Weekly Vulnerabilities Reports > June 27 to July 3, 2022
Overview
434 new vulnerabilities were reported during this period, including 20 critical vulnerabilities and 125 high severity vulnerabilities. This weekly summary reports vulnerabilities in 329 products from 200 vendors including Jenkins, Fedoraproject, Debian, Gitlab, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", "SQL Injection", and "Insufficiently Protected Credentials".
- 378 reported vulnerabilities are remotely exploitable.
- 10 reported vulnerabilities have a public exploit available.
- 165 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 286 reported vulnerabilities are exploitable by an anonymous user.
- Jenkins has the most reported vulnerabilities, with 42 reported vulnerabilities.
- Dlink has the most reported critical vulnerabilities, with 1 reported vulnerability.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
20 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-07-01 | CVE-2022-32032 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the deviceList parameter in the function formAddMacfilterRule. | 10.0 |
2022-06-30 | CVE-2022-2197 | Exemys | Improper Authentication vulnerability in Exemys Rme1 Firmware By using a specific credential string, an attacker with network access to the device’s web interface could circumvent the authentication scheme and perform administrative operations. | 10.0 |
2022-06-30 | CVE-2021-40643 | Eyesofnetwork | Unspecified vulnerability in Eyesofnetwork EyesOfNetwork before 07-07-2021 has a Remote Code Execution vulnerability on the mail options configuration page. | 10.0 |
2022-06-29 | CVE-2021-40597 | Edimax | Use of Hard-coded Credentials vulnerability in Edimax Ic-3140W Firmware 3.11 The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with Administrator username and password. | 10.0 |
2022-06-28 | CVE-2022-31230 | Dell | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain broken or risky cryptographic algorithm. | 10.0 |
2022-07-02 | CVE-2022-34913 | Md2Roff Project | Out-of-bounds Write vulnerability in Md2Roff Project Md2Roff 1.7 md2roff 1.7 has a stack-based buffer overflow via a Markdown file containing a large number of consecutive characters to be processed. | 9.8 |
2022-07-01 | CVE-2022-25900 | GIT Clone Project | Argument Injection or Modification vulnerability in Git-Clone Project Git-Clone All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git. | 9.8 |
2022-07-01 | CVE-2022-2274 | Openssl Netapp | Out-of-bounds Write vulnerability in multiple products The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. | 9.8 |
2022-07-01 | CVE-2022-32295 | Amperecomputing | Unspecified vulnerability in Amperecomputing Ampere Altra Firmware and Ampere Altra MAX Firmware On Ampere Altra and AltraMax devices before SRP 1.09, the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component. | 9.8 |
2022-06-30 | CVE-2022-22487 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Spectrum Protect Server An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. | 9.8 |
2022-06-30 | CVE-2021-41506 | Xiongmaitech | Improper Authentication vulnerability in Xiongmaitech products Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R11.Nat.20170301, V4.02.R12.Nat.OnvifS.20170727 is affected by a backdoor in the macGuarder and dvrHelper binaries of DVR/NVR/IP camera firmware due to static root account credentials in the system. | 9.8 |
2022-06-30 | CVE-2022-34835 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function. | 9.8 |
2022-06-29 | CVE-2022-31266 | Ilias | Improper Validation of Integrity Check Value vulnerability in Ilias In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts. | 9.8 |
2022-06-28 | CVE-2022-34132 | Jorani | SQL Injection vulnerability in Jorani 1.0.0 Benjamin BALET Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php. | 9.8 |
2022-06-27 | CVE-2022-32092 | Dlink | OS Command Injection vulnerability in Dlink Dir-645 Firmware 1.03 D-Link DIR-645 v1.03 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter at __ajax_explorer.sgi. | 9.8 |
2022-06-27 | CVE-2022-28171 | Hikvision | Command Injection vulnerability in Hikvision products The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. | 9.8 |
2022-06-27 | CVE-2022-1574 | Html2Wp Project | Missing Authorization vulnerability in Html2Wp Project Html2Wp The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server | 9.8 |
2022-06-30 | CVE-2022-23718 | Pingidentity | Unspecified vulnerability in Pingidentity Pingid Integration for Windows Login PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. | 9.3 |
2022-06-30 | CVE-2022-28127 | Robustel | Path Traversal vulnerability in Robustel R1510 Firmware 3.3.0 A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. | 9.1 |
2022-07-01 | CVE-2022-2253 | Webhmi | OS Command Injection vulnerability in Webhmi Firmware A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 may send OS commands to execute on the host server. | 9.0 |
125 High Severity Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-07-01 | CVE-2022-2185 | Gitlab | OS Command Injection vulnerability in Gitlab A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution. | 8.8 |
2022-06-30 | CVE-2022-34793 | Jenkins | XXE vulnerability in Jenkins Recipe 1.0/1.1/1.2 Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 8.8 |
2022-06-28 | CVE-2021-40553 | Piwigo | Code Injection vulnerability in Piwigo 11.5.0 piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor. | 8.8 |
2022-06-28 | CVE-2022-30707 | Yokogawa | Unspecified vulnerability in Yokogawa products Violation of secure design principles exists in the communication of CAMS for HIS. | 8.8 |
2022-06-28 | CVE-2022-34134 | Jorani | Cross-Site Request Forgery (CSRF) vulnerability in Jorani 1.0.0 Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php. | 8.8 |
2022-06-27 | CVE-2022-31101 | Prestashop | SQL Injection vulnerability in Prestashop Blockwishlist 2.0.0/2.0.1/2.1.0 prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. | 8.8 |
2022-06-27 | CVE-2022-2214 | Library Management System Project | SQL Injection vulnerability in Library Management System Project Library Management System 1.0 A vulnerability was found in SourceCodester Library Management System 1.0. | 8.8 |
2022-06-29 | CVE-2022-30192 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 8.3 |
2022-06-29 | CVE-2022-33638 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 8.3 |
2022-06-29 | CVE-2022-33639 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 8.3 |
2022-06-30 | CVE-2022-31112 | Parseplatform | Improper Cross-boundary Removal of Sensitive Data vulnerability in Parseplatform Parse-Server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. | 8.2 |
2022-06-27 | CVE-2022-31084 | Ldap Account Manager Debian | Argument Injection or Modification vulnerability in multiple products LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. | 8.1 |
2022-06-27 | CVE-2022-31034 | Argoproj | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Argoproj Argo CD Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. | 8.1 |
2022-06-27 | CVE-2022-1572 | Html2Wp Project | Missing Authorization vulnerability in Html2Wp Project Html2Wp The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action, available to any authenticated users such as subscriber, which could allow them to delete arbitrary file | 8.1 |
2022-06-30 | CVE-2022-34792 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Recipe 1.0/1.1/1.2 A cross-site request forgery (CSRF) vulnerability in Jenkins Recipe Plugin 1.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML. | 8.0 |
2022-06-28 | CVE-2022-29519 | Yokogawa | Cleartext Transmission of Sensitive Information vulnerability in Yokogawa Stardom FCJ Firmware and Stardom FCN Firmware Cleartext transmission of sensitive information vulnerability exists in STARDOM FCN Controller and FCJ Controller R1.01 to R4.31, which may allow an adjacent attacker to log in to the affected products and alter device configuration settings or tamper with device firmware. | 7.9 |
2022-07-03 | CVE-2022-2289 | VIM Fedoraproject | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-07-03 | CVE-2022-2288 | VIM Fedoraproject | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-07-02 | CVE-2022-2286 | VIM Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-07-02 | CVE-2022-2285 | VIM Fedoraproject Debian | Integer Overflow or Wraparound vulnerability in multiple products Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-07-02 | CVE-2022-2284 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-07-01 | CVE-2022-33103 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir(). | 7.8 |
2022-07-01 | CVE-2022-2264 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-06-30 | CVE-2022-33087 | TP Link | Out-of-bounds Write vulnerability in Tp-Link Archer A5 Firmware and Archer C50 Firmware A stack overflow in the function DM_ In fillobjbystr() of TP-Link Archer C50&A5(US)_V5_200407 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 7.8 |
2022-06-30 | CVE-2022-2257 | VIM Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-06-27 | CVE-2022-31087 | Ldap Account Manager Debian | Incorrect Authorization vulnerability in multiple products LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. | 7.8 |
2022-06-27 | CVE-2022-2210 | VIM Fedoraproject | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. | 7.8 |
2022-06-27 | CVE-2022-2207 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. | 7.8 |
2022-06-27 | CVE-2022-31090 | Guzzlephp Debian | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products Guzzle, an extensible PHP HTTP client. | 7.7 |
2022-06-27 | CVE-2022-31091 | Guzzlephp Debian | Information Exposure vulnerability in multiple products Guzzle, an extensible PHP HTTP client. | 7.7 |
2022-07-01 | CVE-2022-32324 | Pdfalto Project | Out-of-bounds Write vulnerability in Pdfalto Project Pdfalto 0.4 PDFAlto v0.4 was discovered to contain a heap buffer overflow via the component /pdfalto/src/pdfalto.cc. | 7.5 |
2022-07-01 | CVE-2022-31943 | Mingsoft | Unrestricted Upload of File with Dangerous Type vulnerability in Mingsoft Mcms 5.2.8 MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability. | 7.5 |
2022-07-01 | CVE-2022-32093 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at adminlogin.php. | 7.5 |
2022-07-01 | CVE-2022-32094 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at doctorlogin.php. | 7.5 |
2022-07-01 | CVE-2022-32095 | Hospital Management System Project | SQL Injection vulnerability in Hospital Management System Project Hospital Management System 1.0 Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at orders.php. | 7.5 |
2022-07-01 | CVE-2022-25758 | Scss Tokenizer Project | Unspecified vulnerability in Scss-Tokenizer Project Scss-Tokenizer All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex. | 7.5 |
2022-07-01 | CVE-2022-25898 | Jsrsasign Project | Improper Verification of Cryptographic Signature vulnerability in Jsrsasign Project Jsrsasign The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. | 7.5 |
2022-07-01 | CVE-2022-32081 | Mariadb Fedoraproject | Use After Free vulnerability in multiple products MariaDB v10.4 to v10.7 was discovered to contain a use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc. | 7.5 |
2022-07-01 | CVE-2022-32082 | Mariadb Fedoraproject | Reachable Assertion vulnerability in multiple products MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc. | 7.5 |
2022-07-01 | CVE-2022-32083 | Mariadb Debian | MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker. | 7.5 |
2022-07-01 | CVE-2022-32084 | Mariadb Debian Fedoraproject | MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select. | 7.5 |
2022-07-01 | CVE-2022-32085 | Mariadb Debian | MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor. | 7.5 |
2022-07-01 | CVE-2022-32086 | Mariadb | Unspecified vulnerability in Mariadb MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field. | 7.5 |
2022-07-01 | CVE-2022-32087 | Mariadb Debian | MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args. | 7.5 |
2022-07-01 | CVE-2022-32088 | Mariadb Debian | MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort. | 7.5 |
2022-07-01 | CVE-2022-32089 | Mariadb Fedoraproject | MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level. | 7.5 |
2022-07-01 | CVE-2022-32091 | Mariadb Debian Fedoraproject | Use After Free vulnerability in multiple products MariaDB v10.7 was discovered to contain a use-after-poison in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc. | 7.5 |
2022-07-01 | CVE-2022-31604 | Nvidia | Deserialization of Untrusted Data vulnerability in Nvidia Nvflare NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where the CA credentials are transported via pickle without safe deserialization. | 7.5 |
2022-07-01 | CVE-2022-31605 | Nvidia | Deserialization of Untrusted Data vulnerability in Nvidia Nvflare NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). | 7.5 |
2022-07-01 | CVE-2022-32030 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function formSetQosBand. | 7.5 |
2022-07-01 | CVE-2022-32031 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the list parameter in the function fromSetRouteStatic. | 7.5 |
2022-07-01 | CVE-2022-32033 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the function formSetVirtualSer. | 7.5 |
2022-07-01 | CVE-2022-32034 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the items parameter in the function formdelMasteraclist. | 7.5 |
2022-07-01 | CVE-2022-32035 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formMasterMng. | 7.5 |
2022-07-01 | CVE-2022-32036 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain multiple stack overflow vulnerabilities via the ssidList, storeName, and trademark parameters in the function formSetStoreWeb. | 7.5 |
2022-07-01 | CVE-2022-32037 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAPCfg. | 7.5 |
2022-07-01 | CVE-2022-32039 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the listN parameter in the function fromDhcpListClient. | 7.5 |
2022-07-01 | CVE-2022-32040 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetCfm. | 7.5 |
2022-07-01 | CVE-2022-32041 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formGetPassengerAnalyseData. | 7.5 |
2022-07-01 | CVE-2022-32043 | Tenda | Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12 Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAccessCodeInfo. | 7.5 |
2022-07-01 | CVE-2022-32044 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the password parameter in the function FUN_00413f80. | 7.5 |
2022-07-01 | CVE-2022-32045 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_00413be4. | 7.5 |
2022-07-01 | CVE-2022-32046 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_0041880c. | 7.5 |
2022-07-01 | CVE-2022-32047 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_00412ef4. | 7.5 |
2022-07-01 | CVE-2022-32048 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the command parameter in the function FUN_0041cc88. | 7.5 |
2022-07-01 | CVE-2022-32049 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the url parameter in the function FUN_00418540. | 7.5 |
2022-07-01 | CVE-2022-32050 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041af40. | 7.5 |
2022-07-01 | CVE-2022-32051 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc, week, sTime, eTime parameters in the function FUN_004133c4. | 7.5 |
2022-07-01 | CVE-2022-32052 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the desc parameter in the function FUN_004137a4. | 7.5 |
2022-07-01 | CVE-2022-32053 | Totolink | Out-of-bounds Write vulnerability in Totolink T6 Firmware 4.1.9Cu.5179B20201015 TOTOLINK T6 V4.1.9cu.5179_B20201015 was discovered to contain a stack overflow via the cloneMac parameter in the function FUN_0041621c. | 7.5 |
2022-07-01 | CVE-2022-2229 | Gitlab | Unspecified vulnerability in Gitlab An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of. | 7.5 |
2022-07-01 | CVE-2022-33099 | LUA Fedoraproject | Out-of-bounds Write vulnerability in multiple products An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. | 7.5 |
2022-07-01 | CVE-2021-32428 | Viaviweb | SQL Injection vulnerability in Viaviweb Ebook 10 SQL Injection vulnerability in viaviwebtech Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) 10 via the author_id parameter to api.php. | 7.5 |
2022-06-30 | CVE-2014-0156 | Manageiq | OS Command Injection vulnerability in Manageiq Awesomespawn Awesome spawn contains OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. | 7.5 |
2022-06-30 | CVE-2022-32585 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.3.0 A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33312 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33313 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33314 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33325 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33326 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33327 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33328 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2022-33329 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.3.0 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. | 7.5 |
2022-06-30 | CVE-2013-4144 | Swfupload Project | Injection vulnerability in Swfupload Project Swfupload 3.5.2 There is an object injection vulnerability in swfupload plugin for wordpress. | 7.5 |
2022-06-30 | CVE-2021-37778 | GPS SDR SIM Project | Classic Buffer Overflow vulnerability in Gps-Sdr-Sim Project Gps-Sdr-Sim 1.0 There is a buffer overflow in gps-sdr-sim v1.0 when parsing long command line parameters, which can lead to DoS or code execution. | 7.5 |
2022-06-30 | CVE-2021-40663 | Deep Assign Project | Unspecified vulnerability in Deep.Assign Project Deep.Assign 0.0.0 deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | 7.5 |
2022-06-30 | CVE-2017-20125 | Bestsoftinc | SQL Injection vulnerability in Bestsoftinc Online Hotel Booking System 1.2 A vulnerability classified as critical was found in Online Hotel Booking System Pro 1.2. | 7.5 |
2022-06-29 | CVE-2022-31110 | Rsshub | Unspecified vulnerability in Rsshub 20210125 RSSHub is an open source, extensible RSS feed generator. | 7.5 |
2022-06-29 | CVE-2022-33107 | Thinkphp | Deserialization of Untrusted Data vulnerability in Thinkphp 6.0.12 ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. | 7.5 |
2022-06-29 | CVE-2017-20111 | Calabrio | Unspecified vulnerability in Calabrio Teleopti Workforce Management 7.1.0 A vulnerability, which was classified as critical, was found in Teleopti WFM 7.1.0. | 7.5 |
2022-06-29 | CVE-2022-32532 | Apache | Incorrect Authorization vulnerability in Apache Shiro Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. | 7.5 |
2022-06-28 | CVE-2020-19896 | 1234N | Unspecified vulnerability in 1234N Minicms 1.9 File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitrary PHP code via post-edit.php. | 7.5 |
2022-06-28 | CVE-2022-31885 | Marvalglobal | OS Command Injection vulnerability in Marvalglobal Marval MSM 14.19.0.12476 Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts. | 7.5 |
2022-06-28 | CVE-2022-31056 | Glpi Project | SQL Injection vulnerability in Glpi-Project Glpi 10.0.0/10.0.1 GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. | 7.5 |
2022-06-28 | CVE-2022-31061 | Glpi Project | SQL Injection vulnerability in Glpi-Project Glpi GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. | 7.5 |
2022-06-28 | CVE-2022-31106 | Clever | Unspecified vulnerability in Clever Underscore.Deep Underscore.deep is a collection of Underscore mixins that operate on nested objects. | 7.5 |
2022-06-28 | CVE-2021-41687 | Offis | Memory Leak vulnerability in Offis Dcmtk DCMTK through 3.6.6 does not handle memory free properly. | 7.5 |
2022-06-28 | CVE-2021-41688 | Offis | Double Free vulnerability in Offis Dcmtk DCMTK through 3.6.6 does not handle memory free properly. | 7.5 |
2022-06-28 | CVE-2021-41689 | Offis | NULL Pointer Dereference vulnerability in Offis Dcmtk DCMTK through 3.6.6 does not handle string copy properly. | 7.5 |
2022-06-28 | CVE-2021-41690 | Offis | Memory Leak vulnerability in Offis Dcmtk DCMTK through 3.6.6 does not handle memory free properly. | 7.5 |
2022-06-28 | CVE-2022-0624 | Parse Path Project | Authorization Bypass Through User-Controlled Key vulnerability in Parse-Path Project Parse-Path Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0. | 7.5 |
2022-06-27 | CVE-2022-32994 | Halo | Unrestricted Upload of File with Dangerous Type vulnerability in Halo 1.5.3 Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload. | 7.5 |
2022-06-27 | CVE-2022-32995 | Halo | Server-Side Request Forgery (SSRF) vulnerability in Halo 1.5.3 Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function. | 7.5 |
2022-06-27 | CVE-2022-31082 | Glpi Project | SQL Injection vulnerability in Glpi-Project Glpi Inventory 1.0.0/1.0.1 GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. | 7.5 |
2022-06-27 | CVE-2017-20099 | Analytics Stats Counter Statistics Project | Code Injection vulnerability in Analytics Stats Counter Statistics Project Analytics Stats Counter Statistics 1.2.2.5 A vulnerability was found in Analytics Stats Counter Statistics Plugin 1.2.2.5 and classified as critical. | 7.5 |
2022-06-27 | CVE-2022-26477 | Apache | Resource Exhaustion vulnerability in Apache Systemds The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. | 7.5 |
2022-06-27 | CVE-2022-28166 | Broadcom | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.2.0.0 In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 & 18082. | 7.5 |
2022-06-27 | CVE-2021-40900 | Regexfn Project | Unspecified vulnerability in Regexfn Project Regexfn 1.0.5 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in regexfn v1.0.5 when validating crafted invalid emails. | 7.5 |
2022-06-27 | CVE-2021-40901 | Scniro Validator Project | Unspecified vulnerability in Scniro-Validator Project Scniro-Validator 1.0.1 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scniro-validator v1.0.1 when validating crafted invalid emails. | 7.5 |
2022-06-27 | CVE-2022-2216 | Parse URL Project | Server-Side Request Forgery (SSRF) vulnerability in Parse-Url Project Parse-Url Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0. | 7.5 |
2022-06-27 | CVE-2021-40898 | Scaffold Helper Project | Unspecified vulnerability in Scaffold-Helper Project Scaffold-Helper 1.2.0 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scaffold-helper v1.2.0 when copying crafted invalid files. | 7.5 |
2022-06-27 | CVE-2021-40899 | Repo GIT Downloader Project | Unspecified vulnerability in Repo-Git-Downloader Project Repo-Git-Downloader 0.1.1 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in repo-git-downloader v0.1.1 when downloading crafted invalid git repositories. | 7.5 |
2022-06-27 | CVE-2021-40895 | Todo Regex Project | Unspecified vulnerability in Todo-Regex Project Todo-Regex 0.1.1 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in todo-regex v0.1.1 when matching crafted invalid TODO statements. | 7.5 |
2022-06-27 | CVE-2021-40896 | That Value Project | Unspecified vulnerability in That-Value Project That-Value 0.1.3 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in that-value v0.1.3 when validating crafted invalid emails. | 7.5 |
2022-06-27 | CVE-2021-40897 | Split Html TO Chars Project | Unspecified vulnerability in Split-Html-To-Chars Project Split-Html-To-Chars 1.0.5 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in split-html-to-chars v1.0.5 when splitting crafted invalid htmls. | 7.5 |
2022-06-29 | CVE-2022-34043 | Nomachine | Incorrect Permission Assignment for Critical Resource vulnerability in Nomachine 7.9.2 Incorrect permissions for the folder C:\ProgramData\NoMachine\var\uninstall of Nomachine v7.9.2 allows attackers to perform a DLL hijacking attack and execute arbitrary code. | 7.3 |
2022-06-30 | CVE-2017-20121 | Teradici | Improper Privilege Management vulnerability in Teradici Pcoip Management Console 2.2.0 A vulnerability was found in Teradici Management Console 2.2.0. | 7.2 |
2022-06-29 | CVE-2022-33035 | Netsarang | Uncontrolled Search Path Element vulnerability in Netsarang Xlpd XLPD v7.0.0094 and below contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges. | 7.2 |
2022-06-29 | CVE-2017-20112 | Ivpn | Unspecified vulnerability in Ivpn 2.6.6120.33863 A vulnerability has been found in IVPN Client 2.6.6120.33863 and classified as critical. | 7.2 |
2022-06-28 | CVE-2022-2145 | Cloudflare | Link Following vulnerability in Cloudflare Warp Cloudflare WARP client for Windows (up to v. | 7.2 |
2022-06-28 | CVE-2022-30997 | Yokogawa | Use of Hard-coded Credentials vulnerability in Yokogawa Stardom FCJ Firmware and Stardom FCN Firmware Use of hard-coded credentials vulnerability exists in STARDOM FCN Controller and FCJ Controller R4.10 to R4.31, which may allow an attacker with an administrative privilege to read/change configuration settings or update the controller with tampered firmware. | 7.2 |
2022-06-28 | CVE-2017-20107 | Shadeyouvpn COM Project | Improper Privilege Management vulnerability in Shadeyouvpn.Com Project Shadeyouvpn.Com 2.0.1.11 A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. | 7.2 |
2022-06-27 | CVE-2022-1977 | Smackcoders | Server-Side Request Forgery (SSRF) vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via a URL before making an HTTP request to it, which could allow high-privilege users such as admins to perform Blind SSRF attacks. | 7.2 |
2022-07-02 | CVE-2022-2287 | VIM Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. | 7.1 |
2022-07-01 | CVE-2022-27904 | Automox | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Automox Automox Agent for macOS before version 39 was vulnerable to a time-of-check/time-of-use (TOCTOU) race-condition attack during the agent install process. | 7.0 |
237 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-06-30 | CVE-2017-20123 | Sparklabs | Uncontrolled Search Path Element vulnerability in Sparklabs Viscosity 1.6.7 A vulnerability was found in Viscosity 1.6.7. | 6.9 |
2022-07-01 | CVE-2022-32420 | College Management System Project | Unspecified vulnerability in College Management System Project College Management System 1.0 College Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /College/admin/teacher.php. | 6.8 |
2022-06-30 | CVE-2022-31115 | Amazon | Deserialization of Untrusted Data vulnerability in Amazon Opensearch 1.0.0/2.0.0/2.0.1 opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. | 6.8 |
2022-06-29 | CVE-2017-20120 | Trueconf | Cross-Site Request Forgery (CSRF) vulnerability in Trueconf Server 4.3.7.12219/4.3.7.12255 A vulnerability classified as problematic was found in TrueConf Server 4.3.7. | 6.8 |
2022-06-28 | CVE-2022-33108 | Xpdfreader | Out-of-bounds Write vulnerability in Xpdfreader Xpdf 4.04 XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files. | 6.8 |
2022-06-28 | CVE-2022-23763 | Douzone | Origin Validation Error vulnerability in Douzone Neors Origin validation error vulnerability in NeoRS's ActiveX module allows attackers to download and execute arbitrary files. | 6.8 |
2022-06-28 | CVE-2022-31104 | Bytecodealliance | Incorrect Calculation vulnerability in Bytecodealliance Cranelift-Codegen and Wasmtime Wasmtime is a standalone runtime for WebAssembly. | 6.8 |
2022-06-27 | CVE-2022-31092 | Pimcore | SQL Injection vulnerability in Pimcore Pimcore is an Open Source Data & Experience Management Platform. | 6.8 |
2022-06-27 | CVE-2022-1903 | Armemberplugin | Missing Authorization vulnerability in Armemberplugin Armember The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even of the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. | 6.8 |
2022-07-01 | CVE-2022-32325 | Jpegoptim Project Fedoraproject | Out-of-bounds Read vulnerability in multiple products JPEGOPTIM v1.4.7 was discovered to contain a segmentation violation which is caused by a READ memory access at jpegoptim.c. | 6.5 |
2022-07-01 | CVE-2022-32411 | Hongcms Project | Unspecified vulnerability in Hongcms Project Hongcms 3.0.0 An issue in the languages config file of HongCMS v3.0 allows attackers to get a shell. | 6.5 |
2022-07-01 | CVE-2022-32412 | Hongcms Project | Unspecified vulnerability in Hongcms Project Hongcms 3.0.0 An issue in the /template/edit component of HongCMS v3.0 allows attackers to get a shell. | 6.5 |
2022-07-01 | CVE-2022-34903 | Gnupg Fedoraproject Debian Netapp | Injection vulnerability in multiple products GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. | 6.5 |
2022-06-30 | CVE-2022-33085 | Ecisp | Unspecified vulnerability in Ecisp Espcms-P8 ESPCMS P8 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the fetch_filename function at \espcms_public\espcms_templates\ESPCMS_Templates. | 6.5 |
2022-06-30 | CVE-2022-34780 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xebialabs XL Release A cross-site request forgery (CSRF) vulnerability in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-06-30 | CVE-2022-34781 | Jenkins | Missing Authorization vulnerability in Jenkins Xebialabs XL Release Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-06-30 | CVE-2022-34789 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Matrix Reloaded A cross-site request forgery (CSRF) vulnerability in Jenkins Matrix Reloaded Plugin 1.1.3 and earlier allows attackers to rebuild previous matrix builds. | 6.5 |
2022-06-30 | CVE-2022-34794 | Jenkins | Missing Authorization vulnerability in Jenkins Recipe 1.0/1.1/1.2 Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. | 6.5 |
2022-06-30 | CVE-2022-34805 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Skype Notifier 1.0/1.0.1/1.1.0 Jenkins Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-06-30 | CVE-2022-34806 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Jigomerge Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | 6.5 |
2022-06-30 | CVE-2022-34807 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Elasticsearch Query 1.1/1.2 Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-06-30 | CVE-2022-34809 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins RQM Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-06-30 | CVE-2022-34810 | Jenkins | Missing Authorization vulnerability in Jenkins RQM A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 6.5 |
2022-06-30 | CVE-2022-34816 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins HPE Network Virtualization 1.0 Jenkins HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-06-30 | CVE-2022-22472 | IBM | Improper Preservation of Permissions vulnerability in IBM Spectrum Protect Plus Container Backup and Restore IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat OpenShift) could allow a remote attacker to bypass IBM Spectrum Protect Plus role based access control restrictions, caused by improper disclosure of session information. | 6.5 |
2022-06-30 | CVE-2022-2056 | Libtiff Netapp Fedoraproject Debian | Divide By Zero vulnerability in multiple products Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-06-30 | CVE-2022-2057 | Libtiff Netapp Fedoraproject Debian | Divide By Zero vulnerability in multiple products Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-06-30 | CVE-2022-2058 | Libtiff Netapp Fedoraproject Debian | Divide By Zero vulnerability in multiple products Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-06-30 | CVE-2021-37770 | Nucleuscms | Unrestricted Upload of File with Dangerous Type vulnerability in Nucleuscms Nucleus CMS 3.71 Nucleus CMS v3.71 is affected by a file upload vulnerability. | 6.5 |
2022-06-30 | CVE-2017-20124 | Bestsoftinc | SQL Injection vulnerability in Bestsoftinc Online Hotel Booking System 1.0 A vulnerability classified as critical has been found in Online Hotel Booking System Pro Plugin 1.0. | 6.5 |
2022-06-29 | CVE-2022-2073 | Getgrav | Code Injection vulnerability in Getgrav Grav Code Injection in GitHub repository getgrav/grav prior to 1.7.34. | 6.5 |
2022-06-29 | CVE-2022-33057 | Online Railway Reservation System Project | SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_reservation. | 6.5 |
2022-06-29 | CVE-2022-33058 | Online Railway Reservation System Project | SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_message. | 6.5 |
2022-06-29 | CVE-2022-33059 | Online Railway Reservation System Project | SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_train. | 6.5 |
2022-06-29 | CVE-2022-33060 | Online Railway Reservation System Project | SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_schedule. | 6.5 |
2022-06-29 | CVE-2022-33061 | Online Railway Reservation System Project | SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service. | 6.5 |
2022-06-29 | CVE-2022-31058 | Enalean | SQL Injection vulnerability in Enalean Tuleap Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. | 6.5 |
2022-06-29 | CVE-2022-33042 | Online Railway Reservation System Project | SQL Injection vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/inquiries/view_details.php. | 6.5 |
2022-06-29 | CVE-2022-29269 | Nagios | Cross-site Scripting vulnerability in Nagios XI In Nagios XI through 5.8.5, in the schedule report function, an authenticated attacker is able to inject HTML tags that lead to the reformatting/editing of emails from an official email address. | 6.5 |
2022-06-29 | CVE-2022-29271 | Nagios | Incorrect Authorization vulnerability in Nagios XI In Nagios XI through 5.8.5, a read-only Nagios user (due to an incorrect permission check) is able to schedule downtime for any host/services. | 6.5 |
2022-06-28 | CVE-2021-41559 | Silverstripe | XML Entity Expansion vulnerability in Silverstripe Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document. | 6.5 |
2022-06-28 | CVE-2022-31884 | Marvalglobal | Unspecified vulnerability in Marvalglobal Marval MSM 14.19.0.12476 Marval MSM v14.19.0.12476 has an Improper Access Control vulnerability which allows a low-privilege user to delete other users' API keys, including those of high-privilege users and the Administrator user. | 6.5 |
2022-06-28 | CVE-2022-31052 | Matrix Fedoraproject | Uncontrolled Recursion vulnerability in multiple products Synapse is an open source home server implementation for the Matrix chat network. | 6.5 |
2022-06-27 | CVE-2017-20103 | WP Kama | SQL Injection vulnerability in Wp-Kama Kama Click Counter A vulnerability classified as critical has been found in Kama Click Counter Plugin up to 3.4.8. | 6.5 |
2022-06-27 | CVE-2022-31081 | Http Debian | HTTP Request Smuggling vulnerability in multiple products HTTP::Daemon is a simple HTTP server class written in Perl. | 6.5 |
2022-06-27 | CVE-2022-28167 | Broadcom | Insufficiently Protected Credentials vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.2.0.0 Brocade SANnav before Brocade SANvav v. | 6.5 |
2022-06-27 | CVE-2022-2212 | Library Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Library Management System Project Library Management System 1.0 A vulnerability was found in SourceCodester Library Management System 1.0. | 6.5 |
2022-06-30 | CVE-2022-23719 | Pingidentity | Missing Authentication for Critical Function vulnerability in Pingidentity Pingid Integration for Windows Login PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. | 6.4 |
2022-06-30 | CVE-2013-4561 | Redhat | Exposure of Resource to Wrong Sphere vulnerability in Redhat Openshift In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file. | 6.4 |
2022-06-28 | CVE-2022-24444 | Silverstripe | Session Fixation vulnerability in Silverstripe Silverstripe silverstripe/framework through 4.10 allows Session Fixation. | 6.4 |
2022-06-27 | CVE-2022-1953 | Product Configurator FOR Woocommerce Project | Path Traversal vulnerability in Product Configurator for Woocommerce Project Product Configurator for Woocommerce The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts user input that is used in a path and passed to unlink() without prior validation. | 6.4 |
2022-07-02 | CVE-2022-34911 | Mediawiki Fedoraproject | Cross-site Scripting vulnerability in multiple products An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. | 6.1 |
2022-07-02 | CVE-2022-34912 | Mediawiki Fedoraproject | An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. | 6.1 |
2022-06-29 | CVE-2017-20119 | Trueconf | Open Redirect vulnerability in Trueconf Server A vulnerability classified as problematic has been found in TrueConf Server 4.3.7. | 6.1 |
2022-06-29 | CVE-2022-31897 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul ZOO Management System 1.0 SourceCodester Zoo Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via public_html/register_visitor?msg=. | 6.1 |
2022-06-28 | CVE-2022-31108 | Mermaid Project | Cross-site Scripting vulnerability in Mermaid Project Mermaid Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. | 6.1 |
2022-06-28 | CVE-2022-34133 | Jorani | Cross-site Scripting vulnerability in Jorani 1.0.0 Benjamin BALET Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php. | 6.1 |
2022-06-27 | CVE-2022-31085 | Ldap Account Manager Debian | Insufficiently Protected Credentials vulnerability in multiple products LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. | 6.1 |
2022-06-27 | CVE-2022-28172 | Hikvision | Cross-site Scripting vulnerability in Hikvision products The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. | 6.1 |
2022-06-27 | CVE-2022-1593 | Site Offline OR Coming Soon Project | Cross-site Scripting vulnerability in Site Offline or Coming Soon Project Site Offline or Coming Soon The Site Offline or Coming Soon WordPress plugin through 1.6.6 does not have a CSRF check in place when updating its settings, and it also lacks sanitisation and escaping of some of them. | 6.1 |
2022-06-27 | CVE-2022-1916 | Pluginus | Cross-site Scripting vulnerability in Pluginus Woot The Active Products Tables for WooCommerce. | 6.1 |
2022-06-27 | CVE-2022-31086 | Ldap Account Manager Debian | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. | 6.0 |
2022-06-27 | CVE-2022-2140 | Smartics | Cross-site Scripting vulnerability in Smartics 2.3.4.0 Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters. | 6.0 |
2022-07-01 | CVE-2022-32384 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44 Tenda AC23 v16.03.07.44 was discovered to contain a stack overflow via the security_5g parameter in the function formWifiBasicSet. | 5.8 |
2022-07-01 | CVE-2022-25896 | Passport Project | Session Fixation vulnerability in Passport Project Passport This affects the package passport before 0.6.0. | 5.8 |
2022-07-01 | CVE-2022-2250 | Gitlab | Open Redirect vulnerability in Gitlab An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL. | 5.8 |
2022-06-29 | CVE-2022-2252 | Microweber | Open Redirect vulnerability in Microweber Open Redirect in GitHub repository microweber/microweber prior to 1.2.19. | 5.8 |
2022-06-29 | CVE-2020-26877 | Apifest | Open Redirect vulnerability in Apifest Oauth 2.0 Server 0.3.1 ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack. | 5.8 |
2022-06-29 | CVE-2022-29272 | Nagios | Open Redirect vulnerability in Nagios XI In Nagios XI through 5.8.5, an open redirect vulnerability exists in the login function that could lead to spoofing. | 5.8 |
2022-06-28 | CVE-2022-30560 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products When an attacker has obtained the administrative account and password, or through a man-in-the-middle attack, the attacker could send a specially crafted packet to the vulnerable interface and cause the device to crash. | 5.8 |
2022-06-28 | CVE-2022-30563 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products When an attacker uses a man-in-the-middle attack to sniff the request packets of a successful login through ONVIF, they can log in to the device by replaying the user's login packet. | 5.8 |
2022-06-27 | CVE-2022-33007 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-751Dr Firmware and Tew-752Dru Firmware TRENDnet Wi-Fi routers TEW751DR v1.03 and TEW-752DRU v1.03 were discovered to contain a stack overflow via the function genacgi_main. | 5.8 |
2022-06-27 | CVE-2022-33146 | Web2Py | Open Redirect vulnerability in Web2Py Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL. | 5.8 |
2022-06-30 | CVE-2022-23725 | Pingidentity | Incorrect Permission Assignment for Critical Resource vulnerability in Pingidentity Pingid Integration for Windows Login PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. | 5.5 |
2022-06-30 | CVE-2021-38941 | IBM | Unspecified vulnerability in IBM Cloud PAK for Multicloud Management Monitoring 2.0.0/2.3.0 IBM CloudPak for Multicloud Monitoring 2.0 and 2.3 runs a few containers in privileged mode, which exposes the host to information leakage or destruction if an unauthorized party gains access to these containers and executes arbitrary commands. | 5.5 |
2022-06-30 | CVE-2022-1852 | Linux Redhat | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. | 5.5 |
2022-06-30 | CVE-2022-2078 | Linux Redhat Debian | Stack-based Buffer Overflow vulnerability in multiple products A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function. This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse(), causing a denial of service and possibly code execution. | 5.5 |
2022-06-28 | CVE-2022-2231 | VIM Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2. | 5.5 |
2022-06-28 | CVE-2021-40606 | Gpac | Out-of-bounds Read vulnerability in Gpac The gf_bs_write_data function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command. | 5.5 |
2022-06-28 | CVE-2021-40608 | Gpac | Use of Uninitialized Resource vulnerability in Gpac The gf_hinter_track_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command. | 5.5 |
2022-06-28 | CVE-2021-40609 | Gpac | Allocation of Resources Without Limits or Throttling vulnerability in Gpac The GetHintFormat function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command. | 5.5 |
2022-06-28 | CVE-2021-40944 | Gpac | NULL Pointer Dereference vulnerability in Gpac 1.1.0 In GPAC MP4Box 1.1.0, there is a NULL pointer dereference in the gf_filter_pid_get_packet function in src/filter_core/filter_pid.c:5394, as demonstrated by GPAC. | 5.5 |
2022-06-28 | CVE-2017-20105 | Simplessus | Path Traversal vulnerability in Simplessus 3.7.7 A vulnerability was found in Simplessus 3.7.7. | 5.5 |
2022-06-27 | CVE-2022-2208 | VIM Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163. | 5.5 |
2022-07-01 | CVE-2022-22373 | IBM | Unspecified vulnerability in IBM Infosphere Information Server 11.7 An improper validation vulnerability in IBM InfoSphere Information Server 11.7 Pack for SAP Apps and BW Packs may lead to creation of directories and files on the server file system that may contain non-sensitive debugging information like stack traces. | 5.4 |
2022-06-30 | CVE-2022-34777 | Jenkins | Cross-site Scripting vulnerability in Jenkins Gitlab Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-06-30 | CVE-2022-34778 | Jenkins | Cross-site Scripting vulnerability in Jenkins Testng Results Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results. | 5.4 |
2022-06-30 | CVE-2022-34783 | Jenkins | Cross-site Scripting vulnerability in Jenkins Plot Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-06-30 | CVE-2022-34784 | Jenkins | Cross-site Scripting vulnerability in Jenkins Build-Metrics 1.3 Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission. | 5.4 |
2022-06-30 | CVE-2022-34786 | Jenkins | Cross-site Scripting vulnerability in Jenkins Rich Text Publisher Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. | 5.4 |
2022-06-30 | CVE-2022-34787 | Jenkins | Cross-site Scripting vulnerability in Jenkins Project Inheritance Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked. | 5.4 |
2022-06-30 | CVE-2022-34788 | Jenkins | Cross-site Scripting vulnerability in Jenkins Matrix Reloaded Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | 5.4 |
2022-06-30 | CVE-2022-34790 | Jenkins | Cross-site Scripting vulnerability in Jenkins Extreme Feedback Panel Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-06-30 | CVE-2022-34791 | Jenkins | Cross-site Scripting vulnerability in Jenkins Validating Email Parameter 1.10/1.8 Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-06-30 | CVE-2022-34795 | Jenkins | Cross-site Scripting vulnerability in Jenkins Deployment Dashboard Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. | 5.4 |
2022-06-29 | CVE-2017-20113 | Trueconf | Cross-site Scripting vulnerability in Trueconf Server A vulnerability, which was classified as problematic, was found in TrueConf Server 4.3.7. | 5.4 |
2022-06-29 | CVE-2017-20114 | Trueconf | Cross-site Scripting vulnerability in Trueconf Server A vulnerability has been found in TrueConf Server 4.3.7 and classified as problematic. | 5.4 |
2022-06-29 | CVE-2017-20115 | Trueconf | Cross-site Scripting vulnerability in Trueconf Server A vulnerability was found in TrueConf Server 4.3.7 and classified as problematic. | 5.4 |
2022-06-29 | CVE-2017-20116 | Trueconf | Cross-site Scripting vulnerability in Trueconf Server A vulnerability was found in TrueConf Server 4.3.7. | 5.4 |
2022-06-29 | CVE-2017-20117 | Trueconf | Cross-site Scripting vulnerability in Trueconf Server A vulnerability was found in TrueConf Server 4.3.7. | 5.4 |
2022-06-29 | CVE-2017-20118 | Trueconf | Cross-site Scripting vulnerability in Trueconf Server A vulnerability was found in TrueConf Server 4.3.7. | 5.4 |
2022-06-27 | CVE-2022-31035 | Argoproj | Cross-site Scripting vulnerability in Argoproj Argo CD Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. | 5.4 |
2022-06-27 | CVE-2022-2213 | Library Management System Project | Cross-site Scripting vulnerability in Library Management System Project Library Management System 1.0 A vulnerability was found in SourceCodester Library Management System 1.0. | 5.4 |
2022-07-01 | CVE-2022-1954 | Gitlab | Unspecified vulnerability in Gitlab A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers | 5.3 |
2022-06-30 | CVE-2022-22494 | IBM | Unspecified vulnerability in IBM Spectrum Protect Operations Center IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14 could allow a remote attacker to gain details of the database, such as type and version, by sending a specially-crafted HTTP request. | 5.3 |
2022-07-02 | CVE-2022-32551 | Zohocorp | Path Traversal vulnerability in Zohocorp Manageengine Servicedesk Plus MSP 10.5/10.6 Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml). | 5.0 |
2022-07-01 | CVE-2022-1963 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. | 5.0 |
2022-07-01 | CVE-2022-2270 | Gitlab | Incorrect Default Permissions vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. | 5.0 |
2022-07-01 | CVE-2014-3648 | Redhat | Resource Exhaustion vulnerability in Redhat Jboss Aerogear 1.0.0 The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. | 5.0 |
2022-07-01 | CVE-2022-34894 | Jetbrains | Unspecified vulnerability in Jetbrains HUB In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services | 5.0 |
2022-06-30 | CVE-2022-33082 | Openpolicyagent | Unspecified vulnerability in Openpolicyagent Open Policy Agent An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 5.0 |
2022-06-30 | CVE-2021-41995 | Pingidentity | Improper Authentication vulnerability in Pingidentity Pingid Integration for mac Login A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass. | 5.0 |
2022-06-30 | CVE-2022-22474 | IBM | Unspecified vulnerability in IBM Spectrum Protect Client IBM Spectrum Protect 8.1.0.0 through 8.1.14.0 dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. | 5.0 |
2022-06-29 | CVE-2022-33021 | Openhwgroup | Out-of-bounds Read vulnerability in Openhwgroup Cva6 CVA6 commit 909d85a accesses invalid memory when reading the value of MHPMCOUNTER30. | 5.0 |
2022-06-29 | CVE-2022-33023 | Openhwgroup | Incorrect Default Permissions vulnerability in Openhwgroup Cva6 CVA6 commit 909d85a gives incorrect permission to use special multiplication units when the format of instructions is wrong. | 5.0 |
2022-06-29 | CVE-2017-20110 | Calabrio | Unspecified vulnerability in Calabrio Teleopti Workforce Management 7.1.0 A vulnerability, which was classified as problematic, has been found in Teleopti WFM up to 7.1.0. | 5.0 |
2022-06-28 | CVE-2022-31887 | Marvalglobal | Insufficiently Protected Credentials vulnerability in Marvalglobal Marval MSM 14.19.0.12476 Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization; this also allows privilege escalation by changing the administrator password. | 5.0 |
2022-06-28 | CVE-2021-3430 | Zephyrproject | Reachable Assertion vulnerability in Zephyrproject Zephyr Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. | 5.0 |
2022-06-28 | CVE-2021-3431 | Zephyrproject | Reachable Assertion vulnerability in Zephyrproject Zephyr 2.5.0/2.5.1 Assertion reachable with repeated LL_FEATURE_REQ. | 5.0 |
2022-06-28 | CVE-2021-3432 | Zephyrproject | Divide By Zero vulnerability in Zephyrproject Zephyr Invalid interval in CONNECT_IND leads to Division by Zero. | 5.0 |
2022-06-28 | CVE-2022-28621 | HPE | Unspecified vulnerability in HPE Nonstop Distributed Systems Management / Software Configuration Manager T6031H03^Adp A remote disclosure of sensitive information vulnerability was discovered in HPE NonStop DSM/SCM version: T6031H03^ADP. | 5.0 |
2022-06-28 | CVE-2022-31068 | Glpi Project | Unspecified vulnerability in Glpi-Project Glpi 10.0.0/10.0.1 GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. | 5.0 |
2022-06-28 | CVE-2021-41460 | Shopex | SQL Injection vulnerability in Shopex Ecshop 4.1.0 ECShop 4.1.0 has SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information. | 5.0 |
2022-06-28 | CVE-2022-34750 | Mediawiki | Allocation of Resources Without Limits or Throttling vulnerability in Mediawiki An issue was discovered in MediaWiki through 1.38.1. | 5.0 |
2022-06-28 | CVE-2017-20104 | Simplessus | SQL Injection vulnerability in Simplessus 3.7.7 A vulnerability was found in Simplessus 3.7.7. | 5.0 |
2022-06-27 | CVE-2022-31103 | Lettersanitizer Project | Improper Check for Unusual or Exceptional Conditions vulnerability in Lettersanitizer Project Lettersanitizer 1.0.0/1.0.1 lettersanitizer is a DOM-based HTML email sanitizer for in-browser email rendering. | 5.0 |
2022-06-27 | CVE-2022-31093 | Nextauth JS | Improper Check for Unusual or Exceptional Conditions vulnerability in Nextauth.Js Next-Auth NextAuth.js is a complete open source authentication solution for Next.js applications. | 5.0 |
2022-06-27 | CVE-2022-31088 | Ldap Account Manager Debian | Injection vulnerability in multiple products LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. | 5.0 |
2022-06-27 | CVE-2022-31089 | Parseplatform | Use of Incorrectly-Resolved Name or Reference vulnerability in Parseplatform Parse-Server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. | 5.0 |
2022-06-27 | CVE-2022-31039 | Bigbluebutton | Incorrect Authorization vulnerability in Bigbluebutton Greenlight Greenlight is a simple front-end interface for your BigBlueButton server. | 5.0 |
2022-06-27 | CVE-2022-28622 | HPE | Use of a Broken or Risky Cryptographic Algorithm vulnerability in HPE Storeonce 3640 Firmware 4.2.3/4.3.0 A potential security vulnerability has been identified in HPE StoreOnce Software. | 5.0 |
2022-06-27 | CVE-2021-40941 | Axiosys | Allocation of Resources Without Limits or Throttling vulnerability in Axiosys Bento4 1.6.0638 In Bento4 1.6.0-638, an allocator runs out of memory in the function AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity in Ap4Array.h:172, as demonstrated by GPAC. | 5.0 |
2022-06-27 | CVE-2022-28168 | Broadcom | Insecure Storage of Sensitive Information vulnerability in Broadcom Sannav 2.1.0/2.1.1/2.2.0.0 In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav v2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords. | 5.0 |
2022-06-27 | CVE-2021-33647 | Mindspore | Out-of-bounds Write vulnerability in Mindspore When performing the inference shape operation of the Tile operator, if the input data type is not int or int32, it will access data outside of bounds of heap allocated buffers. | 5.0 |
2022-06-27 | CVE-2021-33648 | Mindspore | Out-of-bounds Read vulnerability in Mindspore When performing the inference shape operation of Affine, Concat, MatMul, ArgMinMax, EmbeddingLookup, and Gather operators, if the input shape size is 0, it will access data outside of bounds of shape which was allocated from heap buffers. | 5.0 |
2022-06-27 | CVE-2021-33649 | Mindspore | Out-of-bounds Read vulnerability in Mindspore When performing the inference shape operation of the Transpose operator, if the value in the perm element is greater than or equal to the size of the input_shape, it will access data outside of bounds of input_shape which was allocated from heap buffers. | 5.0 |
2022-06-27 | CVE-2021-33650 | Mindspore | Out-of-bounds Read vulnerability in Mindspore 1.2.0/1.2.1 When performing the inference shape operation of the SparseToDense operator, if the number of inputs is less than three, it will access data outside of bounds of inputs which was allocated from heap buffers. | 5.0 |
2022-06-27 | CVE-2021-33651 | Mindspore | Divide By Zero vulnerability in Mindspore When performing the analytical operation of the DepthwiseConv2D operator, if the attribute depth_multiplier is 0, it will cause a division by 0 exception. | 5.0 |
2022-06-27 | CVE-2021-33652 | Mindspore | Divide By Zero vulnerability in Mindspore When the Reduce operator run operation is executed, if there is a value of 0 in the parameter axis_sizes element, it will cause a division by 0 exception. | 5.0 |
2022-06-27 | CVE-2021-33653 | Mindspore | Divide By Zero vulnerability in Mindspore When performing the derivation shape operation of the SpaceToBatch operator, if there is a value of 0 in the parameter block_shape element, it will cause a division by 0 exception. | 5.0 |
2022-06-27 | CVE-2021-33654 | Mindspore | Divide By Zero vulnerability in Mindspore When performing the initialization operation of the Split operator, if a dimension in the input shape is 0, it will cause a division by 0 exception. | 5.0 |
2022-06-27 | CVE-2022-0722 | Parse URL Project | Information Exposure vulnerability in Parse-Url Project Parse-Url Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0. | 5.0 |
2022-06-27 | CVE-2020-9754 | Navercorp | Unspecified vulnerability in Navercorp Whale NAVER Whale browser mobile app before 1.10.6.2 allows the attacker to bypass its browser unlock function via incognito mode. | 5.0 |
2022-06-30 | CVE-2022-23717 | Pingidentity | Improper Resource Shutdown or Release vulnerability in Pingidentity Pingid Integration for Windows Login PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication. | 4.9 |
2022-06-30 | CVE-2021-37791 | Myadmin Project | Unspecified vulnerability in Myadmin Project Myadmin 1.0 MyAdmin v1.0 is affected by an incorrect access control vulnerability in viewing personal center in /api/user/userData?userCode=admin. | 4.9 |
2022-06-27 | CVE-2022-2088 | Smartics | Unspecified vulnerability in Smartics 2.3.4.0 An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0. | 4.9 |
2022-06-27 | CVE-2022-1095 | Mihdan | Cross-site Scripting vulnerability in Mihdan: NO External Links Project Mihdan: NO External Links The Mihdan: No External Links WordPress plugin before 5.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-06-27 | CVE-2022-1113 | Floristone | Unspecified vulnerability in Floristone Flower Delivery The Flower Delivery by Florist One WordPress plugin through 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setups) | 4.8 |
2022-06-27 | CVE-2022-1327 | Rich WEB | Cross-site Scripting vulnerability in Rich-Web Image Gallery The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 4.8 |
2022-06-27 | CVE-2022-1990 | Kylephillips | Cross-site Scripting vulnerability in Kylephillips Nested Pages The Nested Pages WordPress plugin before 3.1.21 does not escape and sanitize some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html is disallowed | 4.8 |
2022-06-27 | CVE-2022-33202 | Softcreate | Improper Authentication vulnerability in Softcreate L2Blocker Authentication bypass vulnerability in the setup screen of L2Blocker(on-premise) Ver4.8.5 and earlier and L2Blocker(Cloud) Ver4.8.5 and earlier allows an adjacent attacker to perform an unauthorized login and obtain the stored information or cause a malfunction of the device by using alternative paths or channels for Sensor. | 4.8 |
2022-07-02 | CVE-2022-28200 | Nvidia | Out-of-bounds Write vulnerability in Nvidia DGX A100 Firmware NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. | 4.6 |
2022-06-28 | CVE-2021-3434 | Zephyrproject | Out-of-bounds Write vulnerability in Zephyrproject Zephyr 2.5.0/2.5.1 Stack based buffer overflow in le_ecred_conn_req(). | 4.6 |
2022-06-30 | CVE-2022-23720 | Pingidentity | Improper Privilege Management vulnerability in Pingidentity Pingid Integration for Windows Login PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. | 4.4 |
2022-06-29 | CVE-2022-33036 | Embarcadero | Uncontrolled Search Path Element vulnerability in Embarcadero Dev-C++ 6.3 A binary hijack in Embarcadero Dev-CPP v6.3 allows attackers to execute arbitrary code via a crafted .exe file. | 4.4 |
2022-06-29 | CVE-2022-33037 | Orwell DEV CPP Project | Uncontrolled Search Path Element vulnerability in Orwell-Dev-Cpp Project Orwell-Dev-Cpp A binary hijack in Orwell-Dev-Cpp v5.11 allows attackers to execute arbitrary code via a crafted .exe file. | 4.4 |
2022-07-03 | CVE-2022-2290 | Trilium Project | Cross-site Scripting vulnerability in Trilium Project Trilium Cross-site Scripting (XSS) - Reflected in GitHub repository zadam/trilium prior to 0.52.4, 0.53.1-beta. | 4.3 |
2022-07-01 | CVE-2021-37524 | Fusionpbx | Cross-site Scripting vulnerability in Fusionpbx Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php. | 4.3 |
2022-07-01 | CVE-2022-0167 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. | 4.3 |
2022-07-01 | CVE-2022-1999 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. | 4.3 |
2022-07-01 | CVE-2022-31113 | Thinkst | Cross-site Scripting vulnerability in Thinkst Canarytokens 20190301 Canarytokens is an open source tool which helps track activity and actions on your network. | 4.3 |
2022-07-01 | CVE-2022-1983 | Gitlab | Incorrect Authorization vulnerability in Gitlab Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured. | 4.3 |
2022-07-01 | CVE-2022-2243 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects. | 4.3 |
2022-07-01 | CVE-2022-2244 | Gitlab | Unspecified vulnerability in Gitlab An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project members with reporter role to manage issues in project's error tracking feature. | 4.3 |
2022-07-01 | CVE-2022-2281 | Gitlab | Unspecified vulnerability in Gitlab An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases. | 4.3 |
2022-07-01 | CVE-2022-2279 | Libmobi Project | NULL Pointer Dereference vulnerability in Libmobi Project Libmobi NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11. | 4.3 |
2022-06-30 | CVE-2022-34779 | Jenkins | Missing Authorization vulnerability in Jenkins Xebialabs XL Release A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-06-30 | CVE-2022-34782 | Jenkins | Incorrect Authorization vulnerability in Jenkins Requests An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests. | 4.3 |
2022-06-30 | CVE-2022-34785 | Jenkins | Incorrect Authorization vulnerability in Jenkins Build-Metrics Jenkins build-metrics Plugin 1.3 and earlier does not perform permission checks in multiple HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. | 4.3 |
2022-06-30 | CVE-2022-34796 | Jenkins | Missing Authorization vulnerability in Jenkins Deployment Dashboard A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-06-30 | CVE-2022-34797 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Deployment Dashboard A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials. | 4.3 |
2022-06-30 | CVE-2022-34798 | Jenkins | Missing Authorization vulnerability in Jenkins Deployment Dashboard Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials. | 4.3 |
2022-06-30 | CVE-2022-34799 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Deployment Dashboard Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 4.3 |
2022-06-30 | CVE-2022-34800 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Build Notifications 1.4.2/1.4.3/1.5.0 Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 4.3 |
2022-06-30 | CVE-2022-34801 | Jenkins | Cleartext Transmission of Sensitive Information vulnerability in Jenkins Build Notifications 1.4.2/1.4.3/1.5.0 Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | 4.3 |
2022-06-30 | CVE-2022-34802 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Rocketchat Notifier Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 4.3 |
2022-06-30 | CVE-2022-34803 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Opsgenie Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system. | 4.3 |
2022-06-30 | CVE-2022-34804 | Jenkins | Cleartext Transmission of Sensitive Information vulnerability in Jenkins Opsgenie Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. | 4.3 |
2022-06-30 | CVE-2022-34808 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Cisco Spark Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 4.3 |
2022-06-30 | CVE-2022-34811 | Jenkins | Missing Authorization vulnerability in Jenkins Xpath Configuration Viewer A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. | 4.3 |
2022-06-30 | CVE-2022-34812 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Xpath Configuration Viewer A cross-site request forgery (CSRF) vulnerability in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers to create and delete XPath expressions. | 4.3 |
2022-06-30 | CVE-2022-34813 | Jenkins | Missing Authorization vulnerability in Jenkins Xpath Configuration Viewer A missing permission check in Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to create and delete XPath expressions. | 4.3 |
2022-06-30 | CVE-2022-34814 | Jenkins | Incorrect Authorization vulnerability in Jenkins Request Rename or Delete Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view an administrative configuration page listing pending requests. | 4.3 |
2022-06-30 | CVE-2022-34815 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Request Rename or Delete A cross-site request forgery (CSRF) vulnerability in Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier allows attackers to accept pending requests, thereby renaming or deleting jobs. | 4.3 |
2022-06-30 | CVE-2022-34817 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Failed JOB Deactivator A cross-site request forgery (CSRF) vulnerability in Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier allows attackers to disable jobs. | 4.3 |
2022-06-30 | CVE-2022-34818 | Jenkins | Missing Authorization vulnerability in Jenkins Failed JOB Deactivator Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs. | 4.3 |
2022-06-30 | CVE-2021-38954 | IBM | Unspecified vulnerability in IBM Sterling B2B Integrator IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could disclose sensitive version information that could aid in future attacks against the system. | 4.3 |
2022-06-29 | CVE-2022-30467 | Joyebike | Authentication Bypass by Capture-replay vulnerability in Joyebike Wolf 2022 Firmware Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF. | 4.3 |
2022-06-29 | CVE-2022-31032 | Enalean | Unspecified vulnerability in Enalean Tuleap Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. | 4.3 |
2022-06-29 | CVE-2021-39074 | IBM | Cross-site Scripting vulnerability in IBM Security Guardium 11.4 IBM Security Guardium 11.4 is vulnerable to cross-site scripting. | 4.3 |
2022-06-29 | CVE-2022-32969 | Metamask | Improper Preservation of Permissions vulnerability in Metamask MetaMask before 10.11.3 might allow an attacker to access a user's secret recovery phrase because an input field is used for a BIP39 mnemonic, and Firefox and Chromium save such fields to disk in order to support the Restore Session feature, aka the Demonic issue. | 4.3 |
2022-06-29 | CVE-2021-40642 | Textpattern | Missing Encryption of Sensitive Data vulnerability in Textpattern Textpattern CMS v4.8.7 and older is vulnerable to a Sensitive Cookie in HTTPS Session Without 'Secure' Attribute issue via textpattern/lib/txplib_misc.php. | 4.3 |
2022-06-29 | CVE-2022-29270 | Nagios | Missing Authentication for Critical Function vulnerability in Nagios XI In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address. | 4.3 |
2022-06-28 | CVE-2020-19897 | Wuzhicms | Cross-site Scripting vulnerability in Wuzhicms Wuzhi CMS 4.1.0 A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter. | 4.3 |
2022-06-28 | CVE-2022-31886 | Marvalglobal | Cross-Site Request Forgery (CSRF) vulnerability in Marvalglobal Marval MSM 14.19.0.12476 Marval MSM v14.19.0.12476 is vulnerable to Cross Site Request Forgery (CSRF). | 4.3 |
2022-06-28 | CVE-2021-3779 | Ruby Mysql Project | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Ruby-Mysql Project Ruby-Mysql A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user. | 4.3 |
2022-06-28 | CVE-2022-0085 | Dompdf Project | Server-Side Request Forgery (SSRF) vulnerability in Dompdf Project Dompdf Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0. | 4.3 |
2022-06-28 | CVE-2022-30561 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products When an attacker uses a man-in-the-middle attack to sniff the request packets of a successful login, the attacker could log in to the device by replaying the user's login packet. | 4.3 |
2022-06-28 | CVE-2021-40607 | Gpac | Allocation of Resources Without Limits or Throttling vulnerability in Gpac The schm_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command. | 4.3 |
2022-06-28 | CVE-2021-40943 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 1.6.0638 In Bento4 1.6.0-638, there is a null pointer dereference in the function AP4_DescriptorListInspector::Action in Ap4Descriptor.h:124, as demonstrated by GPAC. | 4.3 |
2022-06-27 | CVE-2022-31098 | Weave | Information Exposure Through Log Files vulnerability in Weave Gitops Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. | 4.3 |
2022-06-27 | CVE-2021-40942 | Gpac | Out-of-bounds Write vulnerability in Gpac 1.1.0 In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the function filter_parse_dyn_args in filter_core/filter.c:1454, as demonstrated by GPAC. | 4.3 |
2022-06-27 | CVE-2022-31094 | Scratchstatus | Cross-site Scripting vulnerability in Scratchstatus Scratchtools 2.4.0/2.5.0/2.5.1 ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. | 4.3 |
2022-06-27 | CVE-2022-33005 | Deltaww | Cross-site Scripting vulnerability in Deltaww Diaenergie 1.08.00 A cross-site scripting (XSS) vulnerability in the System Settings/IOT Settings module of Delta Electronics DIAEnergie v1.08.00 allows attackers to execute arbitrary web scripts via a crafted payload injected into the Name text field. | 4.3 |
2022-06-27 | CVE-2022-31036 | Argoproj | Link Following vulnerability in Argoproj Argo CD Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. | 4.3 |
2022-06-27 | CVE-2022-31065 | Bigbluebutton | Cross-site Scripting vulnerability in Bigbluebutton BigBlueButton is an open source web conferencing system. | 4.3 |
2022-06-27 | CVE-2020-21161 | Ruckuswireless | Cross-site Scripting vulnerability in Ruckuswireless Zonedirector Firmware 9.8.3.0 Cross Site Scripting (XSS) vulnerability in Ruckus Wireless ZoneDirector 9.8.3.0. | 4.3 |
2022-06-27 | CVE-2017-20100 | AIR Transfer Project | Cross-site Scripting vulnerability in AIR Transfer Project AIR Transfer 1.0.14/1.2.1 A vulnerability was found in Air Transfer 1.0.14/1.2.1. | 4.3 |
2022-06-27 | CVE-2022-2218 | Parse URL Project | Cross-site Scripting vulnerability in Parse-Url Project Parse-Url Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0. | 4.3 |
2022-06-27 | CVE-2022-2217 | Parse URL Project | Cross-site Scripting vulnerability in Parse-Url Project Parse-Url Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0. | 4.3 |
2022-06-27 | CVE-2022-0444 | Watchful | Missing Authorization vulnerability in Watchful Xcloner The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. | 4.3 |
2022-06-27 | CVE-2022-0875 | Miniorange | Cross-Site Request Forgery (CSRF) vulnerability in Miniorange Google Authenticator The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks | 4.3 |
2022-06-27 | CVE-2022-1470 | Ultimate Woocommerce CSV Importer Project | Cross-site Scripting vulnerability in Ultimate Woocommerce CSV Importer Project Ultimate Woocommerce CSV Importer The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-06-27 | CVE-2022-1573 | Html2Wp Project | Cross-Site Request Forgery (CSRF) vulnerability in Html2Wp Project Html2Wp The HTML2WP WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them | 4.3 |
2022-06-27 | CVE-2022-1625 | Wpexperts | Cross-Site Request Forgery (CSRF) vulnerability in Wpexperts NEW User Approve The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites. | 4.3 |
2022-06-27 | CVE-2022-1627 | Zatzlabs | Cross-Site Request Forgery (CSRF) vulnerability in Zatzlabs MY Private Site The My Private Site WordPress plugin before 3.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
2022-06-27 | CVE-2022-1653 | Supsystic | Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Social Share Buttons The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in its ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks. | 4.3 |
2022-06-27 | CVE-2022-1842 | Openbook Book Data Project | Cross-Site Request Forgery (CSRF) vulnerability in Openbook Book Data Project Openbook Book Data The OpenBook Book Data WordPress plugin through 3.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well | 4.3 |
2022-06-27 | CVE-2022-1843 | Mailpress Project | Cross-Site Request Forgery (CSRF) vulnerability in Mailpress Project Mailpress The MailPress WordPress plugin through 7.2.1 does not have CSRF checks in various places, which could allow attackers to make a logged in admin change the settings, purge log files and more via CSRF attacks | 4.3 |
2022-06-27 | CVE-2022-1844 | WP Sentry Project | Cross-Site Request Forgery (CSRF) vulnerability in Wp-Sentry Project Wp-Sentry The WP Sentry WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well | 4.3 |
2022-06-27 | CVE-2022-1845 | WP Post Styling Project | Cross-Site Request Forgery (CSRF) vulnerability in WP Post Styling Project WP Post Styling The WP Post Styling WordPress plugin before 1.3.1 does not have CSRF checks in various actions, which could allow attackers to make a logged in admin delete plugin's data, update the settings, add new entries and more via CSRF attacks | 4.3 |
2022-06-27 | CVE-2022-1846 | Tiny Contact Form Project | Cross-Site Request Forgery (CSRF) vulnerability in Tiny Contact Form Project Tiny Contact Form The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
2022-06-27 | CVE-2022-1847 | Rotating Posts Project | Cross-Site Request Forgery (CSRF) vulnerability in Rotating Posts Project Rotating Posts The Rotating Posts WordPress plugin through 1.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
2022-06-27 | CVE-2022-1885 | Cimy Header Image Rotator Project | Cross-Site Request Forgery (CSRF) vulnerability in Cimy Header Image Rotator Project Cimy Header Image Rotator The Cimy Header Image Rotator WordPress plugin through 6.1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
2022-06-27 | CVE-2022-1913 | ADD Post URL Project | Cross-Site Request Forgery (CSRF) vulnerability in ADD Post URL Project ADD Post URL The Add Post URL WordPress plugin through 2.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping | 4.3 |
2022-06-27 | CVE-2022-1914 | Clean Contact Project | Cross-Site Request Forgery (CSRF) vulnerability in Clean-Contact Project Clean-Contact The Clean-Contact WordPress plugin through 1.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well | 4.3 |
2022-06-27 | CVE-2022-1960 | Mycss Project | Cross-Site Request Forgery (CSRF) vulnerability in Mycss Project Mycss The MyCSS WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
2022-07-01 | CVE-2022-2228 | Gitlab | Unspecified vulnerability in Gitlab Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range | 4.0 |
2022-06-30 | CVE-2022-26135 | Atlassian | Server-Side Request Forgery (SSRF) vulnerability in Atlassian products A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. | 4.0 |
2022-06-29 | CVE-2017-20109 | Calabrio | Cleartext Transmission of Sensitive Information vulnerability in Calabrio Teleopti Workforce Management 7.1.0 A vulnerability classified as problematic was found in Teleopti WFM up to 7.1.0. | 4.0 |
2022-06-28 | CVE-2022-29858 | Silverstripe | Improper Authentication vulnerability in Silverstripe Assets Silverstripe silverstripe/assets through 1.10 is vulnerable to improper access control that allows protected images to be published by changing an existing image short code on website content. | 4.0 |
2022-06-28 | CVE-2022-31883 | Marvalglobal | Authorization Bypass Through User-Controlled Key vulnerability in Marvalglobal Marval MSM 14.19.0.12476 Marval MSM v14.19.0.12476 has an Insecure Direct Object Reference (IDOR) vulnerability. | 4.0 |
2022-06-28 | CVE-2022-31229 | Dell | Information Exposure Through an Error Message vulnerability in Dell Powerscale Onefs Dell PowerScale OneFS, 8.2.x through 9.3.0.x, contain an error message with sensitive information. | 4.0 |
2022-06-28 | CVE-2022-30562 | Dahuasecurity | Open Redirect vulnerability in Dahuasecurity products If the user enables the https function on the device, an attacker can modify the user's request data packet through a man-in-the-middle attack; injection of a malicious URL in the Host: header of the HTTP Request results in a 302 redirect to an attacker-controlled page. | 4.0 |
2022-06-27 | CVE-2022-31099 | Pomsky Lang | Uncontrolled Recursion vulnerability in Pomsky-Lang Pomsky rulex is a new, portable, regular expression language. | 4.0 |
2022-06-27 | CVE-2022-31100 | Pomsky Lang | Reachable Assertion vulnerability in Pomsky-Lang Pomsky rulex is a new, portable, regular expression language. | 4.0 |
2022-06-27 | CVE-2022-2221 | Devolutions | Insufficiently Protected Credentials vulnerability in Devolutions Remote Desktop Manager Information Exposure vulnerability in My Account Settings of Devolutions Remote Desktop Manager before 2022.1.8 allows authenticated users to access credentials of other users. | 4.0 |
52 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-06-28 | CVE-2017-20106 | Khoros | Server-Side Request Forgery (SSRF) vulnerability in Khoros Lithium Forum 2017 A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. | 3.6 |
2022-07-01 | CVE-2022-1981 | Gitlab | Incorrect Authorization vulnerability in Gitlab An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. | 3.5 |
2022-07-01 | CVE-2022-2227 | Gitlab | Incorrect Permission Assignment for Critical Resource vulnerability in Gitlab Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions | 3.5 |
2022-07-01 | CVE-2022-2230 | Gitlab | Cross-site Scripting vulnerability in Gitlab A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf. | 3.5 |
2022-07-01 | CVE-2022-2235 | Gitlab | Cross-site Scripting vulnerability in Gitlab Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link | 3.5 |
2022-07-01 | CVE-2022-2254 | Webhmi | Cross-site Scripting vulnerability in Webhmi Firmware A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 can store a script that could impact other logged in users. | 3.5 |
2022-07-01 | CVE-2014-3650 | Redhat | Cross-site Scripting vulnerability in Redhat Jboss Aerogear 1.0.0 Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. | 3.5 |
2022-07-01 | CVE-2022-2280 | Microweber | Cross-site Scripting vulnerability in Microweber Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. | 3.5 |
2022-07-01 | CVE-2022-32988 | Asus | Cross-site Scripting vulnerability in Asus Dsl-N14U-B1 Firmware 1.1.2.3805 Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. | 3.5 |
2022-06-30 | CVE-2022-33043 | Urtracker | Cross-site Scripting vulnerability in Urtracker 4.0.1.1477 A cross-site scripting (XSS) vulnerability in the batch add function of Urtracker Premium v4.0.1.1477 allows attackers to execute arbitrary web scripts or HTML via a crafted excel file. | 3.5 |
2022-06-30 | CVE-2017-20122 | Bitrix24 | Cross-site Scripting vulnerability in Bitrix24 Bitrix Site Manager 12.06.2015 A vulnerability classified as problematic was found in Bitrix Site Manager 12.06.2015. | 3.5 |
2022-06-29 | CVE-2022-31063 | Enalean | Cross-site Scripting vulnerability in Enalean Tuleap Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. | 3.5 |
2022-06-29 | CVE-2017-20108 | Easy Table Project | Cross-site Scripting vulnerability in Easy Table Project Easy Table A vulnerability classified as problematic has been found in Easy Table Plugin 1.6. | 3.5 |
2022-06-29 | CVE-2022-28803 | Silverstripe | Cross-site Scripting vulnerability in Silverstripe In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript link tags added via XMLHttpRequest (XHR). | 3.5 |
2022-06-28 | CVE-2022-25238 | Silverstripe | Cross-site Scripting vulnerability in Silverstripe Framework Silverstripe silverstripe/framework through 4.10.0 allows XSS inside of script tags that can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed or the sanitise_server_side config is not set to true in project code. | 3.5 |
2022-06-28 | CVE-2022-23896 | Admidio | Cross-site Scripting vulnerability in Admidio Admidio 4.1.2 version is affected by stored cross-site scripting (XSS). | 3.5 |
2022-06-27 | CVE-2022-33009 | Lightcms Project | Cross-site Scripting vulnerability in Lightcms Project Lightcms 1.3.11 A stored cross-site scripting (XSS) vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file. | 3.5 |
2022-06-27 | CVE-2022-31077 | Linuxfoundation | NULL Pointer Dereference vulnerability in Linuxfoundation Kubeedge KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. | 3.5 |
2022-06-27 | CVE-2022-33116 | Openeclass | Path Traversal vulnerability in Openeclass An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal. | 3.5 |
2022-06-27 | CVE-2022-31057 | Shopware | Cross-site Scripting vulnerability in Shopware Shopware is an open source e-commerce software made in Germany. | 3.5 |
2022-06-27 | CVE-2017-20098 | Weblizar | Cross-site Scripting vulnerability in Weblizar Admin Custom Login 2.4.5.2 A vulnerability was found in Admin Custom Login Plugin 2.4.5.2. | 3.5 |
2022-06-27 | CVE-2017-20101 | Projectsend | Authorization Bypass Through User-Controlled Key vulnerability in Projectsend R754 A vulnerability, which was classified as problematic, was found in ProjectSend r754. | 3.5 |
2022-06-27 | CVE-2022-1010 | Miniorange | Cross-site Scripting vulnerability in Miniorange Login Using Wordpress Users The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | 3.5 |
2022-06-27 | CVE-2022-1028 | Miniorange | Cross-site Scripting vulnerability in Miniorange Wordpress Security The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | 3.5 |
2022-06-27 | CVE-2022-1029 | Miniorange | Cross-site Scripting vulnerability in Miniorange Limit Login Attempts The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | 3.5 |
2022-06-27 | CVE-2022-1321 | Miniorange | Cross-site Scripting vulnerability in Miniorange Google Authenticator The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | 3.5 |
2022-06-27 | CVE-2022-1326 | Form Contact Form Project | Cross-site Scripting vulnerability in Form - Contact Form Project Form - Contact Form The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 3.5 |
2022-06-27 | CVE-2022-1776 | Icegram | Cross-site Scripting vulnerability in Icegram Popups, Welcome Bar, Optins and Lead Generation Plugin The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks | 3.5 |
2022-06-27 | CVE-2022-1964 | Easy SVG Support Project | Cross-site Scripting vulnerability in Easy SVG Support Project Easy SVG Support The Easy SVG Support WordPress plugin before 3.3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads | 3.5 |
2022-06-27 | CVE-2022-1971 | Wpgetready | Cross-site Scripting vulnerability in Wpgetready Nextcellent Gallery The NextCellent Gallery WordPress plugin through 1.9.35 does not sanitise and escape some of its image settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | 3.5 |
2022-06-27 | CVE-2022-1994 | Miniorange | Cross-site Scripting vulnerability in Miniorange Login With OTP Over Sms, Email, Whatsapp and Google Authenticator The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 3.5 |
2022-06-27 | CVE-2022-1995 | Miniorange | Cross-site Scripting vulnerability in Miniorange Malware Scanner The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | 3.5 |
2022-06-27 | CVE-2022-2040 | Brizy | Cross-site Scripting vulnerability in Brizy Brizy-Page Builder The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | 3.5 |
2022-06-27 | CVE-2022-2041 | Brizy | Cross-site Scripting vulnerability in Brizy Brizy-Page Builder The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | 3.5 |
2022-06-30 | CVE-2022-22496 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Spectrum Protect Server While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. | 3.3 |
2022-06-28 | CVE-2021-3433 | Zephyrproject | Unspecified vulnerability in Zephyrproject Zephyr 2.5.0/2.5.1 Invalid channel map in CONNECT_IND results to Deadlock. | 3.3 |
2022-06-27 | CVE-2022-33879 | Apache | Unspecified vulnerability in Apache Tika The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. | 3.3 |
2022-06-27 | CVE-2022-31076 | Linuxfoundation | NULL Pointer Dereference vulnerability in Linuxfoundation Kubeedge KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. | 2.7 |
2022-06-27 | CVE-2022-2106 | Smartics | Path Traversal vulnerability in Smartics 2.3.4.0 Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files. | 2.7 |
2022-06-30 | CVE-2013-4170 | Emberjs | Cross-site Scripting vulnerability in Emberjs Ember.Js In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. | 2.6 |
2022-06-27 | CVE-2022-1904 | Fatcatapps | Cross-site Scripting vulnerability in Fatcatapps Easy Pricing Tables The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape parameter before outputting it back in a page available to any user (both authenticated and unauthenticated) when a specific setting is enabled, leading to a Reflected Cross-Site Scripting | 2.6 |
2022-07-01 | CVE-2022-25876 | Link Preview JS Project | Server-Side Request Forgery (SSRF) vulnerability in Link-Preview-Js Project Link-Preview-Js The package link-preview-js before 2.1.16 is vulnerable to Server-side Request Forgery (SSRF), which allows attackers to send arbitrary requests to the local network and read the response. | 2.1 |
2022-07-01 | CVE-2022-22366 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 stores user credentials in plain clear text which can be read by a local user. | 2.1 |
2022-07-01 | CVE-2022-22367 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 could disclose sensitive database information to a local user in plain text. | 2.1 |
2022-06-30 | CVE-2014-0068 | Redhat | Incorrect Permission Assignment for Critical Resource vulnerability in Redhat Openshift-Origin-Node-Util It was reported that watchman in openshift node-utils creates /var/run/watchman.pid and /var/log/watchman.ouput with world writable permission. | 2.1 |
2022-06-30 | CVE-2022-22478 | IBM | Cleartext Storage of Sensitive Information vulnerability in IBM Spectrum Protect Client IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. | 2.1 |
2022-06-30 | CVE-2022-1955 | Opft | Improper Authentication vulnerability in Opft Session 1.13.0 Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data. | 2.1 |
2022-06-28 | CVE-2021-3435 | Zephyrproject | Use of Uninitialized Resource vulnerability in Zephyrproject Zephyr 2.4.0/2.5.0/2.5.1 Information leakage in le_ecred_conn_req(). | 2.1 |
2022-06-28 | CVE-2022-0987 | Packagekit Project Redhat | A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. | 2.1 |
2022-06-27 | CVE-2022-31096 | Discourse | Improper Preservation of Permissions vulnerability in Discourse Discourse is an open source discussion platform. | 2.1 |
2022-06-27 | CVE-2022-31064 | Bigbluebutton | Cross-site Scripting vulnerability in Bigbluebutton BigBlueButton is an open source web conferencing system. | 2.1 |
2022-06-27 | CVE-2017-20102 | Album Lock Project | Path Traversal vulnerability in Album Lock Project Album Lock 4.0 A vulnerability was found in Album Lock 4.0 and classified as critical. | 2.1 |