Weekly Vulnerabilities Reports > July 4 to 10, 2022
Overview
238 new vulnerabilities were reported during this period, including 25 critical vulnerabilities and 51 high severity vulnerabilities. This weekly summary reports vulnerabilities in 340 products from 116 vendors including Google, Debian, Fedoraproject, Cybozu, and Netapp. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "OS Command Injection", and "Cross-Site Request Forgery (CSRF)".
- 180 reported vulnerabilities are remotely exploitable.
- 3 reported vulnerabilities have a public exploit available.
- 95 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 149 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 25 reported vulnerabilities.
- Tenda has the most reported critical vulnerabilities, with 4 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
25 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-07-07 | CVE-2022-33936 | Dell | Unspecified vulnerability in Dell Cloud Mobility for Dell EMC Storage 1.3.0 Cloud Mobility for Dell EMC Storage, 1.3.0.XXX contains a RCE vulnerability. | 10.0 |
2022-07-06 | CVE-2022-20083 | Mediatek | Out-of-bounds Write vulnerability in Mediatek products In Modem 2G/3G CC, there is a possible out of bounds write due to a missing bounds check. | 10.0 |
2022-07-06 | CVE-2022-21744 | Mediatek | Out-of-bounds Write vulnerability in Mediatek products In Modem 2G RR, there is a possible out of bounds write due to a missing bounds check. | 10.0 |
2022-07-08 | CVE-2022-31137 | Roxy WI | OS Command Injection vulnerability in Roxy-Wi Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. | 9.8 |
2022-07-08 | CVE-2022-35411 | RPC PY Project | Insufficiently Protected Credentials vulnerability in Rpc.Py Project Rpc.Py rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. | 9.8 |
2022-07-08 | CVE-2022-1245 | Redhat | Authorization Bypass Through User-Controlled Key vulnerability in Redhat Keycloak A privilege escalation flaw was found in the token exchange feature of keycloak. | 9.8 |
2022-07-07 | CVE-2022-32054 | Tenda | OS Command Injection vulnerability in Tenda Ac10 Firmware 15.03.06.26 Tenda AC10 US_AC10V1.0RTL_V15.03.06.26_multi_TD01 was discovered to contain a remote code execution (RCE) vulnerability via the lanIp parameter. | 9.8 |
2022-07-07 | CVE-2022-32449 | Totolink | Command Injection vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.7484 TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. | 9.8 |
2022-07-07 | CVE-2022-34592 | Wavlink | Command Injection vulnerability in Wavlink Wl-Wn575A3 Firmware Rpt75A3.V4300.201217 Wavlink WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability via the function obtw. | 9.8 |
2022-07-07 | CVE-2022-32207 | Haxx Fedoraproject Debian Netapp Apple Splunk | Incorrect Default Permissions vulnerability in multiple products When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. | 9.8 |
2022-07-07 | CVE-2022-25046 | Control Webpanel | Path Traversal vulnerability in Control-Webpanel Webpanel A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | 9.8 |
2022-07-06 | CVE-2022-33047 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a heap buffer overflow after free via otfccbuild.c. | 9.8 |
2022-07-06 | CVE-2022-34595 | Tenda | OS Command Injection vulnerability in Tenda Ax1803 Firmware 1.0.0.12890 Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status. | 9.8 |
2022-07-06 | CVE-2022-34596 | Tenda | OS Command Injection vulnerability in Tenda Ax1803 Firmware 1.0.0.12890 Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting. | 9.8 |
2022-07-06 | CVE-2022-34597 | Tenda | OS Command Injection vulnerability in Tenda Ax1806 Firmware 1.0.0.1 Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting. | 9.8 |
2022-07-06 | CVE-2022-33980 | Apache Netapp Debian | Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. | 9.8 |
2022-07-06 | CVE-2022-32533 | Apache | Unspecified vulnerability in Apache Jetspeed Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. | 9.8 |
2022-07-05 | CVE-2022-32310 | Ingredient Stock Management System Project | Incorrect Authorization vulnerability in Ingredient Stock Management System Project Ingredient Stock Management System 1.0 An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php. | 9.8 |
2022-07-05 | CVE-2022-31836 | Beego | Path Traversal vulnerability in Beego The leafInfo.match() function in Beego v2.0.3 and below uses path.join() to deal with wildcardvalues which can lead to cross directory risk. | 9.8 |
2022-07-04 | CVE-2022-33171 | Typeorm | SQL Injection vulnerability in Typeorm The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. | 9.8 |
2022-07-04 | CVE-2022-34265 | Djangoproject | SQL Injection vulnerability in Djangoproject Django An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. | 9.8 |
2022-07-07 | CVE-2021-46825 | Broadcom | HTTP Request Smuggling vulnerability in Broadcom Advanced Secure Gateway and Proxysg Symantec Advanced Secure Gateway (ASG) and ProxySG are susceptible to an HTTP desync vulnerability. | 9.1 |
2022-07-07 | CVE-2022-25048 | Control Webpanel | OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.1126 Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user. | 9.0 |
2022-07-05 | CVE-2022-34877 | Vicidial | SQL Injection vulnerability in Vicidial 2.14B0.5 SQL Injection vulnerability in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. | 9.0 |
2022-07-05 | CVE-2022-34878 | Vicidial | SQL Injection vulnerability in Vicidial 2.14B0.5 SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. | 9.0 |
51 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-07-06 | CVE-2022-20859 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to. | 8.8 |
2022-07-05 | CVE-2022-34876 | Vicidial | SQL Injection vulnerability in Vicidial 2.14B0.5 SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. | 8.5 |
2022-07-07 | CVE-2022-33680 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 8.3 |
2022-07-06 | CVE-2022-21767 | | Out-of-bounds Write vulnerability in Google Android In Bluetooth, there is a possible out of bounds write due to a missing bounds check. | 8.3 |
2022-07-06 | CVE-2022-21768 | | Out-of-bounds Write vulnerability in Google Android In Bluetooth, there is a possible out of bounds write due to a missing bounds check. | 8.3 |
2022-07-04 | CVE-2022-33948 | Kddi | OS Command Injection vulnerability in Kddi Home Spot Cube 2 Firmware V100/V101/V102 HOME SPOT CUBE2 V102 contains an OS command injection vulnerability due to improper processing of data received from DHCP server. | 8.3 |
2022-07-04 | CVE-2022-29484 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operation restriction bypass vulnerability in Space of Cybozu Garoon 4.0.0 to 5.9.0 allows a remote authenticated attacker to delete the data of Space. | 8.1 |
2022-07-04 | CVE-2022-34151 | Omron | Use of Hard-coded Credentials vulnerability in Omron products Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller. | 8.1 |
2022-07-08 | CVE-2021-41037 | Eclipse | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Eclipse Equinox P2 In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. | 8.0 |
2022-07-08 | CVE-2022-2345 | VIM Fedoraproject | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0.0046. | 7.8 |
2022-07-08 | CVE-2022-2344 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045. | 7.8 |
2022-07-08 | CVE-2022-2343 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044. | 7.8 |
2022-07-07 | CVE-2022-32481 | Dell | Unspecified vulnerability in Dell Powerprotect Cyber Recovery Dell PowerProtect Cyber Recovery, versions prior to 19.11, contain a privilege escalation vulnerability on virtual appliance deployments. | 7.8 |
2022-07-07 | CVE-2022-32058 | TP Link | Infinite Loop vulnerability in Tp-Link Tl-Wr741N Firmware and Tl-Wr742N Firmware An infinite loop in the function httpRpmPass of TP-Link TL-WR741N/TL-WR742N V1/V2/V3_130415 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 7.8 |
2022-07-07 | CVE-2022-31135 | Aceattorneyonline | Improper Validation of Array Index vulnerability in Aceattorneyonline Akashi 1.3 Akashi is an open source server implementation of the Attorney Online video game based on the Ace Attorney universe. | 7.8 |
2022-07-06 | CVE-2022-26078 | Gallagher | Unspecified vulnerability in Gallagher Controller 6000 Firmware Gallagher Controller 6000 is vulnerable to a Denial of Service attack via conflicting ARP packets with a duplicate IP address. | 7.8 |
2022-07-06 | CVE-2022-23714 | Elastic | Unspecified vulnerability in Elastic Endpoint Security A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | 7.8 |
2022-07-05 | CVE-2022-2304 | VIM Fedoraproject Debian | Stack-based Buffer Overflow vulnerability in multiple products Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. | 7.8 |
2022-07-05 | CVE-2022-33743 | XEN Linux Debian | network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. | 7.8 |
2022-07-04 | CVE-2022-34918 | Linux Debian Canonical Netapp | Type Confusion vulnerability in multiple products An issue was discovered in the Linux kernel through 5.18.9. | 7.8 |
2022-07-04 | CVE-2022-32284 | Yokogawa | Use of Insufficiently Random Values vulnerability in Yokogawa Aw810D Firmware R12 Use of insufficiently random values vulnerability exists in Vnet/IP communication module VI461 of YOKOGAWA Wide Area Communication Router (WAC Router) AW810D, which may allow a remote attacker to cause denial-of-service (DoS) condition by sending a specially crafted packet. | 7.8 |
2022-07-08 | CVE-2022-28623 | HPE | SQL Injection vulnerability in HPE Icewall SSO Certd 10.0 Security vulnerabilities in HPE IceWall SSO 10.0 certd could be exploited remotely to allow SQL injection or unauthorized data injection. | 7.5 |
2022-07-07 | CVE-2021-29281 | GFI | Unrestricted Upload of File with Dangerous Type vulnerability in GFI Archiver File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317. | 7.5 |
2022-07-07 | CVE-2021-35283 | Atoms183 CMS Project | SQL Injection vulnerability in Atoms183 CMS Project Atoms183 CMS 1.0 SQL Injection vulnerability in product_admin.php in atoms183 CMS 1.0, allows attackers to execute arbitrary commands via the Name, Fname, and ID parameters to search.php. | 7.5 |
2022-07-07 | CVE-2022-2048 | Eclipse Debian Netapp Jenkins | In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. | 7.5 |
2022-07-07 | CVE-2022-32056 | Online Accreditation Management System Project | SQL Injection vulnerability in Online Accreditation Management System Project Online Accreditation Management System 1.0 Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php. | 7.5 |
2022-07-06 | CVE-2022-31125 | Roxy WI | Improper Authentication vulnerability in Roxy-Wi Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. | 7.5 |
2022-07-06 | CVE-2022-31126 | Roxy WI | Injection vulnerability in Roxy-Wi Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. | 7.5 |
2022-07-06 | CVE-2022-31129 | Momentjs Fedoraproject Debian | moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. | 7.5 |
2022-07-06 | CVE-2022-34598 | H3C | Unspecified vulnerability in H3C Magic R100 Firmware V100R005/V200R004 The udpserver in H3C Magic R100 V200R004 and V100R005 has the 9034 port opened, allowing attackers to execute arbitrary commands. | 7.5 |
2022-07-06 | CVE-2022-33737 | Openvpn | Information Exposure Through Log Files vulnerability in Openvpn Access Server The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a randomly generated admin password. | 7.5 |
2022-07-06 | CVE-2022-30591 | Quic GO Project | Resource Exhaustion vulnerability in Quic-Go Project Quic-Go quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. | 7.5 |
2022-07-06 | CVE-2022-32383 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44 Tenda AC23 v16.03.07.44 was discovered to contain a stack overflow via the AdvSetMacMtuWan function. | 7.5 |
2022-07-06 | CVE-2022-32385 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44 Tenda AC23 v16.03.07.44 is vulnerable to Stack Overflow that will allow for the execution of arbitrary code (remote). | 7.5 |
2022-07-06 | CVE-2022-32386 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44 Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. | 7.5 |
2022-07-05 | CVE-2022-31856 | Newsletter Module Project | SQL Injection vulnerability in Newsletter Module Project Newsletter Module 3.0.2.0 Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php. | 7.5 |
2022-07-05 | CVE-2022-32311 | Ingredient Stock Management System Project | SQL Injection vulnerability in Ingredient Stock Management System Project Ingredient Stock Management System 1.0 Ingredient Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /isms/admin/stocks/view_stock.php. | 7.5 |
2022-07-05 | CVE-2022-32413 | Dice Project | Unrestricted Upload of File with Dangerous Type vulnerability in Dice Project Dice 4.2.0 An arbitrary file upload vulnerability in Dice v4.2.0 allows attackers to execute arbitrary code via a crafted file. | 7.5 |
2022-07-05 | CVE-2022-34972 | SO Filter Shop BY Project | SQL Injection vulnerability in SO Filter Shop BY Project SO Filter Shop BY 3.0 So Filter Shop v3.x was discovered to contain multiple blind SQL injection vulnerabilities via the att_value_id, manu_value_id, opt_value_id, and subcate_value_id parameters at /index.php?route=extension/module/so_filter_shop_by/filter_data. | 7.5 |
2022-07-05 | CVE-2022-31116 | Ultrajson Project Fedoraproject | Always-Incorrect Control Flow Implementation vulnerability in multiple products UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. | 7.5 |
2022-07-05 | CVE-2022-30290 | Citeum | Unspecified vulnerability in Citeum Opencti In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. | 7.5 |
2022-07-05 | CVE-2022-2309 | Lxml Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). | 7.5 |
2022-07-07 | CVE-2022-31854 | Codologic | Unrestricted Upload of File with Dangerous Type vulnerability in Codologic Codoforum 5.1 Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel. | 7.2 |
2022-07-06 | CVE-2022-24138 | Iobit | Files or Directories Accessible to External Parties vulnerability in Iobit Advanced Systemcare 15 IOBit Advanced System Care (Asc.exe) 15 and Action Download Center both download components of IOBit suite into ProgramData folder, ProgramData folder has "rwx" permissions for unprivileged users. | 7.2 |
2022-07-06 | CVE-2022-24139 | Iobit | Exposure of Resource to Wrong Sphere vulnerability in Iobit Advanced System Care 15 In IOBit Advanced System Care (AscService.exe) 15, an attacker with SEImpersonatePrivilege can create a named pipe with the same name as one of ASCService's named pipes. | 7.2 |
2022-07-04 | CVE-2022-2268 | Soflyy | Unrestricted Upload of File with Dangerous Type vulnerability in Soflyy WP ALL Import The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. | 7.2 |
2022-07-05 | CVE-2022-26365 | Linux XEN Debian Fedoraproject | Memory Leak vulnerability in multiple products Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). | 7.1 |
2022-07-05 | CVE-2022-33740 | Fedoraproject Debian Linux XEN | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). | 7.1 |
2022-07-05 | CVE-2022-33741 | Fedoraproject Debian Linux XEN | Information Exposure vulnerability in multiple products Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). | 7.1 |
2022-07-05 | CVE-2022-33742 | Fedoraproject Debian Linux XEN | Information Exposure vulnerability in multiple products Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). | 7.1 |
2022-07-06 | CVE-2021-3697 | GNU Redhat | Out-of-bounds Write vulnerability in multiple products A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. | 7.0 |
132 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-07-06 | CVE-2022-20082 | | Race Condition vulnerability in Google Android 10.0/11.0/12.0 In GPU, there is a possible use after free due to a race condition. | 6.9 |
2022-07-08 | CVE-2022-34914 | Webswing | Injection vulnerability in Webswing Webswing before 22.1.3 allows X-Forwarded-For header injection. | 6.8 |
2022-07-08 | CVE-2022-33011 | Withknown | Injection vulnerability in Withknown Known Known v1.3.1+2020120201 was discovered to allow attackers to perform an account takeover via a host header injection attack. | 6.8 |
2022-07-06 | CVE-2021-23163 | Jfrog | Cross-Site Request Forgery (CSRF) vulnerability in Jfrog Artifactory JFrog Artifactory prior to version 7.33.6 and 6.23.38 is vulnerable to CSRF (Cross-Site Request Forgery) for specific endpoints. | 6.8 |
2022-07-06 | CVE-2021-46687 | Jfrog | Exposure of Resource to Wrong Sphere vulnerability in Jfrog Artifactory JFrog Artifactory prior to version 7.31.10 and 6.23.38 is vulnerable to Sensitive Data Exposure through the Project Administrator REST API. | 6.8 |
2022-07-04 | CVE-2022-33208 | Omron | Authentication Bypass by Capture-replay vulnerability in Omron products Authentication bypass by capture-replay vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who can analyze the communication between the affected controller and automation software 'Sysmac Studio' and/or a Programmable Terminal (PT) to access the controller. | 6.8 |
2022-07-06 | CVE-2022-21765 | | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In CCCI, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-07-06 | CVE-2022-21766 | | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 In CCCI, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-07-06 | CVE-2022-21784 | | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In WLAN driver, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-07-07 | CVE-2015-1784 | Imagely | Unrestricted Upload of File with Dangerous Type vulnerability in Imagely Nextgen Gallery In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application. | 6.5 |
2022-07-07 | CVE-2022-32206 | Haxx Fedoraproject Debian Netapp Siemens Splunk | Allocation of Resources Without Limits or Throttling vulnerability in multiple products curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. | 6.5 |
2022-07-07 | CVE-2022-33996 | Devolutions | Incorrect Default Permissions vulnerability in Devolutions Server Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inherit the permissions of that previous user. | 6.5 |
2022-07-06 | CVE-2022-20791 | Cisco | Path Traversal vulnerability in Cisco Unified Communications Manager A vulnerability in the database user privileges of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. | 6.5 |
2022-07-06 | CVE-2022-20808 | Cisco | Resource Exhaustion vulnerability in Cisco Smart Software Manager On-Prem 8202004/8202108 A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 6.5 |
2022-07-06 | CVE-2022-20812 | Cisco | Path Traversal vulnerability in Cisco Telepresence Video Communication Server Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. | 6.5 |
2022-07-06 | CVE-2015-3173 | Custom Content Type Manager Project | Code Injection vulnerability in Custom Content Type Manager Project Custom Content Type Manager custom-content-type-manager Wordpress plugin can be used by an administrator to achieve arbitrary PHP remote code execution. | 6.5 |
2022-07-06 | CVE-2022-30929 | Mini Tmall Project | Incorrect Permission Assignment for Critical Resource vulnerability in Mini Tmall Project Mini Tmall 1.0 Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper. | 6.5 |
2022-07-06 | CVE-2022-23173 | Priority Software | Authorization Bypass Through User-Controlled Key vulnerability in Priority-Software Priority This vulnerability affects even users who are not allowed to access via the web interface. | 6.5 |
2022-07-06 | CVE-2022-30619 | Agilepoint | SQL Injection vulnerability in Agilepoint NX 6.0/7.0 Editable SQL Queries behind Base64 encoding sending from the Client-Side to The Server-Side for a particular API used in legacy Work Center module. | 6.5 |
2022-07-06 | CVE-2021-31677 | Pescms | Cross-Site Request Forgery (CSRF) vulnerability in Pescms Team 2.3.3 An issue was discovered in PESCMS-V2.3.3. | 6.5 |
2022-07-06 | CVE-2021-31679 | Pescms | Cross-Site Request Forgery (CSRF) vulnerability in Pescms Team 2.3.3 An issue was discovered in PESCMS-V2.3.3. | 6.5 |
2022-07-06 | CVE-2022-28935 | Totolink | Command Injection vulnerability in Totolink products Totolink A830R V5.9c.4729_B20191112, Totolink A3100R V4.1.2cu.5050_B20200504, Totolink A950RG V4.1.2cu.5161_B20200903, Totolink A800R V4.1.2cu.5137_B20200730, Totolink A3000RU V5.9c.5185_B20201128, Totolink A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability. | 6.5 |
2022-07-05 | CVE-2021-44915 | Taogogo | SQL Injection vulnerability in Taogogo Taocms 3.0.2 Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category. | 6.5 |
2022-07-05 | CVE-2021-43116 | Alibaba | Improper Authentication vulnerability in Alibaba Nacos An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login. | 6.5 |
2022-07-04 | CVE-2022-29892 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Space of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to repeatedly display errors in certain functions and cause a denial-of-service (DoS). | 6.5 |
2022-07-08 | CVE-2022-22463 | IBM | SQL Injection vulnerability in IBM Security Verify Access IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to SQL injection. | 6.4 |
2022-07-06 | CVE-2014-8164 | Redhat | Improper Certificate Validation vulnerability in Redhat Cloudforms Management Engine 5.0 An insecure configuration for certificate verification (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) may lead to verification bypass in Red Hat CloudForms 5.x. | 6.4 |
2022-07-09 | CVE-2022-2353 | Microweber | Cross-Site Request Forgery (CSRF) vulnerability in Microweber Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. | 6.1 |
2022-07-07 | CVE-2022-34007 | EQS | Cross-site Scripting vulnerability in EQS Integrity Line EQS Integrity Line Professional through 2022-07-01 allows a stored XSS via a crafted whistleblower entry. | 6.1 |
2022-07-06 | CVE-2022-20800 | Cisco | Cross-site Scripting vulnerability in Cisco Unified Communications Manager A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 6.1 |
2022-07-06 | CVE-2022-20815 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 6.1 |
2022-07-06 | CVE-2021-31676 | Pescms | Cross-site Scripting vulnerability in Pescms Team 2.3.3 A reflected XSS was discovered in PESCMS-V2.3.3. | 6.1 |
2022-07-08 | CVE-2022-22476 | IBM | Authentication Bypass by Spoofing vulnerability in IBM Open Liberty and Websphere Application Server IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. | 6.0 |
2022-07-06 | CVE-2022-24140 | Iobit | Download of Code Without Integrity Check vulnerability in Iobit products IOBit Advanced System Care 15, iTop Screen Recorder 2.1, iTop VPN 3.2, Driver Booster 9, and iTop Screenshot send HTTP requests in their update procedure in order to download a config file. | 6.0 |
2022-07-07 | CVE-2022-32208 | Haxx Fedoraproject Debian Netapp Apple Splunk | Out-of-bounds Write vulnerability in multiple products When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. | 5.9 |
2022-07-07 | CVE-2022-25047 | Control Webpanel | Use of Insufficiently Random Values vulnerability in Control-Webpanel Webpanel 0.9.8.1126 The password reset token in CWP v0.9.8.1126 is generated using known or predictable values. | 5.9 |
2022-07-06 | CVE-2022-20813 | Cisco | Improper Certificate Validation vulnerability in Cisco Telepresence Video Communication Server Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device. | 5.9 |
2022-07-05 | CVE-2022-31117 | Ultrajson Project Fedoraproject | Double Free vulnerability in multiple products UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. | 5.9 |
2022-07-06 | CVE-2022-27549 | Hcltechsw | Cleartext Storage of Sensitive Information vulnerability in Hcltechsw HCL Launch 7.0.5.10/7.1.2.6/7.2.2.1 HCL Launch may store certain data for recurring activities in a plain text format. | 5.5 |
2022-07-06 | CVE-2022-2318 | Linux Debian Netapp | Use After Free vulnerability in multiple products There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of Linux that allow attackers to crash the Linux kernel without any privileges. | 5.5 |
2022-07-06 | CVE-2022-24141 | Iobit | Unspecified vulnerability in Iobit Itop VPN 3.2 The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. | 5.5 |
2022-07-08 | CVE-2022-34160 | IBM | Cross-site Scripting vulnerability in IBM Cics TX 11.1 IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTML injection. | 5.4 |
2022-07-08 | CVE-2022-34306 | IBM | Cross-site Scripting vulnerability in IBM Cics TX 11.1 IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. | 5.4 |
2022-07-06 | CVE-2022-35229 | Zabbix | Cross-site Scripting vulnerability in Zabbix An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. | 5.4 |
2022-07-05 | CVE-2022-33075 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul ZOO Management System 1.0 A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors. | 5.4 |
2022-07-04 | CVE-2022-26368 | Cybozu | Unspecified vulnerability in Cybozu Garoon Browse restriction bypass and operation restriction bypass vulnerability in Cabinet of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter and/or obtain the data of Cabinet. | 5.4 |
2022-07-04 | CVE-2022-33971 | Omron | Authentication Bypass by Capture-replay vulnerability in Omron products Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program. | 5.4 |
2022-07-07 | CVE-2021-41042 | Eclipse | XXE vulnerability in Eclipse LYO 1.0.0/4.1.0 In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. | 5.3 |
2022-07-06 | CVE-2022-20752 | Cisco | Information Exposure Through Discrepancy vulnerability in Cisco Unified Communications Manager and Unity Connection A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack. | 5.3 |
2022-07-05 | CVE-2022-2097 | Openssl Fedoraproject Netapp Siemens Debian | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. | 5.3 |
2022-07-04 | CVE-2022-28713 | Cybozu | Improper Authentication vulnerability in Cybozu Garoon Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product. | 5.3 |
2022-07-08 | CVE-2022-22464 | IBM | Inadequate Encryption Strength vulnerability in IBM Security Verify Access IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.0 |
2022-07-08 | CVE-2022-35410 | 0Xacab Debian | Path Traversal vulnerability in multiple products mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. | 5.0 |
2022-07-07 | CVE-2022-2191 | Eclipse | Improper Resource Shutdown or Release vulnerability in Eclipse Jetty In Eclipse Jetty versions 10.0.0 thru 10.0.9 and 11.0.0 thru 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool in error code paths. | 5.0 |
2022-07-07 | CVE-2021-31645 | Glftpd | Allocation of Resources Without Limits or Throttling vulnerability in Glftpd 2.11A An issue was discovered in glFTPd 2.11a that allows remote attackers to cause a denial of service via exceeding the connection limit. | 5.0 |
2022-07-07 | CVE-2022-32055 | Nesote | SQL Injection vulnerability in Nesote Inout Homestay 2.2 Inout Homestay v2.2 was discovered to contain a SQL injection vulnerability via the guests parameter at /index.php?page=search/rentals. | 5.0 |
2022-07-07 | CVE-2022-31121 | Hyperledger | Improper Input Validation vulnerability in Hyperledger Fabric Hyperledger Fabric is a permissioned distributed ledger framework. | 5.0 |
2022-07-07 | CVE-2015-5236 | Icedtea WEB Project | Insufficient Verification of Data Authenticity vulnerability in Icedtea-Web Project Icedtea-Web It was discovered that IcedTea-Web used the codebase attribute of the <applet> tag on the HTML page that hosts the Java applet in the Same Origin Policy (SOP) checks. | 5.0 |
2022-07-07 | CVE-2015-3207 | Openshift | Missing Encryption of Sensitive Data vulnerability in Openshift Origin 3.0.0 In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes. | 5.0 |
2022-07-07 | CVE-2022-2339 | Xgenecloud | Server-Side Request Forgery (SSRF) vulnerability in Xgenecloud Nocodb With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read its contents. | 5.0 |
2022-07-06 | CVE-2021-4234 | Openvpn | Unspecified vulnerability in Openvpn Access Server OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack. | 5.0 |
2022-07-06 | CVE-2022-31111 | Parity | Always-Incorrect Control Flow Implementation vulnerability in Parity Frontier Frontier is Substrate's Ethereum compatibility layer. | 5.0 |
2022-07-06 | CVE-2022-33738 | Openvpn | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Openvpn Access Server OpenVPN Access Server before 2.11 uses a weak random generator to create the user session token for the web portal. | 5.0 |
2022-07-06 | CVE-2022-22681 | Synology | Session Fixation vulnerability in Synology Photo Station Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | 5.0 |
2022-07-05 | CVE-2022-2321 | Heroiclabs | Improper Restriction of Excessive Authentication Attempts vulnerability in Heroiclabs Nakama Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. | 5.0 |
2022-07-05 | CVE-2022-2306 | Heroiclabs | Insufficient Session Expiration vulnerability in Heroiclabs Nakama Old session tokens can be used to authenticate to the application and send authenticated requests. | 5.0 |
2022-07-04 | CVE-2022-34829 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Adselfservice Plus Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. | 5.0 |
2022-07-06 | CVE-2022-20768 | Cisco | Information Exposure Through Log Files vulnerability in Cisco Telepresence Collaboration Endpoint A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. | 4.9 |
2022-07-07 | CVE-2022-32060 | Snipeitapp | Cross-site Scripting vulnerability in Snipeitapp Snipe-It 6.0.2 An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file. | 4.8 |
2022-07-07 | CVE-2022-31029 | PI Hole | Cross-site Scripting vulnerability in Pi-Hole Adminlte AdminLTE is a Pi-hole Dashboard for stats and configuration. | 4.8 |
2022-07-05 | CVE-2022-33744 | Linux Debian | Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. | 4.7 |
2022-07-08 | CVE-2022-22465 | IBM | Unspecified vulnerability in IBM Security Verify Access IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 could allow a local user to obtain elevated privileges due to improper access permissions. | 4.6 |
2022-07-06 | CVE-2022-21770 | Google | Link Following vulnerability in Google Android 11.0/12.0 In sound driver, there is a possible information disclosure due to symlink following. | 4.6 |
2022-07-06 | CVE-2022-21771 | Google | Race Condition vulnerability in Google Android 11.0/12.0 In GED driver, there is a possible use after free due to a race condition. | 4.6 |
2022-07-06 | CVE-2022-21772 | Google | Race Condition vulnerability in Google Android 11.0/12.0 In TEEI driver, there is a possible type confusion due to a race condition. | 4.6 |
2022-07-06 | CVE-2022-21773 | Google | Race Condition vulnerability in Google Android 11.0/12.0 In TEEI driver, there is a possible use after free due to a race condition. | 4.6 |
2022-07-06 | CVE-2022-21774 | Google | Race Condition vulnerability in Google Android 11.0/12.0 In TEEI driver, there is a possible use after free due to a race condition. | 4.6 |
2022-07-06 | CVE-2022-21775 | Google | Improper Locking vulnerability in Google Android 11.0/12.0 In sched driver, there is a possible use after free due to improper locking. | 4.6 |
2022-07-06 | CVE-2022-21777 | Google | Missing Authorization vulnerability in Google Android 11.0/12.0 In Autoboot, there is a possible permission bypass due to a missing permission check. | 4.6 |
2022-07-06 | CVE-2022-21779 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In WLAN driver, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2022-07-06 | CVE-2022-21780 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In WLAN driver, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2022-07-06 | CVE-2022-21781 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In WLAN driver, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2022-07-06 | CVE-2022-21782 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In WLAN driver, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2022-07-06 | CVE-2022-21783 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In WLAN driver, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2022-07-06 | CVE-2022-21785 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In WLAN driver, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2022-07-06 | CVE-2022-21786 | Google | Incorrect Type Conversion or Cast vulnerability in Google Android 11.0/12.0 In audio DSP, there is a possible memory corruption due to improper casting. | 4.6 |
2022-07-06 | CVE-2022-21787 | Google | Out-of-bounds Write vulnerability in Google Android 11.0/12.0 In audio DSP, there is a possible out of bounds write due to a missing bounds check. | 4.6 |
2022-07-04 | CVE-2022-31599 | Nvidia | Access of Uninitialized Pointer vulnerability in Nvidia DGX A100 Firmware NVIDIA DGX A100 contains a vulnerability in SBIOS in the Ofbd, where a local user with elevated privileges can cause access to an uninitialized pointer, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. | 4.6 |
2022-07-04 | CVE-2022-31600 | Nvidia | Integer Overflow or Wraparound vulnerability in Nvidia DGX A100 Firmware NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmmCore, where a user with high privileges can chain another vulnerability to this vulnerability, causing an integer overflow, possibly leading to code execution, escalation of privileges, denial of service, compromised integrity, and information disclosure. | 4.6 |
2022-07-04 | CVE-2022-31601 | Nvidia | Out-of-bounds Write vulnerability in Nvidia DGX A100 Firmware NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmbiosPei, which may allow a highly privileged local attacker to cause an out-of-bounds write, which may lead to code execution, denial of service, compromised integrity, and information disclosure. | 4.6 |
2022-07-06 | CVE-2021-3695 | GNU Fedoraproject Redhat Netapp | Out-of-bounds Write vulnerability in multiple products A crafted 16-bit grayscale PNG image may lead to an out-of-bounds write in the heap area. | 4.5 |
2022-07-06 | CVE-2021-3696 | GNU Redhat Netapp | Out-of-bounds Write vulnerability in multiple products A heap out-of-bounds write may happen during the handling of Huffman tables in the PNG reader. | 4.5 |
2022-07-06 | CVE-2022-21776 | Google | Race Condition vulnerability in Google Android 11.0/12.0 In MDP, there is a possible use after free due to a race condition. | 4.4 |
2022-07-04 | CVE-2022-31602 | Nvidia | Out-of-bounds Write vulnerability in Nvidia DGX A100 Firmware NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with elevated privileges and a preconditioned heap can exploit an out-of-bounds write vulnerability, which may lead to code execution, denial of service, data integrity impact, and information disclosure. | 4.4 |
2022-07-04 | CVE-2022-31603 | Nvidia | Improper Validation of Array Index vulnerability in Nvidia DGX A100 Firmware NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with high privileges and preconditioned IpSecDxe global data can exploit improper validation of an array index to cause code execution, which may lead to denial of service, data integrity impact, and information disclosure. | 4.4 |
2022-07-10 | CVE-2022-27910 | Joomlatools | Cross-site Scripting vulnerability in Joomlatools Docman The Joomla component 'Joomlatools - DOCman 3.5.13 (and likely most versions below)' is affected by a reflected Cross-Site Scripting (XSS) vulnerability in an image upload function. | 4.3 |
2022-07-08 | CVE-2022-35406 | Portswigger | Open Redirect vulnerability in Portswigger Burp Suite A URL disclosure issue was discovered in Burp Suite before 2022.6. | 4.3 |
2022-07-08 | CVE-2022-32115 | Withknown | Cross-site Scripting vulnerability in Withknown Known An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file. | 4.3 |
2022-07-07 | CVE-2021-44791 | Apache | Cross-site Scripting vulnerability in Apache Druid In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. | 4.3 |
2022-07-07 | CVE-2022-28889 | Apache | Improper Restriction of Rendered UI Layers or Frames vulnerability in Apache Druid In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. | 4.3 |
2022-07-07 | CVE-2022-33098 | Magnolia CMS | Cross-site Scripting vulnerability in Magnolia-Cms Magnolia CMS 6.2.19 Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. | 4.3 |
2022-07-07 | CVE-2022-31136 | Joinbookwyrm | Cross-site Scripting vulnerability in Joinbookwyrm Bookwyrm Bookwyrm is an open source social reading and reviewing program. | 4.3 |
2022-07-07 | CVE-2022-32441 | HEX Rays | Out-of-bounds Write vulnerability in Hex-Rays IDA 6.6 A memory corruption in Hex Rays Ida Pro v6.6 allows attackers to cause a Denial of Service (DoS) via a crafted file. | 4.3 |
2022-07-07 | CVE-2015-1785 | Imagely | Cross-Site Request Forgery (CSRF) vulnerability in Imagely Nextgen Gallery In the nextgen-gallery WordPress plugin before 2.0.77.3, there are two vulnerabilities which can allow an attacker to gain full access over the web application. | 4.3 |
2022-07-07 | CVE-2022-32205 | Haxx Fedoraproject Debian Netapp Apple Siemens Splunk | Allocation of Resources Without Limits or Throttling vulnerability in multiple products A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. | 4.3 |
2022-07-06 | CVE-2022-20862 | Cisco | Path Traversal vulnerability in Cisco Unified Communications Manager A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. | 4.3 |
2022-07-06 | CVE-2022-31127 | Nextauth JS | Cross-site Scripting vulnerability in Nextauth.Js Next-Auth NextAuth.js is a complete open source authentication solution for Next.js applications. | 4.3 |
2022-07-06 | CVE-2022-31131 | Nextcloud | Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Mail Nextcloud mail is a Mail app for the Nextcloud home server product. | 4.3 |
2022-07-06 | CVE-2022-23713 | Elastic | Cross-site Scripting vulnerability in Elastic Kibana A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. | 4.3 |
2022-07-06 | CVE-2021-31678 | Pescms | Cross-Site Request Forgery (CSRF) vulnerability in Pescms Team 2.3.3 An issue was discovered in PESCMS-V2.3.3. | 4.3 |
2022-07-06 | CVE-2021-45721 | Jfrog | Cross-site Scripting vulnerability in Jfrog Artifactory JFrog Artifactory prior to version 7.29.8 and 6.23.38 is vulnerable to Reflected Cross-Site Scripting (XSS) through one of the XHR parameters in Users REST API endpoint. | 4.3 |
2022-07-05 | CVE-2022-34879 | Vicidial | Cross-site Scripting vulnerability in Vicidial 2.14B0.5 Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. | 4.3 |
2022-07-04 | CVE-2022-0250 | Redirection FOR Contact Form7 | Cross-site Scripting vulnerability in Redirection-For-Contact-Form7 Redirection for Contact Form 7 The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it in an attribute, leading to a Reflected Cross-Site Scripting | 4.3 |
2022-07-04 | CVE-2022-1946 | Wpdevart | Cross-site Scripting vulnerability in Wpdevart Gallery The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue | 4.3 |
2022-07-04 | CVE-2022-1967 | WP Championship Project | Cross-Site Request Forgery (CSRF) vulnerability in Wp-Championship Project Wp-Championship The WP Championship WordPress plugin before 9.3 is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. | 4.3 |
2022-07-04 | CVE-2022-2301 | Chafa Project | Out-of-bounds Read vulnerability in Chafa Project Chafa Buffer Over-read in GitHub repository hpjansson/chafa prior to 1.10.3. | 4.3 |
2022-07-04 | CVE-2022-26051 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operation restriction bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Portal. | 4.3 |
2022-07-04 | CVE-2022-26054 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operation restriction bypass vulnerability in Link of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Link. | 4.3 |
2022-07-04 | CVE-2022-27627 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Organization's Information of Cybozu Garoon 4.10.2 to 5.5.1 allows a remote attacker to execute an arbitrary script on the logged-in user's web browser. | 4.3 |
2022-07-04 | CVE-2022-27661 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operation restriction bypass vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Workflow. | 4.3 |
2022-07-04 | CVE-2022-27807 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Link of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to disable the addition of Categories. | 4.3 |
2022-07-04 | CVE-2022-28692 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Scheduler of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Scheduler. | 4.3 |
2022-07-04 | CVE-2022-28718 | Cybozu | Unspecified vulnerability in Cybozu Garoon Operation restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Bulletin. | 4.3 |
2022-07-04 | CVE-2022-29467 | Cybozu | Information Exposure vulnerability in Cybozu Garoon Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address. | 4.3 |
2022-07-04 | CVE-2022-29471 | Cybozu | Unspecified vulnerability in Cybozu Garoon Browse restriction bypass vulnerability in Bulletin of Cybozu Garoon allows a remote authenticated attacker to obtain the data of Bulletin. | 4.3 |
2022-07-08 | CVE-2022-30852 | Withknown | Authorization Bypass Through User-Controlled Key vulnerability in Withknown Known Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR). | 4.0 |
2022-07-07 | CVE-2015-5298 | Jenkins | Improper Authentication vulnerability in Jenkins Google Login 1.0/1.1 The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification. | 4.0 |
2022-07-06 | CVE-2022-31124 | Openssh KEY Parser Project | Information Exposure Through an Error Message vulnerability in Openssh KEY Parser Project Openssh KEY Parser openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. | 4.0 |
2022-07-06 | CVE-2022-23172 | Priority Software | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Priority-Software Priority An attacker can access the "Forgot my password" button; as soon as he enters a user that is valid in the system, the system issues a message that a password reset email has been sent to the user. | 4.0 |
2022-07-06 | CVE-2021-37839 | Apache | Improper Check for Dropped Privileges vulnerability in Apache Superset Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. | 4.0 |
2022-07-05 | CVE-2022-31770 | IBM | Unspecified vulnerability in IBM APP Connect Enterprise Certified Container 4.2 IBM App Connect Enterprise Certified Container 4.2 could allow a user from the administration console to cause a denial of service by creating a specially crafted request. | 4.0 |
2022-07-04 | CVE-2022-27803 | Cybozu | Improper Input Validation vulnerability in Cybozu Garoon Improper input validation vulnerability in Space of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Space. | 4.0 |
30 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-07-08 | CVE-2022-35412 | Digitalguardian | Unspecified vulnerability in Digitalguardian Digital Guardian 7.7.4.0042 Digital Guardian Agent 7.7.4.0042 allows an administrator (who ordinarily does not have a supported way to uninstall the product) to disable some of the agent functionality and then exfiltrate files to an external USB device. | 3.6 |
2022-07-10 | CVE-2022-2365 | Trilium Project | Cross-site Scripting vulnerability in Trilium Project Trilium Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.53.3. | 3.5 |
2022-07-08 | CVE-2022-22370 | IBM | Cross-site Scripting vulnerability in IBM Security Verify Access IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to cross-site scripting. | 3.5 |
2022-07-08 | CVE-2022-34166 | IBM | Cross-site Scripting vulnerability in IBM Cics TX 11.1 IBM CICS TX Standard and Advanced 11.1 is vulnerable to cross-site scripting. | 3.5 |
2022-07-08 | CVE-2022-34167 | IBM | Cross-site Scripting vulnerability in IBM Cics TX 11.1 IBM CICS TX Standard and Advanced 11.1 is vulnerable to stored cross-site scripting. | 3.5 |
2022-07-08 | CVE-2022-28624 | HPE | Cross-site Scripting vulnerability in HPE products A potential security vulnerability has been identified in certain HPE FlexNetwork and FlexFabric switch products. | 3.5 |
2022-07-08 | CVE-2022-31290 | Withknown | Cross-site Scripting vulnerability in Withknown Known A cross-site scripting (XSS) vulnerability in Known v1.2.2+2020061101 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Your Name text field. | 3.5 |
2022-07-07 | CVE-2022-32061 | Snipeitapp | Cross-site Scripting vulnerability in Snipeitapp Snipe-It 6.0.2 An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file. | 3.5 |
2022-07-07 | CVE-2022-31133 | Humhub | Cross-site Scripting vulnerability in Humhub HumHub is an Open Source Enterprise Social Network. | 3.5 |
2022-07-07 | CVE-2022-32567 | Appfire | Cross-site Scripting vulnerability in Appfire Jira Misc Custom Fields 2.4.6 The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function. | 3.5 |
2022-07-07 | CVE-2022-2342 | Getoutline | Cross-site Scripting vulnerability in Getoutline Outline Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. | 3.5 |
2022-07-06 | CVE-2015-3172 | Eidogo | Cross-site Scripting vulnerability in Eidogo EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input. | 3.5 |
2022-07-06 | CVE-2022-2316 | Devolutions | Cross-site Scripting vulnerability in Devolutions Server HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or redirect a user to another site. | 3.5 |
2022-07-06 | CVE-2022-35230 | Zabbix | Cross-site Scripting vulnerability in Zabbix An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. | 3.5 |
2022-07-05 | CVE-2022-31014 | Nextcloud | Injection vulnerability in Nextcloud Server Nextcloud server is an open source personal cloud server. | 3.5 |
2022-07-05 | CVE-2021-43702 | Asus | Cross-site Scripting vulnerability in Asus products ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS). | 3.5 |
2022-07-05 | CVE-2022-30289 | Citeum | Cross-site Scripting vulnerability in Citeum Opencti A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4. | 3.5 |
2022-07-04 | CVE-2021-25056 | Ninjaforms | Cross-site Scripting vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-07-04 | CVE-2021-25066 | Ninjaforms | Cross-site Scripting vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
2022-07-04 | CVE-2022-1301 | Wpexperts | Cross-site Scripting vulnerability in Wpexperts WP Contact Slider The WP Contact Slider WordPress plugin before 2.4.7 does not sanitize and escape the Text to Display settings of sliders, which could allow high privileged users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | 3.5 |
2022-07-04 | CVE-2022-2300 | Microweber | Cross-site Scripting vulnerability in Microweber Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. | 3.5 |
2022-07-04 | CVE-2022-29513 | Cybozu | Cross-site Scripting vulnerability in Cybozu Garoon Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script. | 3.5 |
2022-07-06 | CVE-2022-32290 | Northern Tech | Incorrect Authorization vulnerability in Northern.Tech Mender 3.2.0/3.2.1/3.2.2 The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. | 3.3 |
2022-07-07 | CVE-2022-2047 | Eclipse Debian Netapp | Improper Input Validation vulnerability in multiple products In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. | 2.7 |
2022-07-07 | CVE-2022-23744 | Checkpoint | Unspecified vulnerability in Checkpoint Endpoint Security and Harmony Endpoint Check Point Endpoint before version E86.50 failed to protect against a specific registry change, which allowed a local administrator to disable endpoint protection. | 2.1 |
2022-07-06 | CVE-2022-27548 | Hcltechsw | Insufficiently Protected Credentials vulnerability in Hcltechsw HCL Launch 7.0.5.10/7.1.2.6/7.2.2.1 HCL Launch stores user credentials in plain clear text which can be read by a local user. | 2.1 |
2022-07-06 | CVE-2022-26348 | Gallagher | SQL Injection vulnerability in Gallagher Command Centre Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server. | 2.1 |
2022-07-06 | CVE-2022-21763 | Google | Missing Authorization vulnerability in Google Android 10.0/11.0/12.0 In telecom service, there is a possible information disclosure due to a missing permission check. | 2.1 |
2022-07-06 | CVE-2022-21764 | Google | Missing Authorization vulnerability in Google Android 10.0/11.0/12.0 In telecom service, there is a possible information disclosure due to a missing permission check. | 2.1 |
2022-07-06 | CVE-2022-21769 | Google | Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0 In CCCI, there is a possible out of bounds read due to a missing bounds check. | 2.1 |