Weekly Vulnerabilities Reports > July 4 to 10, 2022

Overview

235 new vulnerabilities reported during this period, including 40 critical vulnerabilities and 69 high severity vulnerabilities. This weekly summary report vulnerabilities in 339 products from 115 vendors including Google, Debian, Fedoraproject, Cybozu, and Netapp. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "OS Command Injection", and "Path Traversal".

  • 177 reported vulnerabilities are remotely exploitables.
  • 6 reported vulnerabilities have public exploit available.
  • 80 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 116 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 25 reported vulnerabilities.
  • Tenda has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

40 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-08 CVE-2022-31137 Roxy WI Unspecified vulnerability in Roxy-Wi

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers.

9.8
2022-07-08 CVE-2022-34914 Webswing Injection vulnerability in Webswing

Webswing before 22.1.3 allows X-Forwarded-For header injection.

9.8
2022-07-08 CVE-2022-35411 RPC PY Project Insufficiently Protected Credentials vulnerability in Rpc.Py Project Rpc.Py

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent.

9.8
2022-07-08 CVE-2022-28623 HPE SQL Injection vulnerability in HPE Icewall SSO Certd 10.0

Security vulnerabilities in HPE IceWall SSO 10.0 certd could be exploited remotely to allow SQL injection or unauthorized data injection.

9.8
2022-07-08 CVE-2022-1245 Redhat Authorization Bypass Through User-Controlled Key vulnerability in Redhat Keycloak

A privilege escalation flaw was found in the token exchange feature of keycloak.

9.8
2022-07-07 CVE-2022-33936 Dell Unspecified vulnerability in Dell Cloud Mobility for Dell EMC Storage 1.3.0

Cloud Mobility for Dell EMC Storage, 1.3.0.XXX contains a RCE vulnerability.

9.8
2022-07-07 CVE-2021-29281 GFI Unrestricted Upload of File with Dangerous Type vulnerability in GFI Archiver

File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.

9.8
2022-07-07 CVE-2021-35283 Atoms183 CMS Project SQL Injection vulnerability in Atoms183 CMS Project Atoms183 CMS 1.0

SQL Injection vulnerability in product_admin.php in atoms183 CMS 1.0, allows attackers to execute arbitrary commands via the Name, Fname, and ID parameters to search.php.

9.8
2022-07-07 CVE-2022-32054 Tenda OS Command Injection vulnerability in Tenda Ac10 Firmware 15.03.06.26

Tenda AC10 US_AC10V1.0RTL_V15.03.06.26_multi_TD01 was discovered to contain a remote code execution (RCE) vulnerability via the lanIp parameter.

9.8
2022-07-07 CVE-2022-32056 Online Accreditation Management System Project SQL Injection vulnerability in Online Accreditation Management System Project Online Accreditation Management System 1.0

Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php.

9.8
2022-07-07 CVE-2022-32449 Totolink Command Injection vulnerability in Totolink Ex300 V2 Firmware 4.0.3C.7484

TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function.

9.8
2022-07-07 CVE-2022-34592 Wavlink Command Injection vulnerability in Wavlink Wl-Wn575A3 Firmware Rpt75A3.V4300.201217

Wavlink WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability via the function obtw.

9.8
2022-07-07 CVE-2022-32207 Haxx
Fedoraproject
Debian
Netapp
Apple
Splunk
Incorrect Default Permissions vulnerability in multiple products

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

9.8
2022-07-07 CVE-2022-25046 Control Webpanel Path Traversal vulnerability in Control-Webpanel Webpanel

A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request.

9.8
2022-07-06 CVE-2022-33047 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 0.10.4

OTFCC v0.10.4 was discovered to contain a heap buffer overflow after free via otfccbuild.c.

9.8
2022-07-06 CVE-2022-31125 Roxy WI Unspecified vulnerability in Roxy-Wi

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers.

9.8
2022-07-06 CVE-2022-31126 Roxy WI Unspecified vulnerability in Roxy-Wi

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers.

9.8
2022-07-06 CVE-2022-34595 Tenda OS Command Injection vulnerability in Tenda Ax1803 Firmware 1.0.0.12890

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

9.8
2022-07-06 CVE-2022-34596 Tenda OS Command Injection vulnerability in Tenda Ax1803 Firmware 1.0.0.12890

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

9.8
2022-07-06 CVE-2022-34597 Tenda OS Command Injection vulnerability in Tenda Ax1806 Firmware 1.0.0.1

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

9.8
2022-07-06 CVE-2022-34598 H3C Unspecified vulnerability in H3C Magic R100 Firmware V100R005/V200R004

The udpserver in H3C Magic R100 V200R004 and V100R005 has the 9034 port opened, allowing attackers to execute arbitrary commands.

9.8
2022-07-06 CVE-2022-20083 Mediatek Out-of-bounds Write vulnerability in Mediatek products

In Modem 2G/3G CC, there is a possible out of bounds write due to a missing bounds check.

9.8
2022-07-06 CVE-2022-21744 Mediatek Out-of-bounds Write vulnerability in Mediatek products

In Modem 2G RR, there is a possible out of bounds write due to a missing bounds check.

9.8
2022-07-06 CVE-2022-33980 Apache
Netapp
Debian
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded.
9.8
2022-07-06 CVE-2022-32383 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44

Tenda AC23 v16.03.07.44 was discovered to contain a stack overflow via the AdvSetMacMtuWan function.

9.8
2022-07-06 CVE-2022-32385 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44

Tenda AC23 v16.03.07.44 is vulnerable to Stack Overflow that will allow for the execution of arbitrary code (remote).

9.8
2022-07-06 CVE-2022-32386 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac23 Ac2100 Firmware 16.03.07.44

Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan.

9.8
2022-07-06 CVE-2022-32533 Apache Unspecified vulnerability in Apache Jetspeed

Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF.

9.8
2022-07-05 CVE-2022-31856 Newsletter Module Project SQL Injection vulnerability in Newsletter Module Project Newsletter Module 3.0.2.0

Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php.

9.8
2022-07-05 CVE-2022-32310 Ingredient Stock Management System Project Incorrect Authorization vulnerability in Ingredient Stock Management System Project Ingredient Stock Management System 1.0

An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php.

9.8
2022-07-05 CVE-2022-32311 Ingredient Stock Management System Project SQL Injection vulnerability in Ingredient Stock Management System Project Ingredient Stock Management System 1.0

Ingredient Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /isms/admin/stocks/view_stock.php.

9.8
2022-07-05 CVE-2022-32413 Dice Project Unrestricted Upload of File with Dangerous Type vulnerability in Dice Project Dice 4.2.0

An arbitrary file upload vulnerability in Dice v4.2.0 allows attackers to execute arbitrary code via a crafted file.

9.8
2022-07-05 CVE-2022-34972 SO Filter Shop BY Project SQL Injection vulnerability in SO Filter Shop BY Project SO Filter Shop BY 3.0

So Filter Shop v3.x was discovered to contain multiple blind SQL injection vulnerabilities via the att_value_id , manu_value_id , opt_value_id , and subcate_value_id parameters at /index.php?route=extension/module/so_filter_shop_by/filter_data.

9.8
2022-07-05 CVE-2022-2321 Heroiclabs Unspecified vulnerability in Heroiclabs Nakama

Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0.

9.8
2022-07-05 CVE-2022-31836 Beego Path Traversal vulnerability in Beego

The leafInfo.match() function in Beego v2.0.3 and below uses path.join() to deal with wildcardvalues which can lead to cross directory risk.

9.8
2022-07-04 CVE-2022-33171 Typeorm SQL Injection vulnerability in Typeorm

The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object.

9.8
2022-07-04 CVE-2022-34265 Djangoproject SQL Injection vulnerability in Djangoproject Django

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6.

9.8
2022-07-07 CVE-2021-46825 Broadcom HTTP Request Smuggling vulnerability in Broadcom Advanced Secure Gateway and Proxysg

Symantec Advanced Secure Gateway (ASG) and ProxySG are susceptible to an HTTP desync vulnerability.

9.1
2022-07-06 CVE-2014-8164 Redhat Improper Certificate Validation vulnerability in Redhat Cloudforms Management Engine 5.0

A insecure configuration for certificate verification (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) may lead to verification bypass in Red Hat CloudForms 5.x.

9.1
2022-07-05 CVE-2021-43702 Asus Cross-site Scripting vulnerability in Asus products

ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS).

9.0

69 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-08 CVE-2022-22476 IBM Authentication Bypass by Spoofing vulnerability in IBM Open Liberty and Websphere Application Server

IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request.

8.8
2022-07-08 CVE-2022-33011 Withknown Injection vulnerability in Withknown Known

Known v1.3.1+2020120201 was discovered to allow attackers to perform an account takeover via a host header injection attack.

8.8
2022-07-07 CVE-2015-1784 Imagely Unrestricted Upload of File with Dangerous Type vulnerability in Imagely Nextgen Gallery

In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application.

8.8
2022-07-07 CVE-2022-25048 Control Webpanel OS Command Injection vulnerability in Control-Webpanel Webpanel 0.9.8.1126

Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user.

8.8
2022-07-07 CVE-2022-33996 Devolutions Incorrect Default Permissions vulnerability in Devolutions Server

Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inherit the permissions of that previous user.

8.8
2022-07-06 CVE-2022-20859 Cisco Unspecified vulnerability in Cisco products

A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P), and Cisco Unity Connection could allow an authenticated, remote attacker to perform certain administrative actions they should not be able to.

8.8
2022-07-06 CVE-2022-30929 Mini Tmall Project Incorrect Permission Assignment for Critical Resource vulnerability in Mini Tmall Project Mini Tmall 1.0

Mini-Tmall v1.0 is vulnerable to Insecure Permissions via tomcat-embed-jasper.

8.8
2022-07-06 CVE-2022-21767 Google Out-of-bounds Write vulnerability in Google Android

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

8.8
2022-07-06 CVE-2022-21768 Google Out-of-bounds Write vulnerability in Google Android

In Bluetooth, there is a possible out of bounds write due to a missing bounds check.

8.8
2022-07-06 CVE-2022-30619 Agilepoint SQL Injection vulnerability in Agilepoint NX 6.0/7.0

Editable SQL Queries behind Base64 encoding sending from the Client-Side to The Server-Side for a particular API used in legacy Work Center module.

8.8
2022-07-06 CVE-2021-23163 Jfrog Cross-Site Request Forgery (CSRF) vulnerability in Jfrog Artifactory

JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints.

8.8
2022-07-05 CVE-2022-34876 Vicidial SQL Injection vulnerability in Vicidial 2.14B0.5

SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

8.8
2022-07-05 CVE-2022-34877 Vicidial SQL Injection vulnerability in Vicidial 2.14B0.5

SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

8.8
2022-07-05 CVE-2022-34878 Vicidial SQL Injection vulnerability in Vicidial 2.14B0.5

SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

8.8
2022-07-05 CVE-2021-43116 Alibaba Improper Authentication vulnerability in Alibaba Nacos

An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.

8.8
2022-07-04 CVE-2022-33948 Kddi OS Command Injection vulnerability in Kddi Home Spot Cube 2 Firmware V100/V101/V102

HOME SPOT CUBE2 V102 contains an OS command injection vulnerability due to improper processing of data received from DHCP server.

8.8
2022-07-04 CVE-2022-31600 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia DGX A100 Firmware

NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmmCore, where a user with high privileges can chain another vulnerability to this vulnerability, causing an integer overflow, possibly leading to code execution, escalation of privileges, denial of service, compromised integrity, and information disclosure.

8.2
2022-07-04 CVE-2022-29484 Cybozu Unspecified vulnerability in Cybozu Garoon

Operation restriction bypass vulnerability in Space of Cybozu Garoon 4.0.0 to 5.9.0 allows a remote authenticated attacker to delete the data of Space.

8.1
2022-07-04 CVE-2022-33208 Omron Authentication Bypass by Capture-replay vulnerability in Omron products

Authentication bypass by capture-replay vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who can analyze the communication between the affected controller and automation software 'Sysmac Studio' and/or a Programmable Terminal (PT) to access the controller.

8.1
2022-07-04 CVE-2022-34151 Omron Use of Hard-coded Credentials vulnerability in Omron products

Use of hard-coded credentials vulnerability exists in Machine automation controller NJ series all models V 1.48 and earlier, Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, Automation software 'Sysmac Studio' all models V1.49 and earlier, and Programmable Terminal (PT) NA series NA5-15W/NA5-12W/NA5-9W/NA5-7W models Runtime V1.15 and earlier, which may allow a remote attacker who successfully obtained the user credentials by analyzing the affected product to access the controller.

8.1
2022-07-08 CVE-2021-41037 Eclipse Inclusion of Functionality from Untrusted Control Sphere vulnerability in Eclipse Equinox P2

In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation.

8.0
2022-07-08 CVE-2022-2345 VIM
Fedoraproject
Use After Free in GitHub repository vim/vim prior to 9.0.0046.
7.8
2022-07-08 CVE-2022-2344 VIM
Fedoraproject
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
7.8
2022-07-08 CVE-2022-22465 IBM Unspecified vulnerability in IBM Security Verify Access

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 could allow a local user to obtain elevated privileges due to improper access permissions.

7.8
2022-07-08 CVE-2022-2343 VIM
Fedoraproject
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0044.
7.8
2022-07-07 CVE-2022-32481 Dell Unspecified vulnerability in Dell Powerprotect Cyber Recovery

Dell PowerProtect Cyber Recovery, versions prior to 19.11, contain a privilege escalation vulnerability on virtual appliance deployments.

7.8
2022-07-06 CVE-2022-21777 Google Missing Authorization vulnerability in Google Android 11.0/12.0

In Autoboot, there is a possible permission bypass due to a missing permission check.

7.8
2022-07-06 CVE-2022-23714 Elastic Unspecified vulnerability in Elastic Endpoint Security

A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

7.8
2022-07-06 CVE-2022-24138 Iobit Files or Directories Accessible to External Parties vulnerability in Iobit Advanced Systemcare 15

IOBit Advanced System Care (Asc.exe) 15 and Action Download Center both download components of IOBit suite into ProgramData folder, ProgramData folder has "rwx" permissions for unprivileged users.

7.8
2022-07-06 CVE-2022-24139 Iobit Exposure of Resource to Wrong Sphere vulnerability in Iobit Advanced System Care 15

In IOBit Advanced System Care (AscService.exe) 15, an attacker with SEImpersonatePrivilege can create a named pipe with the same name as one of ASCService's named pipes.

7.8
2022-07-05 CVE-2022-2304 VIM
Fedoraproject
Debian
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
7.8
2022-07-05 CVE-2022-33743 XEN
Linux
Debian
network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
7.8
2022-07-04 CVE-2022-34918 Linux
Debian
Canonical
Netapp
Type Confusion vulnerability in multiple products

An issue was discovered in the Linux kernel through 5.18.9.

7.8
2022-07-08 CVE-2022-22464 IBM Inadequate Encryption Strength vulnerability in IBM Security Verify Access

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2022-07-08 CVE-2022-35410 0Xacab
Debian
Path Traversal vulnerability in multiple products

mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process.

7.5
2022-07-07 CVE-2022-2048 Eclipse
Debian
Netapp
Jenkins
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources.
7.5
2022-07-07 CVE-2022-2191 Eclipse Improper Resource Shutdown or Release vulnerability in Eclipse Jetty

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

7.5
2022-07-07 CVE-2021-31645 Glftpd Allocation of Resources Without Limits or Throttling vulnerability in Glftpd 2.11A

An issue was discovered in glFTPd 2.11a that allows remote attackers to cause a denial of service via exceeding the connection limit.

7.5
2022-07-07 CVE-2022-32055 Nesote SQL Injection vulnerability in Nesote Inout Homestay 2.2

Inout Homestay v2.2 was discovered to contain a SQL injection vulnerability via the guests parameter at /index.php?page=search/rentals.

7.5
2022-07-07 CVE-2022-32058 TP Link Infinite Loop vulnerability in Tp-Link Tl-Wr741N Firmware and Tl-Wr742N Firmware

An infinite loop in the function httpRpmPass of TP-Link TL-WR741N/TL-WR742N V1/V2/V3_130415 allows attackers to cause a Denial of Service (DoS) via a crafted packet.

7.5
2022-07-07 CVE-2022-31121 Hyperledger Unspecified vulnerability in Hyperledger Fabric

Hyperledger Fabric is a permissioned distributed ledger framework.

7.5
2022-07-07 CVE-2022-31135 Aceattorneyonline Improper Validation of Array Index vulnerability in Aceattorneyonline Akashi 1.3

Akashi is an open source server implementation of the Attorney Online video game based on the Ace Attorney universe.

7.5
2022-07-07 CVE-2015-5236 Icedtea WEB Project Insufficient Verification of Data Authenticity vulnerability in Icedtea-Web Project Icedtea-Web

It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks.

7.5
2022-07-07 CVE-2022-2339 Xgenecloud Unspecified vulnerability in Xgenecloud Nocodb

With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read it's contents.

7.5
2022-07-06 CVE-2021-4234 Openvpn Unspecified vulnerability in Openvpn Access Server

OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.

7.5
2022-07-06 CVE-2022-31129 Momentjs
Fedoraproject
Debian
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates.
7.5
2022-07-06 CVE-2022-26078 Gallagher Unspecified vulnerability in Gallagher Controller 6000 Firmware

Gallagher Controller 6000 is vulnerable to a Denial of Service attack via conflicting ARP packets with a duplicate IP address.

7.5
2022-07-06 CVE-2022-33737 Openvpn Information Exposure Through Log Files vulnerability in Openvpn Access Server

The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password

7.5
2022-07-06 CVE-2022-33738 Openvpn Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Openvpn Access Server

OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal

7.5
2022-07-06 CVE-2022-30591 Quic GO Project Resource Exhaustion vulnerability in Quic-Go Project Quic-Go

quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent.

7.5
2022-07-06 CVE-2022-22681 Synology Unspecified vulnerability in Synology Photo Station

Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors.

7.5
2022-07-05 CVE-2022-31116 Ultrajson Project
Fedoraproject
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+.
7.5
2022-07-05 CVE-2022-30290 Citeum Unspecified vulnerability in Citeum Opencti

In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint.

7.5
2022-07-05 CVE-2022-2309 Lxml
Fedoraproject
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash).
7.5
2022-07-05 CVE-2022-2306 Heroiclabs Unspecified vulnerability in Heroiclabs Nakama

Old session tokens can be used to authenticate to the application and send authenticated requests.

7.5
2022-07-04 CVE-2022-34829 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Adselfservice Plus

Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.

7.5
2022-07-04 CVE-2022-32284 Yokogawa Use of Insufficiently Random Values vulnerability in Yokogawa Aw810D Firmware R12

Use of insufficiently random values vulnerability exists in Vnet/IP communication module VI461 of YOKOGAWA Wide Area Communication Router (WAC Router) AW810D, which may allow a remote attacker to cause denial-of-service (DoS) condition by sending a specially crafted packet.

7.5
2022-07-04 CVE-2022-33971 Omron Authentication Bypass by Capture-replay vulnerability in Omron products

Authentication bypass by capture-replay vulnerability exists in Machine automation controller NX7 series all models V1.28 and earlier, Machine automation controller NX1 series all models V1.48 and earlier, and Machine automation controller NJ series all models V 1.48 and earlier, which may allow an adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally to cause a denial-of-service (DoS) condition or execute a malicious program.

7.5
2022-07-07 CVE-2022-31854 Codologic Unrestricted Upload of File with Dangerous Type vulnerability in Codologic Codoforum 5.1

Codoforum v5.1 was discovered to contain an arbitrary file upload vulnerability via the logo change option in the admin panel.

7.2
2022-07-06 CVE-2015-3173 Custom Content Type Manager Project Code Injection vulnerability in Custom Content Type Manager Project Custom Content Type Manager

custom-content-type-manager Wordpress plugin can be used by an administrator to achieve arbitrary PHP remote code execution.

7.2
2022-07-06 CVE-2022-28935 Totolink Command Injection vulnerability in Totolink products

Totolink A830R V5.9c.4729_B20191112, Totolink A3100R V4.1.2cu.5050_B20200504, Totolink A950RG V4.1.2cu.5161_B20200903, Totolink A800R V4.1.2cu.5137_B20200730, Totolink A3000RU V5.9c.5185_B20201128, Totolink A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability.

7.2
2022-07-05 CVE-2021-44915 Taogogo SQL Injection vulnerability in Taogogo Taocms 3.0.2

Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.

7.2
2022-07-04 CVE-2022-2268 Soflyy Unspecified vulnerability in Soflyy WP ALL Import

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type.

7.2
2022-07-05 CVE-2022-26365 Linux
XEN
Debian
Fedoraproject
Memory Leak vulnerability in multiple products

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).

7.1
2022-07-05 CVE-2022-33740 Fedoraproject
Debian
Linux
XEN
Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).

7.1
2022-07-05 CVE-2022-33741 Fedoraproject
Debian
Linux
XEN
Information Exposure vulnerability in multiple products

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).

7.1
2022-07-05 CVE-2022-33742 Fedoraproject
Debian
Linux
XEN
Information Exposure vulnerability in multiple products

Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).

7.1
2022-07-06 CVE-2021-3697 GNU
Redhat
Out-of-bounds Write vulnerability in multiple products

A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap.

7.0
2022-07-06 CVE-2022-20082 Google Race Condition vulnerability in Google Android 10.0/11.0/12.0

In GPU, there is a possible use after free due to a race condition.

7.0

123 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-06 CVE-2022-21765 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In CCCI, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21766 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In CCCI, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21770 Google Link Following vulnerability in Google Android 11.0/12.0

In sound driver, there is a possible information disclosure due to symlink following.

6.7
2022-07-06 CVE-2022-21771 Google Race Condition vulnerability in Google Android 11.0/12.0

In GED driver, there is a possible use after free due to a race condition.

6.7
2022-07-06 CVE-2022-21772 Google Race Condition vulnerability in Google Android 11.0/12.0

In TEEI driver, there is a possible type confusion due to a race condition.

6.7
2022-07-06 CVE-2022-21773 Google Race Condition vulnerability in Google Android 11.0/12.0

In TEEI driver, there is a possible use after free due to a race condition.

6.7
2022-07-06 CVE-2022-21774 Google Race Condition vulnerability in Google Android 11.0/12.0

In TEEI driver, there is a possible use after free due to a race condition.

6.7
2022-07-06 CVE-2022-21775 Google Improper Locking vulnerability in Google Android 11.0/12.0

In sched driver, there is a possible use after free due to improper locking.

6.7
2022-07-06 CVE-2022-21779 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In WLAN driver, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21780 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In WLAN driver, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21781 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In WLAN driver, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21782 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In WLAN driver, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21783 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In WLAN driver, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21784 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In WLAN driver, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21785 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In WLAN driver, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-06 CVE-2022-21786 Google Incorrect Type Conversion or Cast vulnerability in Google Android 11.0/12.0

In audio DSP, there is a possible memory corruption due to improper casting.

6.7
2022-07-06 CVE-2022-21787 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In audio DSP, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-07-04 CVE-2022-31602 Nvidia Out-of-bounds Write vulnerability in Nvidia DGX A100 Firmware

NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with elevated privileges and a preconditioned heap can exploit an out-of-bounds write vulnerability, which may lead to code execution, denial of service, data integrity impact, and information disclosure.

6.7
2022-07-04 CVE-2022-31603 Nvidia Improper Validation of Array Index vulnerability in Nvidia DGX A100 Firmware

NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with high privileges and preconditioned IpSecDxe global data can exploit improper validation of an array index to cause code execution, which may lead to denial of service, data integrity impact, and information disclosure.

6.7
2022-07-06 CVE-2022-24140 Iobit Download of Code Without Integrity Check vulnerability in Iobit products

IOBit Advanced System Care 15, iTop Screen Recorder 2.1, iTop VPN 3.2, Driver Booster 9, and iTop Screenshot sends HTTP requests in their update procedure in order to download a config file.

6.6
2022-07-08 CVE-2022-22463 IBM SQL Injection vulnerability in IBM Security Verify Access

IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to SQL injection.

6.5
2022-07-07 CVE-2015-5298 Jenkins Improper Authentication vulnerability in Jenkins Google Login 1.0/1.1

The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification.

6.5
2022-07-07 CVE-2015-1785 Imagely Cross-Site Request Forgery (CSRF) vulnerability in Imagely Nextgen Gallery

In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application.

6.5
2022-07-07 CVE-2022-32206 Haxx
Fedoraproject
Debian
Netapp
Siemens
Splunk
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms.

6.5
2022-07-06 CVE-2022-20791 Cisco Path Traversal vulnerability in Cisco Unified Communications Manager

A vulnerability in the database user privileges of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device.

6.5
2022-07-06 CVE-2022-20808 Cisco Resource Exhaustion vulnerability in Cisco Smart Software Manager On-Prem 8202004/8202108

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

6.5
2022-07-06 CVE-2022-20812 Cisco Path Traversal vulnerability in Cisco Telepresence Video Communication Server

Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device.

6.5
2022-07-06 CVE-2022-31124 Openssh KEY Parser Project Information Exposure Through an Error Message vulnerability in Openssh KEY Parser Project Openssh KEY Parser

openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files.

6.5
2022-07-06 CVE-2021-31677 Pescms Cross-Site Request Forgery (CSRF) vulnerability in Pescms Team 2.3.3

An issue was discovered in PESCMS-V2.3.3.

6.5
2022-07-06 CVE-2021-31678 Pescms Cross-Site Request Forgery (CSRF) vulnerability in Pescms Team 2.3.3

An issue was discovered in PESCMS-V2.3.3.

6.5
2022-07-06 CVE-2021-31679 Pescms Cross-Site Request Forgery (CSRF) vulnerability in Pescms Team 2.3.3

An issue was discovered in PESCMS-V2.3.3.

6.5
2022-07-04 CVE-2022-1967 WP Championship Project Unspecified vulnerability in Wp-Championship Project Wp-Championship

The WP Championship WordPress plugin before 9.3 is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings.

6.5
2022-07-04 CVE-2022-29892 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in Space of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to repeatedly display errors in certain functions and cause a denial-of-service (DoS).

6.5
2022-07-06 CVE-2022-21776 Google Race Condition vulnerability in Google Android 11.0/12.0

In MDP, there is a possible use after free due to a race condition.

6.4
2022-07-06 CVE-2022-23173 Priority Software Authorization Bypass Through User-Controlled Key vulnerability in Priority-Software Priority 19.1.0.68

this vulnerability affect user that even not allowed to access via the web interface.

6.3
2022-07-10 CVE-2022-27910 Joomlatools Cross-site Scripting vulnerability in Joomlatools Docman

In Joomla component 'Joomlatools - DOCman 3.5.13 (and likely most versions below)' are affected to an reflected Cross-Site Scripting (XSS) in an image upload function

6.1
2022-07-09 CVE-2022-2353 Microweber Unspecified vulnerability in Microweber

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.

6.1
2022-07-08 CVE-2022-32115 Withknown Cross-site Scripting vulnerability in Withknown Known

An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file.

6.1
2022-07-07 CVE-2021-44791 Apache Cross-site Scripting vulnerability in Apache Druid

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses.

6.1
2022-07-07 CVE-2022-33098 Magnolia CMS Cross-site Scripting vulnerability in Magnolia-Cms Magnolia CMS 6.2.19

Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function.

6.1
2022-07-07 CVE-2022-31136 Joinbookwyrm Unspecified vulnerability in Joinbookwyrm Bookwyrm

Bookwyrm is an open source social reading and reviewing program.

6.1
2022-07-07 CVE-2022-34007 EQS Cross-site Scripting vulnerability in EQS Integrity Line 20220701

EQS Integrity Line Professional through 2022-07-01 allows a stored XSS via a crafted whistleblower entry.

6.1
2022-07-06 CVE-2022-20800 Cisco Cross-site Scripting vulnerability in Cisco Unified Communications Manager

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P), and Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-07-06 CVE-2022-20815 Cisco Cross-site Scripting vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified CM Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM &amp; Presence Service (Unified CM IM&amp;P) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-07-06 CVE-2022-31127 Nextauth JS Unspecified vulnerability in Nextauth.Js Next-Auth

NextAuth.js is a complete open source authentication solution for Next.js applications.

6.1
2022-07-06 CVE-2022-23713 Elastic Cross-site Scripting vulnerability in Elastic Kibana

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser.

6.1
2022-07-06 CVE-2021-31676 Pescms Cross-site Scripting vulnerability in Pescms Team 2.3.3

A reflected XSS was discovered in PESCMS-V2.3.3.

6.1
2022-07-06 CVE-2021-45721 Jfrog Cross-site Scripting vulnerability in Jfrog Artifactory

JFrog Artifactory prior to version 7.29.8 and 6.23.38 is vulnerable to Reflected Cross-Site Scripting (XSS) through one of the XHR parameters in Users REST API endpoint.

6.1
2022-07-05 CVE-2022-34879 Vicidial Cross-site Scripting vulnerability in Vicidial 2.14B0.5

Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters.

6.1
2022-07-04 CVE-2022-0250 Redirection FOR Contact Form7 Unspecified vulnerability in Redirection-For-Contact-Form7 Redirection for Contact Form 7

The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it in an attribute, leading to a Reflected Cross-Site Scripting

6.1
2022-07-04 CVE-2022-1946 Wpdevart Unspecified vulnerability in Wpdevart Gallery

The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue

6.1
2022-07-04 CVE-2022-27627 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Organization's Information of Cybozu Garoon 4.10.2 to 5.5.1 allows a remote attacker to execute an arbitrary script on the logged-in user's web browser.

6.1
2022-07-07 CVE-2022-32208 Haxx
Fedoraproject
Debian
Netapp
Apple
Splunk
Out-of-bounds Write vulnerability in multiple products

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly.

5.9
2022-07-07 CVE-2022-25047 Control Webpanel Use of Insufficiently Random Values vulnerability in Control-Webpanel Webpanel 0.9.8.1126

The password reset token in CWP v0.9.8.1126 is generated using known or predictable values.

5.9
2022-07-06 CVE-2022-20813 Cisco Improper Certificate Validation vulnerability in Cisco Telepresence Video Communication Server

Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device.

5.9
2022-07-05 CVE-2022-31117 Ultrajson Project
Fedoraproject
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+.
5.9
2022-07-07 CVE-2022-32441 HEX Rays Out-of-bounds Write vulnerability in Hex-Rays IDA 6.6

A memory corruption in Hex Rays Ida Pro v6.6 allows attackers to cause a Denial of Service (DoS) via a crafted file.

5.5
2022-07-06 CVE-2022-27548 Hcltechsw Insufficiently Protected Credentials vulnerability in Hcltechsw HCL Launch 7.0.5.10/7.1.2.6/7.2.2.1

HCL Launch stores user credentials in plain clear text which can be read by a local user.

5.5
2022-07-06 CVE-2022-27549 Hcltechsw Cleartext Storage of Sensitive Information vulnerability in Hcltechsw HCL Launch 7.0.5.10/7.1.2.6/7.2.2.1

HCL Launch may store certain data for recurring activities in a plain text format.

5.5
2022-07-06 CVE-2022-2318 Linux
Debian
Netapp
There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.
5.5
2022-07-06 CVE-2022-26348 Gallagher SQL Injection vulnerability in Gallagher Command Centre

Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server.

5.5
2022-07-06 CVE-2022-21763 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In telecom service, there is a possible information disclosure due to a missing permission check.

5.5
2022-07-06 CVE-2022-21764 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In telecom service, there is a possible information disclosure due to a missing permission check.

5.5
2022-07-04 CVE-2022-2301 Chafa Project Out-of-bounds Read vulnerability in Chafa Project Chafa

Buffer Over-read in GitHub repository hpjansson/chafa prior to 1.10.3.

5.5
2022-07-10 CVE-2022-2365 Trilium Project Unspecified vulnerability in Trilium Project Trilium

Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.53.3.

5.4
2022-07-08 CVE-2022-22370 IBM Cross-site Scripting vulnerability in IBM Security Verify Access

IBM Security Verify Access 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to cross-site scripting.

5.4
2022-07-08 CVE-2022-34160 IBM Cross-site Scripting vulnerability in IBM Cics TX 11.1

IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTML injection.

5.4
2022-07-08 CVE-2022-34166 IBM Cross-site Scripting vulnerability in IBM Cics TX 11.1

IBM CICS TX Standard and Advanced 11.1 is vulnerable to cross-site scripting.

5.4
2022-07-08 CVE-2022-34167 IBM Cross-site Scripting vulnerability in IBM Cics TX 11.1

IBM CICS TX Standard and Advanced 11.1 is vulnerable to stored cross-site scripting.

5.4
2022-07-08 CVE-2022-34306 IBM Cross-site Scripting vulnerability in IBM Cics TX 11.1

IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

5.4
2022-07-08 CVE-2022-31290 Withknown Cross-site Scripting vulnerability in Withknown Known

A cross-site scripting (XSS) vulnerability in Known v1.2.2+2020061101 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Your Name text field.

5.4
2022-07-07 CVE-2022-32567 Appfire Cross-site Scripting vulnerability in Appfire Jira Misc Custom Fields 2.4.6

The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function.

5.4
2022-07-07 CVE-2022-2342 Getoutline Unspecified vulnerability in Getoutline Outline

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4.

5.4
2022-07-06 CVE-2015-3172 Eidogo Cross-site Scripting vulnerability in Eidogo

EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input.

5.4
2022-07-06 CVE-2022-2316 Devolutions Cross-site Scripting vulnerability in Devolutions Server

HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or redirect a user to another site.

5.4
2022-07-06 CVE-2022-24141 Iobit Unspecified vulnerability in Iobit Itop VPN 3.2

The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop.

5.4
2022-07-06 CVE-2022-35229 Zabbix Cross-site Scripting vulnerability in Zabbix

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users.

5.4
2022-07-06 CVE-2022-35230 Zabbix Cross-site Scripting vulnerability in Zabbix

An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users.

5.4
2022-07-05 CVE-2022-33075 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul ZOO Management System 1.0

A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors.

5.4
2022-07-05 CVE-2022-30289 Citeum Cross-site Scripting vulnerability in Citeum Opencti

A stored Cross-site Scripting (XSS) vulnerability was identified in the Data Import functionality of OpenCTI through 5.2.4.

5.4
2022-07-04 CVE-2022-2300 Microweber Unspecified vulnerability in Microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

5.4
2022-07-04 CVE-2022-26368 Cybozu Unspecified vulnerability in Cybozu Garoon

Browse restriction bypass and operation restriction bypass vulnerability in Cabinet of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter and/or obtain the data of Cabinet.

5.4
2022-07-07 CVE-2021-41042 Eclipse XXE vulnerability in Eclipse LYO 1.0.0/4.1.0

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML.

5.3
2022-07-07 CVE-2015-3207 Openshift Missing Encryption of Sensitive Data vulnerability in Openshift Origin 3.0.0

In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes.

5.3
2022-07-06 CVE-2022-20752 Cisco Information Exposure Through Discrepancy vulnerability in Cisco Unified Communications Manager and Unity Connection

A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an unauthenticated, remote attacker to perform a timing attack.

5.3
2022-07-06 CVE-2022-31111 Parity Unspecified vulnerability in Parity Frontier

Frontier is Substrate's Ethereum compatibility layer.

5.3
2022-07-05 CVE-2022-2097 Openssl
Fedoraproject
Netapp
Siemens
Debian
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances.

5.3
2022-07-04 CVE-2022-28713 Cybozu Improper Authentication vulnerability in Cybozu Garoon

Improper authentication vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote attacker to obtain some data of Facility Information without logging in to the product.

5.3
2022-07-08 CVE-2022-35412 Digitalguardian Unspecified vulnerability in Digitalguardian Digital Guardian 7.7.4.0042

Digital Guardian Agent 7.7.4.0042 allows an administrator (who ordinarily does not have a supported way to uninstall the product) to disable some of the agent functionality and then exfiltrate files to an external USB device.

5.1
2022-07-06 CVE-2022-20768 Cisco Information Exposure Through Log Files vulnerability in Cisco Telepresence Collaboration Endpoint

A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system.

4.9
2022-07-06 CVE-2021-46687 Jfrog Exposure of Resource to Wrong Sphere vulnerability in Jfrog Artifactory

JFrog Artifactory prior to version 7.31.10 and 6.23.38 is vulnerable to Sensitive Data Exposure through the Project Administrator REST API.

4.9
2022-07-05 CVE-2022-31770 IBM Unspecified vulnerability in IBM APP Connect Enterprise Certified Container 4.2

IBM App Connect Enterprise Certified Container 4.2 could allow a user from the administration console to cause a denial of service by creating a specially crafted request.

4.9
2022-07-08 CVE-2022-28624 HPE Cross-site Scripting vulnerability in HPE products

A potential security vulnerability has been identified in certain HPE FlexNetwork and FlexFabric switch products.

4.8
2022-07-07 CVE-2022-32060 Snipeitapp Cross-site Scripting vulnerability in Snipeitapp Snipe-It 6.0.2

An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.

4.8
2022-07-07 CVE-2022-32061 Snipeitapp Cross-site Scripting vulnerability in Snipeitapp Snipe-It 6.0.2

An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.

4.8
2022-07-07 CVE-2022-31029 PI Hole Unspecified vulnerability in Pi-Hole Adminlte 5.12

AdminLTE is a Pi-hole Dashboard for stats and configuration.

4.8
2022-07-07 CVE-2022-31133 Humhub Unspecified vulnerability in Humhub

HumHub is an Open Source Enterprise Social Network.

4.8
2022-07-04 CVE-2021-25056 Ninjaforms Cross-site Scripting vulnerability in Ninjaforms Ninja Forms

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-07-04 CVE-2021-25066 Ninjaforms Unspecified vulnerability in Ninjaforms Ninja Forms

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-07-04 CVE-2022-1301 Wpexperts Unspecified vulnerability in Wpexperts WP Contact Slider

The WP Contact Slider WordPress plugin before 2.4.7 does not sanitize and escape the Text to Display settings of sliders, which could allow high privileged users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

4.8
2022-07-04 CVE-2022-29513 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Scheduler of Cybozu Garoon 4.10.0 to 5.5.1 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary script.

4.8
2022-07-05 CVE-2022-33744 Linux
Debian
Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings.
4.7
2022-07-06 CVE-2021-3695 GNU
Fedoraproject
Redhat
Netapp
Out-of-bounds Write vulnerability in multiple products

A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area.

4.5
2022-07-06 CVE-2021-3696 GNU
Redhat
Netapp
Out-of-bounds Write vulnerability in multiple products

A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader.

4.5
2022-07-06 CVE-2022-21769 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In CCCI, there is a possible out of bounds read due to a missing bounds check.

4.4
2022-07-08 CVE-2022-35406 Portswigger Open Redirect vulnerability in Portswigger Burp Suite

A URL disclosure issue was discovered in Burp Suite before 2022.6.

4.3
2022-07-08 CVE-2022-30852 Withknown Authorization Bypass Through User-Controlled Key vulnerability in Withknown Known

Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).

4.3
2022-07-07 CVE-2022-28889 Apache Improper Restriction of Rendered UI Layers or Frames vulnerability in Apache Druid

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking.

4.3
2022-07-07 CVE-2022-32205 Haxx
Fedoraproject
Debian
Netapp
Apple
Siemens
Splunk
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them.

4.3
2022-07-06 CVE-2022-20862 Cisco Path Traversal vulnerability in Cisco Unified Communications Manager

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device.

4.3
2022-07-06 CVE-2022-31131 Nextcloud Authorization Bypass Through User-Controlled Key vulnerability in Nextcloud Mail

Nextcloud mail is a Mail app for the Nextcloud home server product.

4.3
2022-07-06 CVE-2022-23172 Priority Software Weak Password Recovery Mechanism for Forgotten Password vulnerability in Priority-Software Priority 19.1.0.68

An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user.

4.3
2022-07-06 CVE-2021-37839 Apache Improper Check for Dropped Privileges vulnerability in Apache Superset

Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on.

4.3
2022-07-06 CVE-2022-32290 Northern Tech Incorrect Authorization vulnerability in Northern.Tech Mender 3.2.0/3.2.1/3.2.2

The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control.

4.3
2022-07-04 CVE-2022-26051 Cybozu Unspecified vulnerability in Cybozu Garoon

Operation restriction bypass vulnerability in Portal of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Portal.

4.3
2022-07-04 CVE-2022-26054 Cybozu Unspecified vulnerability in Cybozu Garoon

Operation restriction bypass vulnerability in Link of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Link.

4.3
2022-07-04 CVE-2022-27661 Cybozu Unspecified vulnerability in Cybozu Garoon

Operation restriction bypass vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Workflow.

4.3
2022-07-04 CVE-2022-27803 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in Space of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Space.

4.3
2022-07-04 CVE-2022-27807 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in Link of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to disable to add Categories.

4.3
2022-07-04 CVE-2022-28692 Cybozu Improper Input Validation vulnerability in Cybozu Garoon

Improper input validation vulnerability in Scheduler of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to alter the data of Scheduler.

4.3
2022-07-04 CVE-2022-28718 Cybozu Unspecified vulnerability in Cybozu Garoon

Operation restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.5.1 allow a remote authenticated attacker to alter the data of Bulletin.

4.3
2022-07-04 CVE-2022-29467 Cybozu Information Exposure vulnerability in Cybozu Garoon

Address information disclosure vulnerability in Cybozu Garoon 4.2.0 to 5.5.1 allows a remote authenticated attacker to obtain some data of Address.

4.3
2022-07-04 CVE-2022-29471 Cybozu Unspecified vulnerability in Cybozu Garoon

Browse restriction bypass vulnerability in Bulletin of Cybozu Garoon allows a remote authenticated attacker to obtain the data of Bulletin.

4.3

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-07-05 CVE-2022-31014 Nextcloud Injection vulnerability in Nextcloud Server

Nextcloud server is an open source personal cloud server.

3.5
2022-07-07 CVE-2022-2047 Eclipse
Debian
Netapp
Improper Input Validation vulnerability in multiple products

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname.

2.7
2022-07-07 CVE-2022-23744 Checkpoint Unspecified vulnerability in Checkpoint Endpoint Security and Harmony Endpoint

Check Point Endpoint before version E86.50 failed to protect against specific registry change which allowed to disable endpoint protection by a local administrator.

2.3