Weekly Vulnerabilities Reports > August 1 to 7, 2022
Overview
109 new vulnerabilities were reported during this period, including 23 critical and 35 high severity vulnerabilities. This weekly summary reports vulnerabilities in 138 products from 76 vendors, including Samsung, Fedoraproject, Debian, Gitlab, and Vmware. The vulnerabilities are notably categorized as "Out-of-bounds Write", "Path Traversal", "Missing Authorization", "Incorrect Authorization", and "Improper Authentication".
- 78 reported vulnerabilities are remotely exploitable.
- 23 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 61 reported vulnerabilities are exploitable by an anonymous user.
- Samsung has the most reported vulnerabilities, with 13 reported vulnerabilities.
- Debian has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
23 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-07 | CVE-2022-37452 | Exim Debian | Out-of-bounds Write vulnerability in multiple products Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set. | 9.8 |
2022-08-05 | CVE-2022-26376 | Asus Asuswrt Merlin | Out-of-bounds Write vulnerability in multiple products A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7. | 9.8 |
2022-08-05 | CVE-2022-27631 | DD WRT | Out-of-bounds Write vulnerability in Dd-Wrt A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. | 9.8 |
2022-08-05 | CVE-2022-28664 | Freshtomato | Out-of-bounds Write vulnerability in Freshtomato 2022.1 A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1. | 9.8 |
2022-08-05 | CVE-2022-28665 | Freshtomato | Out-of-bounds Write vulnerability in Freshtomato 2022.1 A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1. | 9.8 |
2022-08-05 | CVE-2022-29465 | Accusoft | Out-of-bounds Write vulnerability in Accusoft Imagegear 20.0 An out-of-bounds write vulnerability exists in the PSD Header processing memory allocation functionality of Accusoft ImageGear 20.0. | 9.8 |
2022-08-05 | CVE-2022-31656 | Vmware | Unspecified vulnerability in VMWare products VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. | 9.8 |
2022-08-05 | CVE-2022-31657 | Vmware | Open Redirect vulnerability in VMWare products VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. | 9.8 |
2022-08-05 | CVE-2022-37434 | Zlib Fedoraproject Debian Netapp Apple Stormshield | Out-of-bounds Write vulnerability in multiple products zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. | 9.8 |
2022-08-05 | CVE-2022-21186 | Acrontum | Unspecified vulnerability in Acrontum Filesystem-Template 0.0.1 The package @acrontum/filesystem-template before 0.0.2 are vulnerable to Arbitrary Command Injection due to the fetchRepo API missing sanitization of the href field of external input. | 9.8 |
2022-08-04 | CVE-2022-25168 | Apache | OS Command Injection vulnerability in Apache Hadoop Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. | 9.8 |
2022-08-04 | CVE-2022-32964 | Omicard EDM Project | SQL Injection vulnerability in Omicard EDM Project Omicard EDM OMICARD EDM’s API function has insufficient validation for user input. | 9.8 |
2022-08-04 | CVE-2022-32965 | Omicard EDM Project | Use of Hard-coded Credentials vulnerability in Omicard EDM Project Omicard EDM OMICARD EDM has a hard-coded machine key. | 9.8 |
2022-08-04 | CVE-2022-2651 | Joinbookwyrm | Authentication Bypass by Primary Weakness vulnerability in Joinbookwyrm Bookwyrm Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5. | 9.8 |
2022-08-03 | CVE-2022-35866 | Vinchin | Use of Hard-coded Credentials vulnerability in Vinchin Backup and Recovery 6.5.0.17561 This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. | 9.8 |
2022-08-03 | CVE-2022-32292 | Intel Debian | Out-of-bounds Write vulnerability in multiple products In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code. | 9.8 |
2022-08-02 | CVE-2022-30285 | Quest | Inadequate Encryption Strength vulnerability in Quest Kace Systems Management Appliance In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. | 9.8 |
2022-08-02 | CVE-2022-35925 | Joinbookwyrm | Improper Restriction of Excessive Authentication Attempts vulnerability in Joinbookwyrm Bookwyrm BookWyrm is a social network for tracking reading. | 9.8 |
2022-08-02 | CVE-2022-35223 | Easyuse | Deserialization of Untrusted Data vulnerability in Easyuse Mailhunter Ultimate 2020 EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability. | 9.8 |
2022-08-01 | CVE-2022-31180 | Shescape Project | Unspecified vulnerability in Shescape Project Shescape Shescape is a simple shell escape package for JavaScript. | 9.8 |
2022-08-01 | CVE-2022-31188 | Cvat | Server-Side Request Forgery (SSRF) vulnerability in Cvat CVAT is an open-source interactive video and image annotation tool for computer vision. | 9.8 |
2022-08-01 | CVE-2022-26437 | Mediatek | Use of Uninitialized Resource vulnerability in Mediatek Nbiot SDK 2.8.1 In httpclient, there is a possible out of bounds write due to uninitialized data. | 9.8 |
2022-08-01 | CVE-2022-27255 | Realtek | Improper Input Validation vulnerability in Realtek Ecos Msdk Firmware and Ecos Rsdk Firmware In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. | 9.8 |
35 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-05 | CVE-2022-25649 | Storeapps | Unspecified vulnerability in Storeapps Affiliate for Woocommerce Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress. | 8.8 |
2022-08-05 | CVE-2022-2636 | Hestiacp | Code Injection vulnerability in Hestiacp Control Panel Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6. | 8.8 |
2022-08-03 | CVE-2022-36359 | Djangoproject Debian | Download of Code Without Integrity Check vulnerability in multiple products An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. | 8.8 |
2022-08-05 | CVE-2022-1012 | Linux | Memory Leak vulnerability in Linux Kernel A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. | 8.2 |
2022-08-03 | CVE-2022-32293 | Intel Debian | Use After Free vulnerability in multiple products In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution. | 8.1 |
2022-08-02 | CVE-2022-37035 | Frrouting | Race Condition vulnerability in Frrouting 8.3 An issue was discovered in bgpd in FRRouting (FRR) 8.3. | 8.1 |
2022-08-03 | CVE-2022-31197 | Postgresql Debian Fedoraproject | SQL Injection vulnerability in multiple products PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. | 8.0 |
2022-08-05 | CVE-2022-29886 | Estsoft | Integer Overflow or Wraparound vulnerability in Estsoft Alyac 2.5.8.544 An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files. | 7.8 |
2022-08-05 | CVE-2022-32543 | Estsoft | Integer Overflow or Wraparound vulnerability in Estsoft Alyac 2.5.8.544 An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files. | 7.8 |
2022-08-05 | CVE-2022-31609 | Nvidia | Unspecified vulnerability in Nvidia Virtual GPU NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it allows the guest VM to allocate resources for which the guest is not authorized. | 7.8 |
2022-08-05 | CVE-2022-1158 | Linux Fedoraproject Redhat | Use After Free vulnerability in multiple products A flaw was found in KVM. | 7.8 |
2022-08-05 | CVE-2022-31660 | Vmware | Unspecified vulnerability in VMWare products VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. | 7.8 |
2022-08-05 | CVE-2022-31661 | Vmware | Unspecified vulnerability in VMWare products VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. | 7.8 |
2022-08-05 | CVE-2022-31664 | Vmware | Unspecified vulnerability in VMWare products VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. | 7.8 |
2022-08-05 | CVE-2022-36833 | Samsung | Improper Privilege Management vulnerability in Samsung Gameoptimizingservice Improper Privilege Management vulnerability in Game Optimizing Service prior to versions 3.3.04.0 in Android 10, and 3.5.04.8 in Android 11 and above allows local attacker to execute hidden function for developer by changing package name. | 7.8 |
2022-08-05 | CVE-2022-36840 | Samsung | Uncontrolled Search Path Element vulnerability in Samsung Update DLL hijacking vulnerability in Samsung Update Setup prior to version 2.2.9.50 allows attackers to execute arbitrary code. | 7.8 |
2022-08-05 | CVE-2022-37415 | Uniwill | Out-of-bounds Write vulnerability in Uniwill Sparkio.Sys 1.0 The Uniwill SparkIO.sys driver 1.0 is vulnerable to a stack-based buffer overflow via IOCTL 0x40002008. | 7.8 |
2022-08-01 | CVE-2022-26429 | | Missing Authorization vulnerability in Google Android 11.0/12.0 In cta, there is a possible way to write permission usage records of an app due to a missing permission check. | 7.8 |
2022-08-06 | CVE-2022-37451 | Exim Fedoraproject | Release of Invalid Pointer or Reference vulnerability in multiple products Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc. | 7.5 |
2022-08-05 | CVE-2022-27660 | TCL | Unspecified vulnerability in TCL Linkhub Mesh Wifi Ac1200 Ms1G0001.0014 A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. | 7.5 |
2022-08-04 | CVE-2022-32455 | F5 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in F5 products In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when a BIG-IP LTM Client SSL profile is configured on a virtual server to perform client certificate authentication with session tickets enabled, undisclosed requests cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 |
2022-08-04 | CVE-2022-32963 | Omicard EDM Project | Path Traversal vulnerability in Omicard EDM Project Omicard EDM OMICARD EDM’s mail file relay function has a path traversal vulnerability. | 7.5 |
2022-08-04 | CVE-2022-35216 | Omicard EDM Project | Path Traversal vulnerability in Omicard EDM Project Omicard EDM OMICARD EDM’s mail image relay function has a path traversal vulnerability. | 7.5 |
2022-08-03 | CVE-2022-35506 | Triplecross Project | Out-of-bounds Write vulnerability in Triplecross Project Triplecross 0.1.0 TripleCross v0.1.0 was discovered to contain a stack overflow which occurs because there is no limit to the length of program parameters. | 7.5 |
2022-08-03 | CVE-2022-35737 | Sqlite Netapp Splunk | Improper Validation of Array Index vulnerability in multiple products SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API. | 7.5 |
2022-08-02 | CVE-2022-35923 | V8N Project | Unspecified vulnerability in V8N Project V8N v8n is a javascript validation library. | 7.5 |
2022-08-01 | CVE-2022-35922 | Rust Websocket Project Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. | 7.5 |
2022-08-01 | CVE-2022-31198 | Openzeppelin | Incorrect Calculation vulnerability in Openzeppelin Contracts and Contracts Upgradeable OpenZeppelin Contracts is a library for secure smart contract development. | 7.5 |
2022-08-01 | CVE-2022-31173 | Juniper Project | Uncontrolled Recursion vulnerability in Juniper Project Juniper Juniper is a GraphQL server library for Rust. | 7.5 |
2022-08-01 | CVE-2022-2509 | GNU Redhat Fedoraproject Debian | Double Free vulnerability in multiple products A vulnerability found in gnutls. | 7.5 |
2022-08-01 | CVE-2022-2591 | TEM | Improper Resource Shutdown or Release vulnerability in TEM Flex-1085 Firmware 1.6.0 A vulnerability classified as critical has been found in TEM FLEX-1085 1.6.0. | 7.5 |
2022-08-02 | CVE-2022-29154 | Samba Fedoraproject | Improper Input Validation vulnerability in multiple products An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. | 7.4 |
2022-08-01 | CVE-2022-30616 | IBM | Unspecified vulnerability in IBM Robotic Process Automation IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a privileged user to elevate their privilege to platform administrator through manipulation of APIs. | 7.2 |
2022-08-01 | CVE-2022-36799 | Atlassian | Code Injection vulnerability in Atlassian Jira Data Center and Jira Server This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. | 7.2 |
2022-08-05 | CVE-2022-1973 | Linux Fedoraproject Netapp | Use After Free vulnerability in multiple products A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal. | 7.1 |
43 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-05 | CVE-2022-2675 | Unitree | Unspecified vulnerability in Unitree GO 1 Firmware Using off-the-shelf commodity hardware, the Unitree Go 1 robotics platform version H0.1.7 and H0.1.9 (using firmware version 0.1.35) can be powered down by an attacker within normal RF range without authentication. | 6.5 |
2022-08-05 | CVE-2022-2512 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. | 6.5 |
2022-08-01 | CVE-2022-35918 | Snowflake | Path Traversal vulnerability in Snowflake Streamlit Streamlit is a data oriented application development framework for python. | 6.5 |
2022-08-01 | CVE-2022-30698 | Nlnetlabs Fedoraproject | Insufficient Session Expiration vulnerability in multiple products NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. | 6.5 |
2022-08-01 | CVE-2022-30699 | Nlnetlabs Fedoraproject | Insufficient Session Expiration vulnerability in multiple products NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. | 6.5 |
2022-08-01 | CVE-2022-2370 | Yaycommerce | Missing Authorization vulnerability in Yaycommerce Yaysmtp The YaySMTP WordPress plugin before 2.2.1 does not have a capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated user, such as a subscriber, to retrieve them. | 6.5 |
2022-08-01 | CVE-2022-35716 | IBM | Incorrect Authorization vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. | 6.5 |
2022-08-05 | CVE-2022-2497 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. | 6.4 |
2022-08-05 | CVE-2022-37431 | Dotcms | Cross-site Scripting vulnerability in Dotcms A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. | 6.1 |
2022-08-02 | CVE-2021-23385 | Flask Security Project | Open Redirect vulnerability in Flask-Security Project Flask-Security This affects all versions of package Flask-Security. | 6.1 |
2022-08-01 | CVE-2022-2241 | Fifu | Improper Encoding or Escaping of Output vulnerability in Fifu Featured Image From URL The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | 6.1 |
2022-08-05 | CVE-2022-37450 | Ethereum | Unspecified vulnerability in Ethereum GO Ethereum Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022. | 5.9 |
2022-08-01 | CVE-2022-2596 | Node Fetch Project | Unspecified vulnerability in Node-Fetch Project Node-Fetch Inefficient Regular Expression Complexity in GitHub repository node-fetch/node-fetch prior to 3.2.10. | 5.9 |
2022-08-05 | CVE-2022-29071 | Arista | Information Exposure Through Log Files vulnerability in Arista Cloudvision Portal This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked in the Audit and System logs. | 5.5 |
2022-08-05 | CVE-2021-27798 | Broadcom | Path Traversal vulnerability in Broadcom Fabric Operating System 7.3.1D/7.4.1B A vulnerability in Brocade Fabric OS versions v7.4.1b and v7.3.1d could allow local users to conduct privileged directory transversal. | 5.5 |
2022-08-05 | CVE-2022-33715 | | Unspecified vulnerability in Google Android 11.0/12.0 Improper access control and path traversal vulnerability in LauncherProvider prior to SMR Aug-2022 Release 1 allow local attacker to access files of One UI. | 5.5 |
2022-08-05 | CVE-2022-33734 | Samsung | Unspecified vulnerability in Samsung Charm Sensitive information exposure in onCharacteristicChanged in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission. | 5.5 |
2022-08-05 | CVE-2022-34769 | Rashim | OS Command Injection vulnerability in Rashim Michlol Michlol - rashim web interface Insecure direct object references (IDOR). First, the attacker needs to log in. After logging into the system, there are some functionalities that the specific user is not allowed to perform. However, all the attacker needs to do to achieve this is change the value of the ptMsl parameter; the attacker can then access sensitive data that belongs to another user and that they are not supposed to access. | 5.5 |
2022-08-05 | CVE-2022-36829 | Samsung | Unspecified vulnerability in Samsung Charm Firmware PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent. | 5.5 |
2022-08-05 | CVE-2022-36830 | Samsung | Unspecified vulnerability in Samsung Charm Firmware PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent. | 5.5 |
2022-08-05 | CVE-2022-36831 | Samsung | Path Traversal vulnerability in Samsung Notes Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39 allows attacker to access some file as Samsung Notes permission. | 5.5 |
2022-08-05 | CVE-2022-36836 | Samsung | Missing Authorization vulnerability in Samsung Charm Firmware Unprotected provider vulnerability in Charm by Samsung prior to version 1.2.3 allows attackers to read connection state without permission. | 5.5 |
2022-08-05 | CVE-2022-36837 | Samsung | Unspecified vulnerability in Samsung Email Intent redirection vulnerability using implicit intent in Samsung email prior to version 6.1.70.20 allows attacker to get sensitive information. | 5.5 |
2022-08-05 | CVE-2022-36839 | Samsung | SQL Injection vulnerability in Samsung Checkout SQL injection vulnerability via IAPService in Samsung Checkout prior to version 5.0.53.1 allows attackers to access IAP information. | 5.5 |
2022-08-03 | CVE-2022-35928 | Aescrypt | Improper Validation of Specified Quantity in Input vulnerability in Aescrypt AES Crypt 3.11 AES Crypt is a file encryption software for multiple platforms. | 5.5 |
2022-08-01 | CVE-2022-2598 | VIM Debian | Out-of-bounds Write vulnerability in multiple products Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100. | 5.5 |
2022-08-02 | CVE-2022-23733 | Github | Cross-site Scripting vulnerability in Github Enterprise Server A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. | 5.4 |
2022-08-05 | CVE-2022-2539 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.6 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1, allowed a project member to filter issues by contact and organization. | 5.3 |
2022-08-05 | CVE-2022-36296 | Jumpdemand | Improper Authentication vulnerability in Jumpdemand Activedemand Broken Authentication vulnerability in JumpDEMAND Inc. | 5.3 |
2022-08-01 | CVE-2022-35917 | Solanalabs | Always-Incorrect Control Flow Implementation vulnerability in Solanalabs PAY Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services. | 5.3 |
2022-08-01 | CVE-2022-35915 | Openzeppelin | Allocation of Resources Without Limits or Throttling vulnerability in Openzeppelin products OpenZeppelin Contracts is a library for secure smart contract development. | 5.3 |
2022-08-01 | CVE-2022-35916 | Openzeppelin | Incorrect Resource Transfer Between Spheres vulnerability in Openzeppelin Contracts and Contracts Upgradeable OpenZeppelin Contracts is a library for secure smart contract development. | 5.3 |
2022-08-01 | CVE-2022-31190 | Duraspace | Incorrect Authorization vulnerability in Duraspace Dspace DSpace open source software is a repository application which provides durable access to digital resources. | 5.3 |
2022-08-01 | CVE-2022-0598 | Idehweb | Cross-site Scripting vulnerability in Idehweb Login With Phone Number The Login with phone number WordPress plugin before 1.3.8 does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-08-05 | CVE-2022-36838 | Samsung | Unspecified vulnerability in Samsung Galaxy Wearable Implicit Intent hijacking vulnerability in Galaxy Wearable prior to version 2.2.50 allows attacker to get sensitive information. | 4.6 |
2022-08-05 | CVE-2022-2303 | Gitlab | Improper Authentication vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. | 4.3 |
2022-08-03 | CVE-2022-23442 | Fortinet | Unspecified vulnerability in Fortinet Fortios An improper access control vulnerability [CWE-284] in FortiOS versions 6.2.0 through 6.2.11, 6.4.0 through 6.4.8 and 7.0.0 through 7.0.5 may allow an authenticated attacker with a restricted user profile to gather the checksum information about the other VDOMs via CLI commands. | 4.3 |
2022-08-03 | CVE-2022-27484 | Fortinet | Improper Authentication vulnerability in Fortinet Fortiadc A unverified password change in Fortinet FortiADC version 6.2.0 through 6.2.3, 6.1.x, 6.0.x, 5.x.x allows an authenticated attacker to bypass the Old Password check in the password change form via a crafted HTTP request. | 4.3 |
2022-08-03 | CVE-2022-36800 | Atlassian | Unspecified vulnerability in Atlassian Jira Service Management Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint. | 4.3 |
2022-08-01 | CVE-2022-35921 | Friendsofflarum | Incorrect Authorization vulnerability in Friendsofflarum Byobu 0.30.0 fof/byobu is a private discussions extension for Flarum forum. | 4.3 |
2022-08-01 | CVE-2022-31155 | Sourcegraph | Incorrect Authorization vulnerability in Sourcegraph Sourcegraph is an open-source code search and navigation engine. | 4.3 |
2022-08-01 | CVE-2022-34307 | IBM | Missing Encryption of Sensitive Data vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. | 4.3 |
2022-08-01 | CVE-2022-22334 | IBM | Unspecified vulnerability in IBM Robotic Process Automation IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user to access information from a tenant of which they should not have access. | 4.3 |
8 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-05 | CVE-2022-33733 | Samsung | Unspecified vulnerability in Samsung Charm Sensitive information exposure in onCharacteristicRead in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission. | 3.3 |
2022-08-05 | CVE-2022-36832 | Samsung | Unspecified vulnerability in Samsung Cameralyzer 3.2.0/3.3.0/3.4.0 Improper access control vulnerability in WebApp in Cameralyzer prior to versions 3.2.22, 3.3.22, 3.4.22 and 3.5.51 allows attackers to access external storage as Cameralyzer privilege. | 3.3 |
2022-08-05 | CVE-2022-36835 | Samsung | Unspecified vulnerability in Samsung Internet Browser Implicit Intent hijacking vulnerability in Samsung Internet Browser prior to version 17.0.7.34 allows attackers to access arbitrary files. | 3.3 |
2022-08-05 | CVE-2022-2456 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. | 2.7 |
2022-08-05 | CVE-2022-2459 | Gitlab | Missing Authorization vulnerability in Gitlab An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. | 2.7 |
2022-08-01 | CVE-2022-35919 | Minio | Path Traversal vulnerability in Minio MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. | 2.7 |
2022-08-01 | CVE-2022-31177 | Flask Appbuilder Project | Unspecified vulnerability in Flask-Appbuilder Project Flask-Appbuilder Flask-AppBuilder is an application development framework built on top of Flask python framework. | 2.7 |
2022-08-05 | CVE-2022-33720 | | Improper Authentication vulnerability in Google Android 10.0/11.0 Improper authentication vulnerability in AppLock prior to SMR Aug-2022 Release 1 allows physical attacker to access Chrome locked by AppLock via new tap shortcut. | 2.4 |