openssl
Netapp
Out-of-bounds Write vulnerability in multiple products

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions.

9.8
2022-07-01 CVE-2021-32428 Viaviweb SQL Injection vulnerability in Viaviweb Ebook 10

SQL Injection vulnerability in viaviwebtech Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) 10 via the author_id parameter to api.php.

9.8
2022-07-01 CVE-2022-32295 Amperecomputing Unspecified vulnerability in Amperecomputing Ampere Altra Firmware and Ampere Altra MAX Firmware

On Ampere Altra and AltraMax devices before SRP 1.09, the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.

9.8
2022-06-30 CVE-2014-0156 Manageiq OS Command Injection vulnerability in Manageiq Awesomespawn

Awesome spawn contains OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments.

9.8
2022-06-30 CVE-2022-2197 Exemys Unspecified vulnerability in Exemys Rme1 Firmware 2.1.6

By using a specific credential string, an attacker with network access to the device’s web interface could circumvent the authentication scheme and perform administrative operations.

9.8
2022-06-30 CVE-2022-32585 Robustel Unspecified vulnerability in Robustel R1510 Firmware 3.3.0

A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33312 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33313 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33314 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33325 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33326 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33327 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33328 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2022-33329 Robustel OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0.

9.8
2022-06-30 CVE-2013-4144 Swfupload Project Injection vulnerability in Swfupload Project Swfupload 3.5.2

There is an object injection vulnerability in swfupload plugin for wordpress.

9.8
2022-06-30 CVE-2022-22487 IBM Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Spectrum Protect Server

An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID.

9.8
2022-06-30 CVE-2021-37778 GPS SDR SIM Project Classic Buffer Overflow vulnerability in Gps-Sdr-Sim Project Gps-Sdr-Sim 1.0

There is a buffer overflow in gps-sdr-sim v1.0 when parsing long command line parameters, which can lead to DoS or code execution.

9.8
2022-06-30 CVE-2021-41506 Xiongmaitech Improper Authentication vulnerability in Xiongmaitech products

Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R11.Nat.20170301, V4.02.R12.Nat.OnvifS.20170727 is affected by a backdoor in the macGuarder and dvrHelper binaries of DVR/NVR/IP camera firmware due to static root account credentials in the system.

9.8
2022-06-30 CVE-2021-40663 Deep Assign Project Unspecified vulnerability in Deep.Assign Project Deep.Assign 0.0.0

deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

9.8
2022-06-30 CVE-2021-40643 Eyesofnetwork Unspecified vulnerability in Eyesofnetwork

EyesOfNetwork before 07-07-2021 has a Remote Code Execution vulnerability on the mail options configuration page.

9.8
2022-06-30 CVE-2017-20125 Bestsoftinc SQL Injection vulnerability in Bestsoftinc Online Hotel Booking System 1.2

A vulnerability classified as critical was found in Online Hotel Booking System Pro 1.2.

9.8
2022-06-30 CVE-2022-34835 Denx Out-of-bounds Write vulnerability in Denx U-Boot

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.

9.8
2022-06-29 CVE-2021-40597 Edimax Use of Hard-coded Credentials vulnerability in Edimax Ic-3140W Firmware 3.11

The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with Administrator username and password.

9.8
2022-06-29 CVE-2022-33107 Thinkphp Deserialization of Untrusted Data vulnerability in Thinkphp 6.0.12

ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php.

9.8
2022-06-29 CVE-2017-20111 Calabrio Unspecified vulnerability in Calabrio Teleopti Workforce Management 7.1.0

A vulnerability, which was classified as critical, was found in Teleopti WFM 7.1.0.

9.8
2022-06-29 CVE-2022-32532 Apache Incorrect Authorization vulnerability in Apache Shiro

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers.

9.8
2022-06-28 CVE-2020-19896 1234N Unspecified vulnerability in 1234N Minicms 1.9

File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitary PHP code via post-edit.php.

9.8
2022-06-28 CVE-2022-31887 Marvalglobal Insufficiently Protected Credentials vulnerability in Marvalglobal Marval MSM 14.19.0.12476

Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization, this means that the user can also escalate achieve Privilege Escalation by changing the administrator password.

9.8
2022-06-28 CVE-2022-31885 Marvalglobal OS Command Injection vulnerability in Marvalglobal Marval MSM 14.19.0.12476

Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts.

9.8
2022-06-28 CVE-2022-31230 Dell Use of a Broken or Risky Cryptographic Algorithm vulnerability in Dell Powerscale Onefs 9.0.0.0/9.1.0.0

Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain broken or risky cryptographic algorithm.

9.8
2022-06-28 CVE-2022-31056 Glpi Project Unspecified vulnerability in Glpi-Project Glpi 10.0.0/10.0.1

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.

9.8
2022-06-28 CVE-2022-31061 Glpi Project Unspecified vulnerability in Glpi-Project Glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.

9.8
2022-06-28 CVE-2022-31106 Clever Unspecified vulnerability in Clever Underscore.Deep

Underscore.deep is a collection of Underscore mixins that operate on nested objects.

9.8
2022-06-28 CVE-2022-34132 Jorani SQL Injection vulnerability in Jorani 1.0.0

Benjamin BALET Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php.

9.8
2022-06-27 CVE-2022-32994 Halo Unrestricted Upload of File with Dangerous Type vulnerability in Halo 1.5.3

Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.

9.8
2022-06-27 CVE-2022-32995 Halo Server-Side Request Forgery (SSRF) vulnerability in Halo 1.5.3

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function.

9.8
2022-06-27 CVE-2022-32092 Dlink OS Command Injection vulnerability in Dlink Dir-645 Firmware 1.03

D-Link DIR-645 v1.03 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter at __ajax_explorer.sgi.

9.8
2022-06-27 CVE-2022-31082 Glpi Project SQL Injection vulnerability in Glpi-Project Glpi Inventory 1.0.0/1.0.1

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.

9.8
2022-06-27 CVE-2017-20099 Analytics Stats Counter Statistics Project Code Injection vulnerability in Analytics Stats Counter Statistics Project Analytics Stats Counter Statistics 1.2.2.5

A vulnerability was found in Analytics Stats Counter Statistics Plugin 1.2.2.5 and classified as critical.

9.8
2022-06-27 CVE-2022-28171 Hikvision Command Injection vulnerability in Hikvision products

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability.

9.8
2022-06-27 CVE-2022-2216 Parse URL Project Unspecified vulnerability in Parse-Url Project Parse-Url

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

9.8
2022-06-27 CVE-2022-1574 Html2Wp Project Missing Authorization vulnerability in Html2Wp Project Html2Wp

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

9.8
2022-07-01 CVE-2022-2253 Webhmi Unspecified vulnerability in Webhmi Firmware

A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 may send OS commands to execute on the host server.

9.1
2022-06-30 CVE-2013-4561 Redhat Exposure of Resource to Wrong Sphere vulnerability in Redhat Openshift

In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file.

9.1
2022-06-30 CVE-2022-28127 Robustel Path Traversal vulnerability in Robustel R1510 Firmware 3.3.0

A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0.

9.1
2022-06-27 CVE-2022-1953 Product Configurator FOR Woocommerce Project Unspecified vulnerability in Product Configurator for Woocommerce Project Product Configurator for Woocommerce

The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts user input that is being used in a path and passed to unlink() without validation first

9.1
2022-06-27 CVE-2022-2140 Smartics Cross-site Scripting vulnerability in Smartics 2.3.4.0

Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters.

9.0

156 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-01 CVE-2022-32384 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44

Tenda AC23 v16.03.07.44 was discovered to contain a stack overflow via the security_5g parameter in the function formWifiBasicSet.

8.8
2022-07-01 CVE-2022-32420 College Management System Project Unspecified vulnerability in College Management System Project College Management System 1.0

College Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /College/admin/teacher.php.

8.8
2022-07-01 CVE-2022-2185 Gitlab OS Command Injection vulnerability in Gitlab

A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.

8.8
2022-06-30 CVE-2022-31115 Amazon Unspecified vulnerability in Amazon Opensearch 1.0.0/2.0.0/2.0.1

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby.

8.8
2022-06-30 CVE-2022-34793 Jenkins XXE vulnerability in Jenkins Recipe 1.0/1.1/1.2

Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

8.8
2022-06-30 CVE-2022-22472 IBM Improper Preservation of Permissions vulnerability in IBM Spectrum Protect Plus Container Backup and Restore 10.1.10.2/10.1.5/10.1.7

IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat OpenShift) could allow a remote attacker to bypass IBM Spectrum Protect Plus role based access control restrictions, caused by improper disclosure of session information.

8.8
2022-06-30 CVE-2017-20124 Bestsoftinc SQL Injection vulnerability in Bestsoftinc Online Hotel Booking System 1.0

A vulnerability classified as critical has been found in Online Hotel Booking System Pro Plugin 1.0.

8.8
2022-06-29 CVE-2017-20120 Trueconf Cross-Site Request Forgery (CSRF) vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability classified as problematic was found in TrueConf Server 4.3.7.

8.8
2022-06-28 CVE-2022-31883 Marvalglobal Authorization Bypass Through User-Controlled Key vulnerability in Marvalglobal Marval MSM 14.19.0.12476

Marval MSM v14.19.0.12476 is has an Insecure Direct Object Reference (IDOR) vulnerability.

8.8
2022-06-28 CVE-2021-40553 Piwigo Code Injection vulnerability in Piwigo 11.5.0

piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.

8.8
2022-06-28 CVE-2022-23763 Douzone Origin Validation Error vulnerability in Douzone Neors

Origin validation error vulnerability in NeoRS’s ActiveX moudle allows attackers to download and execute arbitrary files.

8.8
2022-06-28 CVE-2022-30707 Yokogawa Unspecified vulnerability in Yokogawa products

Violation of secure design principles exists in the communication of CAMS for HIS.

8.8
2022-06-28 CVE-2022-34134 Jorani Cross-Site Request Forgery (CSRF) vulnerability in Jorani 1.0.0

Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php.

8.8
2022-06-27 CVE-2022-31101 Prestashop Unspecified vulnerability in Prestashop Blockwishlist 2.0.0/2.0.1/2.1.0

prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists.

8.8
2022-06-27 CVE-2017-20103 WP Kama SQL Injection vulnerability in Wp-Kama Kama Click Counter

A vulnerability classified as critical has been found in Kama Click Counter Plugin up to 3.4.8.

8.8
2022-06-27 CVE-2022-33007 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-751Dr Firmware and Tew-752Dru Firmware

TRENDnet Wi-Fi routers TEW751DR v1.03 and TEW-752DRU v1.03 were discovered to contain a stack overflow via the function genacgi_main.

8.8
2022-06-27 CVE-2022-31086 Ldap Account Manager
Debian
Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g.

8.8
2022-06-27 CVE-2022-2212 Library Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Library Management System Project Library Management System 1.0

A vulnerability was found in SourceCodester Library Management System 1.0.

8.8
2022-06-27 CVE-2022-2214 Library Management System Project Unspecified vulnerability in Library Management System Project Library Management System 1.0

A vulnerability was found in SourceCodester Library Management System 1.0.

8.8
2022-07-02 CVE-2022-28200 Nvidia Out-of-bounds Write vulnerability in Nvidia DGX A100 Firmware

NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure.

8.2
2022-06-30 CVE-2022-23720 Pingidentity Improper Privilege Management vulnerability in Pingidentity Pingid Integration for Windows Login

PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file.

8.2
2022-06-30 CVE-2022-31112 Parseplatform Improper Cross-boundary Removal of Sensitive Data vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

8.2
2022-06-30 CVE-2022-23718 Pingidentity Unspecified vulnerability in Pingidentity Pingid Integration for Windows Login

PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution.

8.1
2022-06-30 CVE-2021-38941 IBM Unspecified vulnerability in IBM Cloud PAK for Multicloud Management Monitoring 2.0.0/2.3.0

IBM CloudPak for Multicloud Monitoring 2.0 and 2.3 has a few containers running in privileged mode which is vulnerable to host information leakage or destruction if unauthorized access to these containers could execute arbitrary commands.

8.1
2022-06-28 CVE-2017-20105 Simplessus Path Traversal vulnerability in Simplessus 3.7.7

A vulnerability was found in Simplessus 3.7.7.

8.1
2022-06-27 CVE-2022-31092 Pimcore Unspecified vulnerability in Pimcore

Pimcore is an Open Source Data & Experience Management Platform.

8.1
2022-06-27 CVE-2022-31084 Ldap Account Manager
Debian
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g.
8.1
2022-06-27 CVE-2022-31034 Argoproj Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Argoproj Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

8.1
2022-06-27 CVE-2022-1572 Html2Wp Project Missing Authorization vulnerability in Html2Wp Project Html2Wp

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action, available to any authenticated users such as subscriber, which could allow them to delete arbitrary file

8.1
2022-06-27 CVE-2022-1903 Armemberplugin Unspecified vulnerability in Armemberplugin Armember

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username

8.1
2022-06-27 CVE-2022-33202 Softcreate Improper Authentication vulnerability in Softcreate L2Blocker 4.8.5

Authentication bypass vulnerability in the setup screen of L2Blocker(on-premise) Ver4.8.5 and earlier and L2Blocker(Cloud) Ver4.8.5 and earlier allows an adjacent attacker to perform an unauthorized login and obtain the stored information or cause a malfunction of the device by using alternative paths or channels for Sensor.

8.1
2022-06-30 CVE-2022-34792 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Recipe 1.0/1.1/1.2

A cross-site request forgery (CSRF) vulnerability in Jenkins Recipe Plugin 1.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML.

8.0
2022-07-03 CVE-2022-2289 VIM
Fedoraproject
Use After Free in GitHub repository vim/vim prior to 9.0.
7.8
2022-07-03 CVE-2022-2288 VIM
Fedoraproject
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
7.8
2022-07-02 CVE-2022-2286 VIM
Fedoraproject
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
7.8
2022-07-02 CVE-2022-2285 VIM
Fedoraproject
Debian
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
7.8
2022-07-02 CVE-2022-2284 VIM
Fedoraproject
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
7.8
2022-07-01 CVE-2022-33103 Denx Out-of-bounds Write vulnerability in Denx U-Boot

Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir().

7.8
2022-07-01 CVE-2022-2264 VIM
Fedoraproject
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
7.8
2022-06-30 CVE-2022-2257 VIM
Fedoraproject
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
7.8
2022-06-30 CVE-2017-20121 Teradici Improper Privilege Management vulnerability in Teradici Pcoip Management Console 2.2.0

A vulnerability was found in Teradici Management Console 2.2.0.

7.8
2022-06-30 CVE-2017-20123 Sparklabs Uncontrolled Search Path Element vulnerability in Sparklabs Viscosity 1.6.7

A vulnerability was found in Viscosity 1.6.7.

7.8
2022-06-29 CVE-2022-33035 Netsarang Uncontrolled Search Path Element vulnerability in Netsarang Xlpd 7.0.0094

XLPD v7.0.0094 and below contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges.

7.8
2022-06-29 CVE-2022-33036 Embarcadero Uncontrolled Search Path Element vulnerability in Embarcadero Dev-C++ 6.3

A binary hijack in Embarcadero Dev-CPP v6.3 allows attackers to execute arbitrary code via a crafted .exe file.

7.8
2022-06-29 CVE-2022-33037 Orwell DEV CPP Project Uncontrolled Search Path Element vulnerability in Orwell-Dev-Cpp Project Orwell-Dev-Cpp 5.11

A binary hijack in Orwell-Dev-Cpp v5.11 allows attackers to execute arbitrary code via a crafted .exe file.

7.8
2022-06-29 CVE-2017-20112 Ivpn Unspecified vulnerability in Ivpn 2.6.6120.33863

A vulnerability has been found in IVPN Client 2.6.6120.33863 and classified as critical.

7.8
2022-06-28 CVE-2021-3434 Zephyrproject Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.5.0/2.5.1

Stack based buffer overflow in le_ecred_conn_req().

7.8
2022-06-28 CVE-2022-2145 Cloudflare Link Following vulnerability in Cloudflare Warp

Cloudflare WARP client for Windows (up to v.

7.8
2022-06-28 CVE-2022-33108 Xpdfreader Out-of-bounds Write vulnerability in Xpdfreader Xpdf 4.04

XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.

7.8
2022-06-28 CVE-2017-20107 Shadeyouvpn COM Project Improper Privilege Management vulnerability in Shadeyouvpn.Com Project Shadeyouvpn.Com 2.0.1.11

A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11.

7.8
2022-06-27 CVE-2022-31087 Ldap Account Manager
Debian
Incorrect Authorization vulnerability in multiple products

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g.

7.8
2022-06-27 CVE-2022-2210 VIM
Fedoraproject
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
7.8
2022-06-27 CVE-2022-2207 VIM
Fedoraproject
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
7.8
2022-06-27 CVE-2022-31090 Guzzlephp
Debian
Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products

Guzzle, an extensible PHP HTTP client.

7.7
2022-06-27 CVE-2022-31091 Guzzlephp
Debian
Guzzle, an extensible PHP HTTP client.
7.7
2022-07-02 CVE-2022-32551 Zohocorp Path Traversal vulnerability in Zohocorp Manageengine Servicedesk Plus MSP 10.5/10.6

Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).

7.5
2022-07-01 CVE-2022-25758 Scss Tokenizer Project Unspecified vulnerability in Scss-Tokenizer Project Scss-Tokenizer

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

7.5
2022-07-01 CVE-2022-32081 Mariadb
Fedoraproject
Use After Free vulnerability in multiple products

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

7.5
2022-07-01 CVE-2022-32082 Mariadb
Fedoraproject
Reachable Assertion vulnerability in multiple products

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.

7.5
2022-07-01 CVE-2022-32083 Mariadb
Debian
MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.
7.5
2022-07-01 CVE-2022-32084 Mariadb
Debian
Fedoraproject
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.
7.5
2022-07-01 CVE-2022-32085 Mariadb
Debian
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.
7.5
2022-07-01 CVE-2022-32086 Mariadb Unspecified vulnerability in Mariadb

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.

7.5
2022-07-01 CVE-2022-32087 Mariadb
Debian
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.
7.5
2022-07-01 CVE-2022-32088 Mariadb
Debian
MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.
7.5
2022-07-01 CVE-2022-32089 Mariadb
Fedoraproject
MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.
7.5
2022-07-01 CVE-2022-32091 Mariadb
Debian
Fedoraproject
Use After Free vulnerability in multiple products

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

7.5
2022-07-01 CVE-2022-32030 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function formSetQosBand.

7.5
2022-07-01 CVE-2022-32031 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function fromSetRouteStatic.

7.5
2022-07-01 CVE-2022-32033 Tenda Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the function formSetVirtualSer.

7.5
2022-07-01 CVE-2022-32034 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the items parameter in the function formdelMasteraclist.

7.5
2022-07-01 CVE-2022-32035 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formMasterMng.

7.5
2022-07-01 CVE-2022-32036 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain multiple stack overflow vulnerabilities via the ssidList, storeName, and trademark parameters in the function formSetStoreWeb.

7.5
2022-07-01 CVE-2022-32037 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAPCfg.

7.5
2022-07-01 CVE-2022-32039 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the listN parameter in the function fromDhcpListClient.

7.5
2022-07-01 CVE-2022-32040 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetCfm.

7.5
2022-07-01 CVE-2022-32041 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formGetPassengerAnalyseData.

7.5
2022-07-01 CVE-2022-32043 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAccessCodeInfo.

7.5
2022-07-01 CVE-2022-32044 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the password parameter in the function FUN_00413f80.

7.5
2022-07-01 CVE-2022-32045 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_00413be4.

7.5
2022-07-01 CVE-2022-32046 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_0041880c.

7.5
2022-07-01 CVE-2022-32047 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_00412ef4.

7.5
2022-07-01 CVE-2022-32048 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the command parameter in the function FUN_0041cc88.

7.5
2022-07-01 CVE-2022-32049 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the url parameter in the function FUN_00418540.

7.5
2022-07-01 CVE-2022-32050 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041af40.

7.5
2022-07-01 CVE-2022-32051 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc, week, sTime, eTime parameters in the function FUN_004133c4.

7.5
2022-07-01 CVE-2022-32052 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_004137a4.

7.5
2022-07-01 CVE-2022-32053 Totolink Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015

TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041621c.

7.5
2022-07-01 CVE-2022-2229 Gitlab Unspecified vulnerability in Gitlab

An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of.

7.5
2022-07-01 CVE-2014-3648 Redhat Resource Exhaustion vulnerability in Redhat Jboss Aerogear 1.0.0

The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken.

7.5
2022-07-01 CVE-2022-33099 LUA
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.

7.5
2022-06-30 CVE-2022-33087 TP Link Out-of-bounds Write vulnerability in Tp-Link Archer A5 Firmware and Archer C50 Firmware

A stack overflow in the function DM_ In fillobjbystr() of TP-Link Archer C50&A5(US)_V5_200407 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

7.5
2022-06-30 CVE-2022-33082 Openpolicyagent Unspecified vulnerability in Openpolicyagent Open Policy Agent

An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.

7.5
2022-06-30 CVE-2021-41995 Pingidentity Improper Authentication vulnerability in Pingidentity Pingid Integration for mac Login

A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.

7.5
2022-06-30 CVE-2022-22474 IBM Unspecified vulnerability in IBM Spectrum Protect Client

IBM Spectrum Protect 8.1.0.0 through 8.1.14.0 dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets.

7.5
2022-06-29 CVE-2022-31110 Rsshub Unspecified vulnerability in Rsshub 20210125

RSSHub is an open source, extensible RSS feed generator.

7.5
2022-06-29 CVE-2022-33021 Openhwgroup Out-of-bounds Read vulnerability in Openhwgroup Cva6

CVA6 commit 909d85a accesses invalid memory when reading the value of MHPMCOUNTER30.

7.5
2022-06-29 CVE-2022-33023 Openhwgroup Incorrect Default Permissions vulnerability in Openhwgroup Cva6

CVA6 commit 909d85a gives incorrect permission to use special multiplication units when the format of instructions is wrong.

7.5
2022-06-29 CVE-2017-20110 Calabrio Unspecified vulnerability in Calabrio Teleopti Workforce Management 7.1.0

A vulnerability, which was classified as problematic, has been found in Teleopti WFM up to 7.1.0.

7.5
2022-06-28 CVE-2021-3430 Zephyrproject Reachable Assertion vulnerability in Zephyrproject Zephyr

Assertion reachable with repeated LL_CONNECTION_PARAM_REQ.

7.5
2022-06-28 CVE-2021-3431 Zephyrproject Reachable Assertion vulnerability in Zephyrproject Zephyr 2.5.0/2.5.1

Assertion reachable with repeated LL_FEATURE_REQ.

7.5
2022-06-28 CVE-2021-3432 Zephyrproject Divide By Zero vulnerability in Zephyrproject Zephyr

Invalid interval in CONNECT_IND leads to Division by Zero.

7.5
2022-06-28 CVE-2022-28621 HPE Unspecified vulnerability in HPE Nonstop Distributed Systems Management / Software Configuration Manager T6031H03^Adp

A remote disclosure of sensitive information vulnerability was discovered in HPE NonStop DSM/SCM version: T6031H03^ADP.

7.5
2022-06-28 CVE-2021-41460 Shopex SQL Injection vulnerability in Shopex Ecshop 4.1.0

ECShop 4.1.0 has SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information.

7.5
2022-06-28 CVE-2021-41687 Offis Memory Leak vulnerability in Offis Dcmtk

DCMTK through 3.6.6 does not handle memory free properly.

7.5
2022-06-28 CVE-2021-41688 Offis Double Free vulnerability in Offis Dcmtk

DCMTK through 3.6.6 does not handle memory free properly.

7.5
2022-06-28 CVE-2021-41689 Offis NULL Pointer Dereference vulnerability in Offis Dcmtk

DCMTK through 3.6.6 does not handle string copy properly.

7.5
2022-06-28 CVE-2021-41690 Offis Memory Leak vulnerability in Offis Dcmtk

DCMTK through 3.6.6 does not handle memory free properly.

7.5
2022-06-28 CVE-2022-29519 Yokogawa Cleartext Transmission of Sensitive Information vulnerability in Yokogawa Stardom FCJ Firmware and Stardom FCN Firmware

Cleartext transmission of sensitive information vulnerability exists in STARDOM FCN Controller and FCJ Controller R1.01 to R4.31, which may allow an adjacent attacker to login the affected products and alter device configuration settings or tamper with device firmware.

7.5
2022-06-28 CVE-2022-34750 Mediawiki Allocation of Resources Without Limits or Throttling vulnerability in Mediawiki

An issue was discovered in MediaWiki through 1.38.1.

7.5
2022-06-28 CVE-2017-20104 Simplessus SQL Injection vulnerability in Simplessus 3.7.7

A vulnerability was found in Simplessus 3.7.7.

7.5
2022-06-27 CVE-2022-31103 Lettersanitizer Project Unspecified vulnerability in Lettersanitizer Project Lettersanitizer 1.0.0/1.0.1

lettersanitizer is a DOM-based HTML email sanitizer for in-browser email rendering.

7.5
2022-06-27 CVE-2022-31093 Nextauth JS Unspecified vulnerability in Nextauth.Js Next-Auth

NextAuth.js is a complete open source authentication solution for Next.js applications.

7.5
2022-06-27 CVE-2022-31098 Weave Unspecified vulnerability in Weave Gitops

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise.

7.5
2022-06-27 CVE-2022-31089 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

7.5
2022-06-27 CVE-2022-28622 HPE Use of a Broken or Risky Cryptographic Algorithm vulnerability in HPE Storeonce 3640 Firmware 4.2.3/4.3.0

A potential security vulnerability has been identified in HPE StoreOnce Software.

7.5
2022-06-27 CVE-2021-40941 Axiosys Allocation of Resources Without Limits or Throttling vulnerability in Axiosys Bento4 1.6.0638

In Bento4 1.6.0-638, there is an allocator is out of memory in the function AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity in Ap4Array.h:172, as demonstrated by GPAC.

7.5
2022-06-27 CVE-2022-26477 Apache Resource Exhaustion vulnerability in Apache Systemds

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion.

7.5
2022-06-27 CVE-2022-28166 Broadcom Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.2.0.0

In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 & 18082.

7.5
2022-06-27 CVE-2022-28168 Broadcom Insecure Storage of Sensitive Information vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.2.0.0

In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords.

7.5
2022-06-27 CVE-2021-33647 Mindspore Out-of-bounds Write vulnerability in Mindspore

When performing the inference shape operation of the Tile operator, if the input data type is not int or int32, it will access data outside of bounds of heap allocated buffers.

7.5
2022-06-27 CVE-2021-33648 Mindspore Out-of-bounds Read vulnerability in Mindspore

When performing the inference shape operation of Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup, and Gather operators, if the input shape size is 0, it will access data outside of bounds of shape which allocated from heap buffers.

7.5
2022-06-27 CVE-2021-33649 Mindspore Out-of-bounds Read vulnerability in Mindspore

When performing the inference shape operation of the Transpose operator, if the value in the perm element is greater than or equal to the size of the input_shape, it will access data outside of bounds of input_shape which allocated from heap buffers.

7.5
2022-06-27 CVE-2021-33650 Mindspore Out-of-bounds Read vulnerability in Mindspore 1.2.0/1.2.1

When performing the inference shape operation of the SparseToDense operator, if the number of inputs is less than three, it will access data outside of bounds of inputs which allocated from heap buffers.

7.5
2022-06-27 CVE-2021-33651 Mindspore Divide By Zero vulnerability in Mindspore

When performing the analytical operation of the DepthwiseConv2D operator, if the attribute depth_multiplier is 0, it will cause a division by 0 exception.

7.5
2022-06-27 CVE-2021-33652 Mindspore Divide By Zero vulnerability in Mindspore

When the Reduce operator run operation is executed, if there is a value of 0 in the parameter axis_sizes element, it will cause a division by 0 exception.

7.5
2022-06-27 CVE-2021-33653 Mindspore Divide By Zero vulnerability in Mindspore

When performing the derivation shape operation of the SpaceToBatch operator, if there is a value of 0 in the parameter block_shape element, it will cause a division by 0 exception.

7.5
2022-06-27 CVE-2021-33654 Mindspore Divide By Zero vulnerability in Mindspore

When performing the initialization operation of the Split operator, if a dimension in the input shape is 0, it will cause a division by 0 exception.

7.5
2022-06-27 CVE-2021-40900 Regexfn Project Unspecified vulnerability in Regexfn Project Regexfn 1.0.5

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in regexfn v1.0.5 when validating crafted invalid emails.

7.5
2022-06-27 CVE-2021-40901 Scniro Validator Project Unspecified vulnerability in Scniro-Validator Project Scniro-Validator 1.0.1

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scniro-validator v1.0.1 when validating crafted invalid emails.

7.5
2022-06-27 CVE-2021-40898 Scaffold Helper Project Unspecified vulnerability in Scaffold-Helper Project Scaffold-Helper 1.2.0

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scaffold-helper v1.2.0 when copying crafted invalid files.

7.5
2022-06-27 CVE-2021-40899 Repo GIT Downloader Project Unspecified vulnerability in Repo-Git-Downloader Project Repo-Git-Downloader 0.1.1

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in repo-git-downloader v0.1.1 when downloading crafted invalid git repositories.

7.5
2022-06-27 CVE-2022-0722 Parse URL Project Unspecified vulnerability in Parse-Url Project Parse-Url

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.

7.5
2022-06-27 CVE-2021-40895 Todo Regex Project Unspecified vulnerability in Todo-Regex Project Todo-Regex 0.1.1

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in todo-regex v0.1.1 when matching crafted invalid TODO statements.

7.5
2022-06-27 CVE-2021-40896 That Value Project Unspecified vulnerability in That-Value Project That-Value 0.1.3

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in that-value v0.1.3 when validating crafted invalid emails.

7.5
2022-06-27 CVE-2021-40897 Split Html TO Chars Project Unspecified vulnerability in Split-Html-To-Chars Project Split-Html-To-Chars 1.0.5

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in split-html-to-chars v1.0.5 when splitting crafted invalid htmls.

7.5
2022-06-28 CVE-2022-30560 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

When an attacker obtaining the administrative account and password, or through a man-in-the-middle attack, the attacker could send a specified crafted packet to the vulnerable interface then lead the device to crash.

7.4
2022-06-28 CVE-2022-30563 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

When an attacker uses a man-in-the-middle attack to sniff the request packets with success logging in through ONVIF, he can log in to the device by replaying the user's login packet.

7.4
2022-06-29 CVE-2022-34043 Nomachine Incorrect Permission Assignment for Critical Resource vulnerability in Nomachine 7.9.2

Incorrect permissions for the folder C:\ProgramData\NoMachine\var\uninstall of Nomachine v7.9.2 allows attackers to perform a DLL hijacking attack and execute arbitrary code.

7.3
2022-06-28 CVE-2022-0624 Parse Path Project Unspecified vulnerability in Parse-Path Project Parse-Path

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

7.3
2022-07-01 CVE-2022-32411 Hongcms Project Unspecified vulnerability in Hongcms Project Hongcms 3.0.0

An issue in the languages config file of HongCMS v3.0 allows attackers to getshell.

7.2
2022-07-01 CVE-2022-32412 Hongcms Project Unspecified vulnerability in Hongcms Project Hongcms 3.0.0

An issue in the /template/edit component of HongCMS v3.0 allows attackers to getshell.

7.2
2022-06-30 CVE-2022-33085 Ecisp Unspecified vulnerability in Ecisp Espcms-P8

ESPCMS P8 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the fetch_filename function at \espcms_public\espcms_templates\ESPCMS_Templates.

7.2
2022-06-30 CVE-2021-37770 Nucleuscms Unrestricted Upload of File with Dangerous Type vulnerability in Nucleuscms Nucleus CMS 3.71

Nucleus CMS v3.71 is affected by a file upload vulnerability.

7.2
2022-06-29 CVE-2022-2073 Getgrav Code Injection vulnerability in Getgrav Grav

Code Injection in GitHub repository getgrav/grav prior to 1.7.34.

7.2
2022-06-29 CVE-2022-33057 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_reservation.

7.2
2022-06-29 CVE-2022-33058 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_message.

7.2
2022-06-29 CVE-2022-33059 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_train.

7.2
2022-06-29 CVE-2022-33060 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_schedule.

7.2
2022-06-29 CVE-2022-33061 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service.

7.2
2022-06-29 CVE-2022-31058 Enalean Unspecified vulnerability in Enalean Tuleap

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration.

7.2
2022-06-29 CVE-2022-33042 Online Railway Reservation System Project SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/inquiries/view_details.php.

7.2
2022-06-28 CVE-2022-30997 Yokogawa Use of Hard-coded Credentials vulnerability in Yokogawa Stardom FCJ Firmware and Stardom FCN Firmware

Use of hard-coded credentials vulnerability exists in STARDOM FCN Controller and FCJ Controller R4.10 to R4.31, which may allow an attacker with an administrative privilege to read/change configuration settings or update the controller with tampered firmware.

7.2
2022-06-27 CVE-2022-1977 Smackcoders Server-Side Request Forgery (SSRF) vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV

The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks

7.2
2022-07-02 CVE-2022-2287 VIM
Fedoraproject
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
7.1
2022-07-01 CVE-2022-27904 Automox Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Automox

Automox Agent for macOS before version 39 was vulnerable to a time-of-check/time-of-use (TOCTOU) race-condition attack during the agent install process.

7.0

211 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-06-29 CVE-2022-30467 Joyebike Authentication Bypass by Capture-replay vulnerability in Joyebike Wolf 2022 Firmware

Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.

6.8
2022-07-01 CVE-2022-32325 Jpegoptim Project
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

JPEGOPTIM v1.4.7 was discovered to contain a segmentation violation which is caused by a READ memory access at jpegoptim.c.

6.5
2022-07-01 CVE-2022-34903 Gnupg
Fedoraproject
Debian
Netapp
Injection vulnerability in multiple products

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

6.5
2022-07-01 CVE-2022-2228 Gitlab Unspecified vulnerability in Gitlab

Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range

6.5
2022-06-30 CVE-2022-34780 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xebialabs XL Release

A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-06-30 CVE-2022-34781 Jenkins Missing Authorization vulnerability in Jenkins Xebialabs XL Release

Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-06-30 CVE-2022-34789 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Matrix Reloaded

A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds.

6.5
2022-06-30 CVE-2022-34794 Jenkins Missing Authorization vulnerability in Jenkins Recipe 1.0/1.1/1.2

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

6.5
2022-06-30 CVE-2022-34805 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Skype Notifier 1.0/1.0.1/1.1.0

Jenkins Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

6.5
2022-06-30 CVE-2022-34806 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Jigomerge

Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

6.5
2022-06-30 CVE-2022-34807 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Elasticsearch Query 1.1/1.2

Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

6.5
2022-06-30 CVE-2022-34809 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins RQM

Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

6.5
2022-06-30 CVE-2022-34810 Jenkins Missing Authorization vulnerability in Jenkins RQM

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

6.5
2022-06-30 CVE-2022-34816 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins HPE Network Virtualization 1.0

Jenkins HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

6.5
2022-06-30 CVE-2022-22496 IBM Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Spectrum Protect Server

While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL.

6.5
2022-06-30 CVE-2022-2056 Libtiff
Netapp
Fedoraproject
Debian
Divide By Zero vulnerability in multiple products

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file.

6.5
2022-06-30 CVE-2022-2057 Libtiff
Netapp
Fedoraproject
Debian
Divide By Zero vulnerability in multiple products

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file.

6.5
2022-06-30 CVE-2022-2058 Libtiff
Netapp
Fedoraproject
Debian
Divide By Zero vulnerability in multiple products

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file.

6.5
2022-06-30 CVE-2022-26135 Atlassian Server-Side Request Forgery (SSRF) vulnerability in Atlassian products

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint.

6.5
2022-06-29 CVE-2017-20109 Calabrio Cleartext Transmission of Sensitive Information vulnerability in Calabrio Teleopti Workforce Management 7.1.0

A vulnerability classified as problematic was found in Teleopti WFM up to 7.1.0.

6.5
2022-06-29 CVE-2022-29269 Nagios Cross-site Scripting vulnerability in Nagios XI

In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address.

6.5
2022-06-29 CVE-2022-29271 Nagios Incorrect Authorization vulnerability in Nagios XI

In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services.

6.5
2022-06-28 CVE-2021-41559 Silverstripe XML Entity Expansion vulnerability in Silverstripe

Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.

6.5
2022-06-28 CVE-2022-24444 Silverstripe Session Fixation vulnerability in Silverstripe

Silverstripe silverstripe/framework through 4.10 allows Session Fixation.

6.5
2022-06-28 CVE-2022-31884 Marvalglobal Unspecified vulnerability in Marvalglobal Marval MSM 14.19.0.12476

Marval MSM v14.19.0.12476 has an Improper Access Control vulnerability which allows a low privilege user to delete other users API Keys including high privilege and the Administrator users API Keys.

6.5
2022-06-28 CVE-2022-31886 Marvalglobal Cross-Site Request Forgery (CSRF) vulnerability in Marvalglobal Marval MSM 14.19.0.12476

Marval MSM v14.19.0.12476 is vulnerable to Cross Site Request Forgery (CSRF).

6.5
2022-06-28 CVE-2021-3779 Ruby Mysql Project Externally Controlled Reference to a Resource in Another Sphere vulnerability in Ruby-Mysql Project Ruby-Mysql

A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user.

6.5
2022-06-28 CVE-2022-31052 Matrix
Fedoraproject
Synapse is an open source home server implementation for the Matrix chat network.
6.5
2022-06-27 CVE-2022-31099 Pomsky Lang Unspecified vulnerability in Pomsky-Lang Pomsky

rulex is a new, portable, regular expression language.

6.5
2022-06-27 CVE-2022-31100 Pomsky Lang Unspecified vulnerability in Pomsky-Lang Pomsky

rulex is a new, portable, regular expression language.

6.5
2022-06-27 CVE-2022-31081 Http
Debian
HTTP::Daemon is a simple http server class written in perl.
6.5
2022-06-27 CVE-2022-33116 Openeclass Path Traversal vulnerability in Openeclass

An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal.

6.5
2022-06-27 CVE-2022-2221 Devolutions Insufficiently Protected Credentials vulnerability in Devolutions Remote Desktop Manager

Information Exposure vulnerability in My Account Settings of Devolutions Remote Desktop Manager before 2022.1.8 allows authenticated users to access credentials of other users.

6.5
2022-06-27 CVE-2022-28167 Broadcom Insufficiently Protected Credentials vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.2.0.0

Brocade SANnav before Brocade SANvav v.

6.5
2022-06-27 CVE-2022-1843 Mailpress Project Unspecified vulnerability in Mailpress Project Mailpress

The MailPress WordPress plugin through 7.2.1 does not have CSRF checks in various places, which could allow attackers to make a logged in admin change the settings, purge log files and more via CSRF attacks

6.5
2022-06-30 CVE-2022-23719 Pingidentity Missing Authentication for Critical Function vulnerability in Pingidentity Pingid Integration for Windows Login

PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests.

6.4
2022-07-03 CVE-2022-2290 Trilium Project Cross-site Scripting vulnerability in Trilium Project Trilium

Cross-site Scripting (XSS) - Reflected in GitHub repository zadam/trilium prior to 0.52.4, 0.53.1-beta.

6.1
2022-07-02 CVE-2022-34911 Mediawiki
Fedoraproject
Cross-site Scripting vulnerability in multiple products

An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1.

6.1
2022-07-02 CVE-2022-34912 Mediawiki
Fedoraproject
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1.
6.1
2022-07-01 CVE-2021-37524 Fusionpbx Cross-site Scripting vulnerability in Fusionpbx

Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php.

6.1
2022-07-01 CVE-2022-0167 Gitlab Cross-site Scripting vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2.

6.1
2022-07-01 CVE-2022-31113 Thinkst Unspecified vulnerability in Thinkst Canarytokens 20190301

Canarytokens is an open source tool which helps track activity and actions on your network.

6.1
2022-07-01 CVE-2022-2250 Gitlab Open Redirect vulnerability in Gitlab

An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL.

6.1
2022-06-30 CVE-2013-4170 Emberjs Cross-site Scripting vulnerability in Emberjs Ember.Js

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML.

6.1
2022-06-29 CVE-2017-20119 Trueconf Open Redirect vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability classified as problematic has been found in TrueConf Server 4.3.7.

6.1
2022-06-29 CVE-2021-39074 IBM Cross-site Scripting vulnerability in IBM Security Guardium 11.4

IBM Security Guardium 11.4 is vulnerable to cross-site scripting.

6.1
2022-06-29 CVE-2022-2252 Microweber Unspecified vulnerability in Microweber

Open Redirect in GitHub repository microweber/microweber prior to 1.2.19.

6.1
2022-06-29 CVE-2020-26877 Apifest Open Redirect vulnerability in Apifest Oauth 2.0 Server 0.3.1

ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack.

6.1
2022-06-29 CVE-2022-29272 Nagios Open Redirect vulnerability in Nagios XI

In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing.

6.1
2022-06-29 CVE-2022-31897 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul ZOO Management System 1.0

SourceCodester Zoo Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via public_html/register_visitor?msg=.

6.1
2022-06-28 CVE-2020-19897 Wuzhicms Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 4.1.0

A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter.

6.1
2022-06-28 CVE-2022-31108 Mermaid Project Cross-site Scripting vulnerability in Mermaid Project Mermaid

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams.

6.1
2022-06-28 CVE-2022-34133 Jorani Cross-site Scripting vulnerability in Jorani 1.0.0

Benjamin BALET Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php.

6.1
2022-06-27 CVE-2022-31085 Ldap Account Manager
Debian
Insufficiently Protected Credentials vulnerability in multiple products

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g.

6.1
2022-06-27 CVE-2022-31094 Scratchstatus Unspecified vulnerability in Scratchstatus Scratchtools 2.4.0/2.5.0/2.5.1

ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier.

6.1
2022-06-27 CVE-2022-33005 Deltaww Cross-site Scripting vulnerability in Deltaww Diaenergie 1.08.00

A cross-site scripting (XSS) vulnerability in the System Settings/IOT Settings module of Delta Electronics DIAEnergie v1.08.00 allows attackers to execute arbitrary web scripts via a crafted payload injected into the Name text field.

6.1
2022-06-27 CVE-2022-31065 Bigbluebutton Unspecified vulnerability in Bigbluebutton

BigBlueButton is an open source web conferencing system.

6.1
2022-06-27 CVE-2022-28172 Hikvision Cross-site Scripting vulnerability in Hikvision products

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability.

6.1
2022-06-27 CVE-2020-21161 Ruckuswireless Cross-site Scripting vulnerability in Ruckuswireless Zonedirector Firmware 9.8.3.0

Cross Site Scripting (XSS) vulnerability in Ruckus Wireless ZoneDirector 9.8.3.0.

6.1
2022-06-27 CVE-2017-20100 AIR Transfer Project Cross-site Scripting vulnerability in AIR Transfer Project AIR Transfer 1.0.14/1.2.1

A vulnerability was found in Air Transfer 1.0.14/1.2.1.

6.1
2022-06-27 CVE-2022-2218 Parse URL Project Unspecified vulnerability in Parse-Url Project Parse-Url

Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.

6.1
2022-06-27 CVE-2022-2217 Parse URL Project Unspecified vulnerability in Parse-Url Project Parse-Url

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.

6.1
2022-06-27 CVE-2022-1470 Ultimate Woocommerce CSV Importer Project Unspecified vulnerability in Ultimate Woocommerce CSV Importer Project Ultimate Woocommerce CSV Importer

The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting

6.1
2022-06-27 CVE-2022-1593 Site Offline OR Coming Soon Project Cross-site Scripting vulnerability in Site Offline or Coming Soon Project Site Offline or Coming Soon

The Site Offline or Coming Soon WordPress plugin through 1.6.6 does not have CSRF check in place when updating its settings, and it also lacking sanitisation as well as escaping in some of them.

6.1
2022-06-27 CVE-2022-1904 Fatcatapps Unspecified vulnerability in Fatcatapps Easy Pricing Tables

The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape parameter before outputting it back in a page available to any user (both authenticated and unauthenticated) when a specific setting is enabled, leading to a Reflected Cross-Site Scripting

6.1
2022-06-27 CVE-2022-1916 Pluginus Unspecified vulnerability in Pluginus Woot

The Active Products Tables for WooCommerce.

6.1
2022-06-27 CVE-2022-33146 Web2Py Open Redirect vulnerability in Web2Py

Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.

6.1
2022-06-29 CVE-2022-32969 Metamask Improper Preservation of Permissions vulnerability in Metamask

MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in order to support the Restore Session feature, aka the Demonic issue.

5.9
2022-06-28 CVE-2022-30561 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

When an attacker uses a man-in-the-middle attack to sniff the request packets with success logging in, the attacker could log in to the device by replaying the user's login packet.

5.9
2022-06-27 CVE-2022-31096 Discourse Improper Preservation of Permissions vulnerability in Discourse

Discourse is an open source discussion platform.

5.7
2022-06-27 CVE-2022-31077 Linuxfoundation Unspecified vulnerability in Linuxfoundation Kubeedge

KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge.

5.7
2022-06-27 CVE-2022-31076 Linuxfoundation Unspecified vulnerability in Linuxfoundation Kubeedge

KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge.

5.7
2022-06-27 CVE-2017-20101 Projectsend Authorization Bypass Through User-Controlled Key vulnerability in Projectsend R754

A vulnerability, which was classified as problematic, was found in ProjectSend r754.

5.7
2022-06-28 CVE-2022-31104 Bytecodealliance Unspecified vulnerability in Bytecodealliance Cranelift-Codegen and Wasmtime

Wasmtime is a standalone runtime for WebAssembly.

5.6
2022-07-01 CVE-2022-25876 Link Preview JS Project Server-Side Request Forgery (SSRF) vulnerability in Link-Preview-Js Project Link-Preview-Js

The package link-preview-js before 2.1.16 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response.

5.5
2022-07-01 CVE-2022-22367 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 could disclose sensitive database information to a local user in plain text.

5.5
2022-07-01 CVE-2022-2279 Libmobi Project Unspecified vulnerability in Libmobi Project Libmobi

NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11.

5.5
2022-06-30 CVE-2014-0068 Redhat Incorrect Permission Assignment for Critical Resource vulnerability in Redhat Openshift-Origin-Node-Util

It was reported that watchman in openshift node-utils creates /var/run/watchman.pid and /var/log/watchman.ouput with world writable permission.

5.5
2022-06-30 CVE-2022-23717 Pingidentity Improper Resource Shutdown or Release vulnerability in Pingidentity Pingid Integration for Windows Login

PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication.

5.5
2022-06-30 CVE-2022-23725 Pingidentity Incorrect Permission Assignment for Critical Resource vulnerability in Pingidentity Pingid Integration for Windows Login

PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.

5.5
2022-06-30 CVE-2022-22478 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Spectrum Protect Client

IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user.

5.5
2022-06-30 CVE-2022-1852 Linux
Redhat
NULL Pointer Dereference vulnerability in multiple products

A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c.

5.5
2022-06-30 CVE-2022-2078 Linux
Redhat
Debian
A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.
5.5
2022-06-28 CVE-2022-2231 VIM
Fedoraproject
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
5.5
2022-06-28 CVE-2021-40606 Gpac Out-of-bounds Read vulnerability in Gpac

The gf_bs_write_data function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

5.5
2022-06-28 CVE-2021-40607 Gpac Allocation of Resources Without Limits or Throttling vulnerability in Gpac

The schm_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

5.5
2022-06-28 CVE-2021-40608 Gpac Use of Uninitialized Resource vulnerability in Gpac

The gf_hinter_track_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

5.5
2022-06-28 CVE-2021-40609 Gpac Allocation of Resources Without Limits or Throttling vulnerability in Gpac

The GetHintFormat function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

5.5
2022-06-28 CVE-2021-40943 Axiosys NULL Pointer Dereference vulnerability in Axiosys Bento4 1.6.0638

In Bento4 1.6.0-638, there is a null pointer reference in the function AP4_DescriptorListInspector::Action function in Ap4Descriptor.h:124 , as demonstrated by GPAC.

5.5
2022-06-28 CVE-2021-40944 Gpac NULL Pointer Dereference vulnerability in Gpac 1.1.0

In GPAC MP4Box 1.1.0, there is a Null pointer reference in the function gf_filter_pid_get_packet function in src/filter_core/filter_pid.c:5394, as demonstrated by GPAC.

5.5
2022-06-27 CVE-2021-40942 Gpac Out-of-bounds Write vulnerability in Gpac 1.1.0

In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the function filter_parse_dyn_args function in filter_core/filter.c:1454, as demonstrated by GPAC.

5.5
2022-06-27 CVE-2017-20102 Album Lock Project Path Traversal vulnerability in Album Lock Project Album Lock 4.0

A vulnerability was found in Album Lock 4.0 and classified as critical.

5.5
2022-06-27 CVE-2022-2208 VIM
Fedoraproject
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
5.5
2022-07-01 CVE-2022-22373 IBM Unspecified vulnerability in IBM Infosphere Information Server 11.7

An improper validation vulnerability in IBM InfoSphere Information Server 11.7 Pack for SAP Apps and BW Packs may lead to creation of directories and files on the server file system that may contain non-sensitive debugging information like stack traces.

5.4
2022-07-01 CVE-2022-2235 Gitlab Cross-site Scripting vulnerability in Gitlab

Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link

5.4
2022-07-01 CVE-2014-3650 Redhat Cross-site Scripting vulnerability in Redhat Jboss Aerogear 1.0.0

Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content.

5.4
2022-07-01 CVE-2022-2280 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

5.4
2022-07-01 CVE-2022-32988 Asus Cross-site Scripting vulnerability in Asus Dsl-N14U-B1 Firmware 1.1.2.3805

Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g.

5.4
2022-06-30 CVE-2022-34777 Jenkins Cross-site Scripting vulnerability in Jenkins Gitlab

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-06-30 CVE-2022-34778 Jenkins Cross-site Scripting vulnerability in Jenkins Testng Results

Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.

5.4
2022-06-30 CVE-2022-34783 Jenkins Cross-site Scripting vulnerability in Jenkins Plot

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-06-30 CVE-2022-34784 Jenkins Cross-site Scripting vulnerability in Jenkins Build-Metrics 1.3

Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.

5.4
2022-06-30 CVE-2022-34786 Jenkins Cross-site Scripting vulnerability in Jenkins Rich Text Publisher

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

5.4
2022-06-30 CVE-2022-34787 Jenkins Cross-site Scripting vulnerability in Jenkins Project Inheritance

Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.

5.4
2022-06-30 CVE-2022-34788 Jenkins Cross-site Scripting vulnerability in Jenkins Matrix Reloaded

Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

5.4
2022-06-30 CVE-2022-34790 Jenkins Cross-site Scripting vulnerability in Jenkins Extreme Feedback Panel

Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-06-30 CVE-2022-34791 Jenkins Cross-site Scripting vulnerability in Jenkins Validating Email Parameter 1.10/1.8

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-06-30 CVE-2022-34795 Jenkins Cross-site Scripting vulnerability in Jenkins Deployment Dashboard

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

5.4
2022-06-30 CVE-2022-33043 Urtracker Cross-site Scripting vulnerability in Urtracker 4.0.1.1477

A cross-site scripting (XSS) vulnerability in the batch add function of Urtracker Premium v4.0.1.1477 allows attackers to execute arbitrary web scripts or HTML via a crafted excel file.

5.4
2022-06-30 CVE-2017-20122 Bitrix24 Cross-site Scripting vulnerability in Bitrix24 Bitrix Site Manager 12.06.2015

A vulnerability classified as problematic was found in Bitrix Site Manager 12.06.2015.

5.4
2022-06-29 CVE-2022-31063 Enalean Unspecified vulnerability in Enalean Tuleap

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration.

5.4
2022-06-29 CVE-2017-20113 Trueconf Cross-site Scripting vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability, which was classified as problematic, was found in TrueConf Server 4.3.7.

5.4
2022-06-29 CVE-2017-20114 Trueconf Cross-site Scripting vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability has been found in TrueConf Server 4.3.7 and classified as problematic.

5.4
2022-06-29 CVE-2017-20115 Trueconf Cross-site Scripting vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability was found in TrueConf Server 4.3.7 and classified as problematic.

5.4
2022-06-29 CVE-2017-20116 Trueconf Cross-site Scripting vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability was found in TrueConf Server 4.3.7.

5.4
2022-06-29 CVE-2017-20117 Trueconf Cross-site Scripting vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability was found in TrueConf Server 4.3.7.

5.4
2022-06-29 CVE-2017-20118 Trueconf Cross-site Scripting vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255

A vulnerability was found in TrueConf Server 4.3.7.

5.4
2022-06-29 CVE-2017-20108 Easy Table Project Cross-site Scripting vulnerability in Easy Table Project Easy Table

A vulnerability classified as problematic has been found in Easy Table Plugin 1.6.

5.4
2022-06-29 CVE-2022-28803 Silverstripe Cross-site Scripting vulnerability in Silverstripe

In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR).

5.4
2022-06-28 CVE-2022-25238 Silverstripe Cross-site Scripting vulnerability in Silverstripe Framework

Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.

5.4
2022-06-28 CVE-2022-23896 Admidio Cross-site Scripting vulnerability in Admidio

Admidio 4.1.2 version is affected by stored cross-site scripting (XSS).

5.4
2022-06-27 CVE-2022-31057 Shopware Unspecified vulnerability in Shopware

Shopware is an open source e-commerce software made in Germany.

5.4
2022-06-27 CVE-2022-31064 Bigbluebutton Unspecified vulnerability in Bigbluebutton

BigBlueButton is an open source web conferencing system.

5.4
2022-06-27 CVE-2022-31035 Argoproj Unspecified vulnerability in Argoproj Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

5.4
2022-06-27 CVE-2022-1776 Icegram Unspecified vulnerability in Icegram Popups, Welcome Bar, Optins and Lead Generation Plugin

The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

5.4
2022-06-27 CVE-2022-1964 Easy SVG Support Project Unspecified vulnerability in Easy SVG Support Project Easy SVG Support

The Easy SVG Support WordPress plugin before 3.3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads

5.4
2022-06-27 CVE-2022-2040 Brizy Unspecified vulnerability in Brizy Brizy-Page Builder

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

5.4
2022-06-27 CVE-2022-2041 Brizy Cross-site Scripting vulnerability in Brizy Brizy-Page Builder

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

5.4
2022-06-27 CVE-2022-2213 Library Management System Project Cross-site Scripting vulnerability in Library Management System Project Library Management System 1.0

A vulnerability was found in SourceCodester Library Management System 1.0.

5.4
2022-07-01 CVE-2022-1954 Gitlab Unspecified vulnerability in Gitlab

A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers

5.3
2022-07-01 CVE-2022-1963 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1.

5.3
2022-07-01 CVE-2022-1999 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1.

5.3
2022-07-01 CVE-2022-2270 Gitlab Incorrect Default Permissions vulnerability in Gitlab

An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1.

5.3
2022-07-01 CVE-2022-2281 Gitlab Unspecified vulnerability in Gitlab

An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases.

5.3
2022-07-01 CVE-2022-34894 Jetbrains Unspecified vulnerability in Jetbrains HUB

In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services

5.3
2022-06-30 CVE-2022-22494 IBM Unspecified vulnerability in IBM Spectrum Protect Operations Center

IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14 could allow a remote attacker to gain details of the database, such as type and version, by sending a specially-crafted HTTP request.

5.3
2022-06-28 CVE-2022-31068 Glpi Project Unspecified vulnerability in Glpi-Project Glpi 10.0.0/10.0.1

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.

5.3
2022-06-28 CVE-2022-0085 Dompdf Project Unspecified vulnerability in Dompdf Project Dompdf

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

5.3
2022-06-27 CVE-2022-31088 Ldap Account Manager
Debian
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g.
5.3
2022-06-27 CVE-2022-31039 Bigbluebutton Incorrect Authorization vulnerability in Bigbluebutton Greenlight

Greenlight is a simple front-end interface for your BigBlueButton server.

5.3
2022-06-27 CVE-2020-9754 Navercorp Unspecified vulnerability in Navercorp Whale

NAVER Whale browser mobile app before 1.10.6.2 allows the attacker to bypass its browser unlock function via incognito mode.

5.3
2022-06-30 CVE-2021-37791 Myadmin Project Unspecified vulnerability in Myadmin Project Myadmin 1.0

MyAdmin v1.0 is affected by an incorrect access control vulnerability in viewing personal center in /api/user/userData?userCode=admin.

4.9
2022-06-28 CVE-2022-31229 Dell Information Exposure Through an Error Message vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS, 8.2.x through 9.3.0.x, contain an error message with sensitive information.

4.9
2022-06-27 CVE-2022-2088 Smartics Unspecified vulnerability in Smartics 2.3.4.0

An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0.

4.9
2022-07-01 CVE-2022-25896 Passport Project Session Fixation vulnerability in Passport Project Passport

This affects the package passport before 0.6.0.

4.8
2022-07-01 CVE-2022-2230 Gitlab Cross-site Scripting vulnerability in Gitlab

A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf.

4.8
2022-07-01 CVE-2022-2254 Webhmi Unspecified vulnerability in Webhmi Firmware

A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 can store a script that could impact other logged in users.

4.8
2022-06-27 CVE-2022-33009 Lightcms Project Cross-site Scripting vulnerability in Lightcms Project Lightcms 1.3.11

A stored cross-site scripting (XSS) vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file.

4.8
2022-06-27 CVE-2017-20098 Weblizar Cross-site Scripting vulnerability in Weblizar Admin Custom Login 2.4.5.2

A vulnerability was found in Admin Custom Login Plugin 2.4.5.2.

4.8
2022-06-27 CVE-2022-1010 Miniorange Unspecified vulnerability in Miniorange Login Using Wordpress Users

The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-06-27 CVE-2022-1028 Miniorange Cross-site Scripting vulnerability in Miniorange Wordpress Security

The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)

4.8
2022-06-27 CVE-2022-1029 Miniorange Unspecified vulnerability in Miniorange Limit Login Attempts

The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)

4.8
2022-06-27 CVE-2022-1095 Mihdan Unspecified vulnerability in Mihdan: NO External Links Project Mihdan: NO External Links

The Mihdan: No External Links WordPress plugin before 5.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-06-27 CVE-2022-1113 Floristone Unspecified vulnerability in Floristone Flower Delivery

The Flower Delivery by Florist One WordPress plugin through 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setups)

4.8
2022-06-27 CVE-2022-1321 Miniorange Unspecified vulnerability in Miniorange Google Authenticator

The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)

4.8
2022-06-27 CVE-2022-1326 Form Contact Form Project Unspecified vulnerability in Form - Contact Form Project Form - Contact Form

The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2022-06-27 CVE-2022-1327 Rich WEB Unspecified vulnerability in Rich-Web Image Gallery

The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2022-06-27 CVE-2022-1971 Wpgetready Unspecified vulnerability in Wpgetready Nextcellent Gallery

The NextCellent Gallery WordPress plugin through 1.9.35 does not sanitise and escape some of its image settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-06-27 CVE-2022-1990 Kylephillips Unspecified vulnerability in Kylephillips Nested Pages

The Nested Pages WordPress plugin before 3.1.21 does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html is disallowed

4.8
2022-06-27 CVE-2022-1994 Miniorange Unspecified vulnerability in Miniorange Login With OTP Over Sms, Email, Whatsapp and Google Authenticator

The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

4.8
2022-06-27 CVE-2022-1995 Miniorange Unspecified vulnerability in Miniorange Malware Scanner

The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)

4.8
2022-06-28 CVE-2022-30562 Dahuasecurity Open Redirect vulnerability in Dahuasecurity products

If the user enables the https function on the device, an attacker can modify the user’s request data packet through a man-in-the-middle attack ,Injection of a malicious URL in the Host: header of the HTTP Request results in a 302 redirect to an attacker-controlled page.

4.7
2022-06-30 CVE-2022-1955 Opft Improper Authentication vulnerability in Opft Session 1.13.0

Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data.

4.6
2022-07-01 CVE-2022-22366 IBM Cleartext Storage of Sensitive Information vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 stores user credentials in plain clear text which can be read by a local user.

4.4
2022-06-28 CVE-2017-20106 Khoros Server-Side Request Forgery (SSRF) vulnerability in Khoros Lithium Forum 2017

A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1.

4.4
2022-07-01 CVE-2022-1983 Gitlab Incorrect Authorization vulnerability in Gitlab

Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured.

4.3
2022-07-01 CVE-2022-2227 Gitlab Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab

Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions

4.3
2022-07-01 CVE-2022-2243 Gitlab Authorization Bypass Through User-Controlled Key vulnerability in Gitlab

An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects.

4.3
2022-07-01 CVE-2022-2244 Gitlab Unspecified vulnerability in Gitlab

An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project memebers with reporter role to manage issues in project's error tracking feature.

4.3
2022-06-30 CVE-2022-34779 Jenkins Missing Authorization vulnerability in Jenkins Xebialabs XL Release

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.3
2022-06-30 CVE-2022-34782 Jenkins Incorrect Authorization vulnerability in Jenkins Requests

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

4.3
2022-06-30 CVE-2022-34785 Jenkins Incorrect Authorization vulnerability in Jenkins Build-Metrics

Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them.

4.3
2022-06-30 CVE-2022-34796 Jenkins Missing Authorization vulnerability in Jenkins Deployment Dashboard

A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.3
2022-06-30 CVE-2022-34797 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Deployment Dashboard

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.

4.3
2022-06-30 CVE-2022-34798 Jenkins Missing Authorization vulnerability in Jenkins Deployment Dashboard

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.

4.3
2022-06-30 CVE-2022-34799 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Deployment Dashboard

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

4.3
2022-06-30 CVE-2022-34800 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Build Notifications 1.4.2/1.4.3/1.5.0

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

4.3
2022-06-30 CVE-2022-34801 Jenkins Cleartext Transmission of Sensitive Information vulnerability in Jenkins Build Notifications 1.4.2/1.4.3/1.5.0

Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

4.3
2022-06-30 CVE-2022-34802 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Rocketchat Notifier

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

4.3
2022-06-30 CVE-2022-34803 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Opsgenie

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

4.3
2022-06-30 CVE-2022-34804 Jenkins Cleartext Transmission of Sensitive Information vulnerability in Jenkins Opsgenie

Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure.

4.3
2022-06-30 CVE-2022-34808 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Cisco Spark

Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

4.3
2022-06-30 CVE-2022-34811 Jenkins Missing Authorization vulnerability in Jenkins Xpath Configuration Viewer

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to access the XPath Configuration Viewer page.

4.3
2022-06-30 CVE-2022-34812 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xpath Configuration Viewer

A cross-site request forgery (CSRF) vulnerability in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers to create and delete XPath expressions.

4.3
2022-06-30 CVE-2022-34813 Jenkins Missing Authorization vulnerability in Jenkins Xpath Configuration Viewer

A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions.

4.3
2022-06-30 CVE-2022-34814 Jenkins Incorrect Authorization vulnerability in Jenkins Request Rename or Delete

Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests.

4.3
2022-06-30 CVE-2022-34815 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Request Rename or Delete

A cross-site request forgery (CSRF) vulnerability in Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier allows attackers to accept pending requests, thereby renaming or deleting jobs.

4.3
2022-06-30 CVE-2022-34817 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Failed JOB Deactivator

A cross-site request forgery (CSRF) vulnerability in Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier allows attackers to disable jobs.

4.3
2022-06-30 CVE-2022-34818 Jenkins Missing Authorization vulnerability in Jenkins Failed JOB Deactivator

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

4.3
2022-06-30 CVE-2021-38954 IBM Unspecified vulnerability in IBM Sterling B2B Integrator

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could disclose sensitive version information that could aid in future attacks against the system.

4.3
2022-06-29 CVE-2022-31032 Enalean Unspecified vulnerability in Enalean Tuleap

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration.

4.3
2022-06-29 CVE-2021-40642 Textpattern Missing Encryption of Sensitive Data vulnerability in Textpattern

Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php.

4.3
2022-06-29 CVE-2022-29270 Nagios Missing Authentication for Critical Function vulnerability in Nagios XI

In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address.

4.3
2022-06-29 CVE-2022-31266 Ilias Missing Authentication for Critical Function vulnerability in Ilias

In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts.

4.3
2022-06-28 CVE-2022-29858 Silverstripe Improper Authentication vulnerability in Silverstripe Assets

Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content.

4.3
2022-06-27 CVE-2022-31036 Argoproj Link Following vulnerability in Argoproj Argo CD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

4.3
2022-06-27 CVE-2022-0444 Watchful Missing Authorization vulnerability in Watchful Xcloner

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

4.3
2022-06-27 CVE-2022-0875 Miniorange Unspecified vulnerability in Miniorange Google Authenticator

The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks

4.3
2022-06-27 CVE-2022-1573 Html2Wp Project Unspecified vulnerability in Html2Wp Project Html2Wp

The HTML2WP WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them

4.3
2022-06-27 CVE-2022-1625 Wpexperts Cross-Site Request Forgery (CSRF) vulnerability in Wpexperts NEW User Approve

The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites.

4.3
2022-06-27 CVE-2022-1627 Zatzlabs Unspecified vulnerability in Zatzlabs MY Private Site

The My Private Site WordPress plugin before 3.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2022-06-27 CVE-2022-1653 Supsystic Unspecified vulnerability in Supsystic Social Share Buttons

The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks.

4.3
2022-06-27 CVE-2022-1842 Openbook Book Data Project Cross-Site Request Forgery (CSRF) vulnerability in Openbook Book Data Project Openbook Book Data

The OpenBook Book Data WordPress plugin through 3.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well

4.3
2022-06-27 CVE-2022-1844 WP Sentry Project Unspecified vulnerability in Wp-Sentry Project Wp-Sentry

The WP Sentry WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well

4.3
2022-06-27 CVE-2022-1845 WP Post Styling Project Unspecified vulnerability in WP Post Styling Project WP Post Styling

The WP Post Styling WordPress plugin before 1.3.1 does not have CSRF checks in various actions, which could allow attackers to make a logged in admin delete plugin's data, update the settings, add new entries and more via CSRF attacks

4.3
2022-06-27 CVE-2022-1846 Tiny Contact Form Project Unspecified vulnerability in Tiny Contact Form Project Tiny Contact Form

The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2022-06-27 CVE-2022-1847 Rotating Posts Project Unspecified vulnerability in Rotating Posts Project Rotating Posts

The Rotating Posts WordPress plugin through 1.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2022-06-27 CVE-2022-1885 Cimy Header Image Rotator Project Unspecified vulnerability in Cimy Header Image Rotator Project Cimy Header Image Rotator

The Cimy Header Image Rotator WordPress plugin through 6.1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2022-06-27 CVE-2022-1913 ADD Post URL Project Unspecified vulnerability in ADD Post URL Project ADD Post URL

The Add Post URL WordPress plugin through 2.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

4.3
2022-06-27 CVE-2022-1914 Clean Contact Project Unspecified vulnerability in Clean-Contact Project Clean-Contact

The Clean-Contact WordPress plugin through 1.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well

4.3
2022-06-27 CVE-2022-1960 Mycss Project Unspecified vulnerability in Mycss Project Mycss

The MyCSS WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-06-28 CVE-2021-3433 Zephyrproject Unspecified vulnerability in Zephyrproject Zephyr 2.5.0/2.5.1

Invalid channel map in CONNECT_IND results to Deadlock.

3.3
2022-06-28 CVE-2021-3435 Zephyrproject Use of Uninitialized Resource vulnerability in Zephyrproject Zephyr 2.4.0/2.5.0/2.5.1

Information leakage in le_ecred_conn_req().

3.3
2022-06-28 CVE-2022-0987 Packagekit Project
Redhat
A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files.
3.3
2022-06-27 CVE-2022-33879 Apache Unspecified vulnerability in Apache Tika

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler.

3.3
2022-07-01 CVE-2022-1981 Gitlab Incorrect Authorization vulnerability in Gitlab

An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1.

2.7
2022-06-27 CVE-2022-2106 Smartics Path Traversal vulnerability in Smartics 2.3.4.0

Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files.

2.7