Weekly Vulnerabilities Reports > August 1 to 7, 2022

Overview

109 new vulnerabilities reported during this period, including 23 critical vulnerabilities and 35 high severity vulnerabilities. This weekly summary report vulnerabilities in 138 products from 76 vendors including Samsung, Fedoraproject, Debian, Gitlab, and Vmware. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Path Traversal", "Missing Authorization", "Incorrect Authorization", and "Improper Authentication".

  • 78 reported vulnerabilities are remotely exploitables.
  • 23 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 61 reported vulnerabilities are exploitable by an anonymous user.
  • Samsung has the most reported vulnerabilities, with 13 reported vulnerabilities.
  • Debian has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

23 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-08-07 CVE-2022-37452 Exim
Debian
Out-of-bounds Write vulnerability in multiple products

Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.

9.8
2022-08-05 CVE-2022-26376 Asus
Asuswrt Merlin
Out-of-bounds Write vulnerability in multiple products

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7..

9.8
2022-08-05 CVE-2022-27631 DD WRT Out-of-bounds Write vulnerability in Dd-Wrt

A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599.

9.8
2022-08-05 CVE-2022-28664 Freshtomato Out-of-bounds Write vulnerability in Freshtomato 2022.1

A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1.

9.8
2022-08-05 CVE-2022-28665 Freshtomato Out-of-bounds Write vulnerability in Freshtomato 2022.1

A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1.

9.8
2022-08-05 CVE-2022-29465 Accusoft Out-of-bounds Write vulnerability in Accusoft Imagegear 20.0

An out-of-bounds write vulnerability exists in the PSD Header processing memory allocation functionality of Accusoft ImageGear 20.0.

9.8
2022-08-05 CVE-2022-31656 Vmware Unspecified vulnerability in VMWare products

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.

9.8
2022-08-05 CVE-2022-31657 Vmware Open Redirect vulnerability in VMWare products

VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability.

9.8
2022-08-05 CVE-2022-37434 Zlib
Fedoraproject
Debian
Netapp
Apple
Stormshield
Out-of-bounds Write vulnerability in multiple products

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

9.8
2022-08-05 CVE-2022-21186 Acrontum Unspecified vulnerability in Acrontum Filesystem-Template 0.0.1

The package @acrontum/filesystem-template before 0.0.2 are vulnerable to Arbitrary Command Injection due to the fetchRepo API missing sanitization of the href field of external input.

9.8
2022-08-04 CVE-2022-25168 Apache OS Command Injection vulnerability in Apache Hadoop

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell.

9.8
2022-08-04 CVE-2022-32964 Omicard EDM Project SQL Injection vulnerability in Omicard EDM Project Omicard EDM

OMICARD EDM’s API function has insufficient validation for user input.

9.8
2022-08-04 CVE-2022-32965 Omicard EDM Project Use of Hard-coded Credentials vulnerability in Omicard EDM Project Omicard EDM

OMICARD EDM has a hard-coded machine key.

9.8
2022-08-04 CVE-2022-2651 Joinbookwyrm Authentication Bypass by Primary Weakness vulnerability in Joinbookwyrm Bookwyrm

Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5.

9.8
2022-08-03 CVE-2022-35866 Vinchin Use of Hard-coded Credentials vulnerability in Vinchin Backup and Recovery 6.5.0.17561

This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561.

9.8
2022-08-03 CVE-2022-32292 Intel
Debian
Out-of-bounds Write vulnerability in multiple products

In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code.

9.8
2022-08-02 CVE-2022-30285 Quest Inadequate Encryption Strength vulnerability in Quest Kace Systems Management Appliance

In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication.

9.8
2022-08-02 CVE-2022-35925 Joinbookwyrm Improper Restriction of Excessive Authentication Attempts vulnerability in Joinbookwyrm Bookwyrm

BookWyrm is a social network for tracking reading.

9.8
2022-08-02 CVE-2022-35223 Easyuse Deserialization of Untrusted Data vulnerability in Easyuse Mailhunter Ultimate 2020

EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability.

9.8
2022-08-01 CVE-2022-31180 Shescape Project Unspecified vulnerability in Shescape Project Shescape

Shescape is a simple shell escape package for JavaScript.

9.8
2022-08-01 CVE-2022-31188 Cvat Server-Side Request Forgery (SSRF) vulnerability in Cvat

CVAT is an opensource interactive video and image annotation tool for computer vision.

9.8
2022-08-01 CVE-2022-26437 Mediatek Use of Uninitialized Resource vulnerability in Mediatek Nbiot SDK 2.8.1

In httpclient, there is a possible out of bounds write due to uninitialized data.

9.8
2022-08-01 CVE-2022-27255 Realtek Improper Input Validation vulnerability in Realtek Ecos Msdk Firmware and Ecos Rsdk Firmware

In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow.

9.8

35 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-08-05 CVE-2022-25649 Storeapps Unspecified vulnerability in Storeapps Affiliate for Woocommerce

Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.

8.8
2022-08-05 CVE-2022-2636 Hestiacp Code Injection vulnerability in Hestiacp Control Panel

Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6.

8.8
2022-08-03 CVE-2022-36359 Djangoproject
Debian
Download of Code Without Integrity Check vulnerability in multiple products

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7.

8.8
2022-08-05 CVE-2022-1012 Linux Memory Leak vulnerability in Linux Kernel

A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size.

8.2
2022-08-03 CVE-2022-32293 Intel
Debian
Use After Free vulnerability in multiple products

In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.

8.1
2022-08-02 CVE-2022-37035 Frrouting Race Condition vulnerability in Frrouting 8.3

An issue was discovered in bgpd in FRRouting (FRR) 8.3.

8.1
2022-08-03 CVE-2022-31197 Postgresql
Debian
Fedoraproject
SQL Injection vulnerability in multiple products

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code.

8.0
2022-08-05 CVE-2022-29886 Estsoft Integer Overflow or Wraparound vulnerability in Estsoft Alyac 2.5.8.544

An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files.

7.8
2022-08-05 CVE-2022-32543 Estsoft Integer Overflow or Wraparound vulnerability in Estsoft Alyac 2.5.8.544

An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files.

7.8
2022-08-05 CVE-2022-31609 Nvidia Unspecified vulnerability in Nvidia Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it allows the guest VM to allocate resources for which the guest is not authorized.

7.8
2022-08-05 CVE-2022-1158 Linux
Fedoraproject
Redhat
Use After Free vulnerability in multiple products

A flaw was found in KVM.

7.8
2022-08-05 CVE-2022-31660 Vmware Unspecified vulnerability in VMWare products

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability.

7.8
2022-08-05 CVE-2022-31661 Vmware Unspecified vulnerability in VMWare products

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities.

7.8
2022-08-05 CVE-2022-31664 Vmware Unspecified vulnerability in VMWare products

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability.

7.8
2022-08-05 CVE-2022-36833 Samsung Improper Privilege Management vulnerability in Samsung Gameoptimizingservice

Improper Privilege Management vulnerability in Game Optimizing Service prior to versions 3.3.04.0 in Android 10, and 3.5.04.8 in Android 11 and above allows local attacker to execute hidden function for developer by changing package name.

7.8
2022-08-05 CVE-2022-36840 Samsung Uncontrolled Search Path Element vulnerability in Samsung Update

DLL hijacking vulnerability in Samsung Update Setup prior to version 2.2.9.50 allows attackers to execute arbitrary code.

7.8
2022-08-05 CVE-2022-37415 Uniwill Out-of-bounds Write vulnerability in Uniwill Sparkio.Sys 1.0

The Uniwill SparkIO.sys driver 1.0 is vulnerable to a stack-based buffer overflow via IOCTL 0x40002008.

7.8
2022-08-01 CVE-2022-26429 Google Missing Authorization vulnerability in Google Android 11.0/12.0

In cta, there is a possible way to write permission usage records of an app due to a missing permission check.

7.8
2022-08-06 CVE-2022-37451 Exim
Fedoraproject
Release of Invalid Pointer or Reference vulnerability in multiple products

Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.

7.5
2022-08-05 CVE-2022-27660 TCL Unspecified vulnerability in TCL Linkhub Mesh Wifi Ac1200 Ms1G0001.0014

A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14.

7.5
2022-08-04 CVE-2022-32455 F5 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in F5 products

In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when a BIG-IP LTM Client SSL profile is configured on a virtual server to perform client certificate authentication with session tickets enabled, undisclosed requests cause the Traffic Management Microkernel (TMM) to terminate.

7.5
2022-08-04 CVE-2022-32963 Omicard EDM Project Path Traversal vulnerability in Omicard EDM Project Omicard EDM

OMICARD EDM’s mail file relay function has a path traversal vulnerability.

7.5
2022-08-04 CVE-2022-35216 Omicard EDM Project Path Traversal vulnerability in Omicard EDM Project Omicard EDM

OMICARD EDM’s mail image relay function has a path traversal vulnerability.

7.5
2022-08-03 CVE-2022-35506 Triplecross Project Out-of-bounds Write vulnerability in Triplecross Project Triplecross 0.1.0

TripleCross v0.1.0 was discovered to contain a stack overflow which occurs because there is no limit to the length of program parameters.

7.5
2022-08-03 CVE-2022-35737 Sqlite
Netapp
Splunk
Improper Validation of Array Index vulnerability in multiple products

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

7.5
2022-08-02 CVE-2022-35923 V8N Project Unspecified vulnerability in V8N Project V8N

v8n is a javascript validation library.

7.5
2022-08-01 CVE-2022-35922 Rust Websocket Project
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

Rust-WebSocket is a WebSocket (RFC6455) library written in Rust.

7.5
2022-08-01 CVE-2022-31198 Openzeppelin Incorrect Calculation vulnerability in Openzeppelin Contracts and Contracts Upgradeable

OpenZeppelin Contracts is a library for secure smart contract development.

7.5
2022-08-01 CVE-2022-31173 Juniper Project Uncontrolled Recursion vulnerability in Juniper Project Juniper

Juniper is a GraphQL server library for Rust.

7.5
2022-08-01 CVE-2022-2509 GNU
Redhat
Fedoraproject
Debian
Double Free vulnerability in multiple products

A vulnerability found in gnutls.

7.5
2022-08-01 CVE-2022-2591 TEM Improper Resource Shutdown or Release vulnerability in TEM Flex-1085 Firmware 1.6.0

A vulnerability classified as critical has been found in TEM FLEX-1085 1.6.0.

7.5
2022-08-02 CVE-2022-29154 Samba
Fedoraproject
Improper Input Validation vulnerability in multiple products

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers.

7.4
2022-08-01 CVE-2022-30616 IBM Unspecified vulnerability in IBM Robotic Process Automation

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a privileged user to elevate their privilege to platform administrator through manipulation of APIs.

7.2
2022-08-01 CVE-2022-36799 Atlassian Code Injection vulnerability in Atlassian Jira Data Center and Jira Server

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented.

7.2
2022-08-05 CVE-2022-1973 Linux
Fedoraproject
Netapp
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the Linux kernel in log_replay in fs/ntfs3/fslog.c in the NTFS journal.

7.1

43 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-08-05 CVE-2022-2675 Unitree Unspecified vulnerability in Unitree GO 1 Firmware

Using off-the-shelf commodity hardware, the Unitree Go 1 robotics platform version H0.1.7 and H0.1.9 (using firmware version 0.1.35) can be powered down by an attacker within normal RF range without authentication.

6.5
2022-08-05 CVE-2022-2512 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1.

6.5
2022-08-01 CVE-2022-35918 Snowflake Path Traversal vulnerability in Snowflake Streamlit

Streamlit is a data oriented application development framework for python.

6.5
2022-08-01 CVE-2022-30698 Nlnetlabs
Fedoraproject
Insufficient Session Expiration vulnerability in multiple products

NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack.

6.5
2022-08-01 CVE-2022-30699 Nlnetlabs
Fedoraproject
Insufficient Session Expiration vulnerability in multiple products

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack.

6.5
2022-08-01 CVE-2022-2370 Yaycommerce Missing Authorization vulnerability in Yaycommerce Yaysmtp

The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them

6.5
2022-08-01 CVE-2022-35716 IBM Incorrect Authorization vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.16, 7.0.0.0 through 7.0.5.11, 7.1.0.0 through 7.1.2.7, and 7.2.0.0 through 7.2.3.0 could allow an authenticated user to obtain sensitive information in some instances due to improper security checking.

6.5
2022-08-05 CVE-2022-2497 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1.

6.4
2022-08-05 CVE-2022-37431 Dotcms Cross-site Scripting vulnerability in Dotcms

A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06.

6.1
2022-08-02 CVE-2021-23385 Flask Security Project Open Redirect vulnerability in Flask-Security Project Flask-Security

This affects all versions of package Flask-Security.

6.1
2022-08-01 CVE-2022-2241 Fifu Improper Encoding or Escaping of Output vulnerability in Fifu Featured Image From URL

The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

6.1
2022-08-05 CVE-2022-37450 Ethereum Unspecified vulnerability in Ethereum GO Ethereum

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

5.9
2022-08-01 CVE-2022-2596 Node Fetch Project Unspecified vulnerability in Node-Fetch Project Node-Fetch

Inefficient Regular Expression Complexity in GitHub repository node-fetch/node-fetch prior to 3.2.10.

5.9
2022-08-05 CVE-2022-29071 Arista Information Exposure Through Log Files vulnerability in Arista Cloudvision Portal

This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked in the Audit and System logs.

5.5
2022-08-05 CVE-2021-27798 Broadcom Path Traversal vulnerability in Broadcom Fabric Operating System 7.3.1D/7.4.1B

A vulnerability in Brocade Fabric OS versions v7.4.1b and v7.3.1d could allow local users to conduct privileged directory transversal.

5.5
2022-08-05 CVE-2022-33715 Google Unspecified vulnerability in Google Android 11.0/12.0

Improper access control and path traversal vulnerability in LauncherProvider prior to SMR Aug-2022 Release 1 allow local attacker to access files of One UI.

5.5
2022-08-05 CVE-2022-33734 Samsung Unspecified vulnerability in Samsung Charm

Sensitive information exposure in onCharacteristicChanged in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission.

5.5
2022-08-05 CVE-2022-34769 Rashim OS Command Injection vulnerability in Rashim Michlol

Michlol - rashim web interface Insecure direct object references (IDOR). First of all, the attacker needs to login. After he performs log into the system there are some functionalities that the specific user is not allowed to perform. However all the attacker needs to do in order to achieve his goals is to change the value of the ptMsl parameter and then the attacker can access sensitive data that he not supposed to access because its belong to another user.

5.5
2022-08-05 CVE-2022-36829 Samsung Unspecified vulnerability in Samsung Charm Firmware

PendingIntent hijacking vulnerability in releaseAlarm in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.

5.5
2022-08-05 CVE-2022-36830 Samsung Unspecified vulnerability in Samsung Charm Firmware

PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.

5.5
2022-08-05 CVE-2022-36831 Samsung Path Traversal vulnerability in Samsung Notes

Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39 allows attacker to access some file as Samsung Notes permission.

5.5
2022-08-05 CVE-2022-36836 Samsung Missing Authorization vulnerability in Samsung Charm Firmware

Unprotected provider vulnerability in Charm by Samsung prior to version 1.2.3 allows attackers to read connection state without permission.

5.5
2022-08-05 CVE-2022-36837 Samsung Unspecified vulnerability in Samsung Email

Intent redirection vulnerability using implicit intent in Samsung email prior to version 6.1.70.20 allows attacker to get sensitive information.

5.5
2022-08-05 CVE-2022-36839 Samsung SQL Injection vulnerability in Samsung Checkout

SQL injection vulnerability via IAPService in Samsung Checkout prior to version 5.0.53.1 allows attackers to access IAP information.

5.5
2022-08-03 CVE-2022-35928 Aescrypt Improper Validation of Specified Quantity in Input vulnerability in Aescrypt AES Crypt 3.11

AES Crypt is a file encryption software for multiple platforms.

5.5
2022-08-01 CVE-2022-2598 VIM
Debian
Out-of-bounds Write vulnerability in multiple products

Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100.

5.5
2022-08-02 CVE-2022-23733 Github Cross-site Scripting vulnerability in Github Enterprise Server

A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes.

5.4
2022-08-05 CVE-2022-2539 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.6 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1, allowed a project member to filter issues by contact and organization.

5.3
2022-08-05 CVE-2022-36296 Jumpdemand Improper Authentication vulnerability in Jumpdemand Activedemand

Broken Authentication vulnerability in JumpDEMAND Inc.

5.3
2022-08-01 CVE-2022-35917 Solanalabs Always-Incorrect Control Flow Implementation vulnerability in Solanalabs PAY

Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services.

5.3
2022-08-01 CVE-2022-35915 Openzeppelin Allocation of Resources Without Limits or Throttling vulnerability in Openzeppelin products

OpenZeppelin Contracts is a library for secure smart contract development.

5.3
2022-08-01 CVE-2022-35916 Openzeppelin Incorrect Resource Transfer Between Spheres vulnerability in Openzeppelin Contracts and Contracts Upgradeable

OpenZeppelin Contracts is a library for secure smart contract development.

5.3
2022-08-01 CVE-2022-31190 Duraspace Incorrect Authorization vulnerability in Duraspace Dspace

DSpace open source software is a repository application which provides durable access to digital resources.

5.3
2022-08-01 CVE-2022-0598 Idehweb Cross-site Scripting vulnerability in Idehweb Login With Phone Number

The Login with phone number WordPress plugin before 1.3.8 does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-08-05 CVE-2022-36838 Samsung Unspecified vulnerability in Samsung Galaxy Wearable

Implicit Intent hijacking vulnerability in Galaxy Wearable prior to version 2.2.50 allows attacker to get sensitive information.

4.6
2022-08-05 CVE-2022-2303 Gitlab Improper Authentication vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1.

4.3
2022-08-03 CVE-2022-23442 Fortinet Unspecified vulnerability in Fortinet Fortios

An improper access control vulnerability [CWE-284] in FortiOS versions 6.2.0 through 6.2.11, 6.4.0 through 6.4.8 and 7.0.0 through 7.0.5 may allow an authenticated attacker with a restricted user profile to gather the checksum information about the other VDOMs via CLI commands.

4.3
2022-08-03 CVE-2022-27484 Fortinet Improper Authentication vulnerability in Fortinet Fortiadc

A unverified password change in Fortinet FortiADC version 6.2.0 through 6.2.3, 6.1.x, 6.0.x, 5.x.x allows an authenticated attacker to bypass the Old Password check in the password change form via a crafted HTTP request.

4.3
2022-08-03 CVE-2022-36800 Atlassian Unspecified vulnerability in Atlassian Jira Service Management

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint.

4.3
2022-08-01 CVE-2022-35921 Friendsofflarum Incorrect Authorization vulnerability in Friendsofflarum Byobu 0.30.0

fof/byobu is a private discussions extension for Flarum forum.

4.3
2022-08-01 CVE-2022-31155 Sourcegraph Incorrect Authorization vulnerability in Sourcegraph

Sourcegraph is an opensource code search and navigation engine.

4.3
2022-08-01 CVE-2022-34307 IBM Missing Encryption of Sensitive Data vulnerability in IBM Cics TX 11.1

IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies.

4.3
2022-08-01 CVE-2022-22334 IBM Unspecified vulnerability in IBM Robotic Process Automation

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user to access information from a tenant of which they should not have access.

4.3

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-08-05 CVE-2022-33733 Samsung Unspecified vulnerability in Samsung Charm

Sensitive information exposure in onCharacteristicRead in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission.

3.3
2022-08-05 CVE-2022-36832 Samsung Unspecified vulnerability in Samsung Cameralyzer 3.2.0/3.3.0/3.4.0

Improper access control vulnerability in WebApp in Cameralyzer prior to versions 3.2.22, 3.3.22, 3.4.22 and 3.5.51 allows attackers to access external storage as Cameralyzer privilege.

3.3
2022-08-05 CVE-2022-36835 Samsung Unspecified vulnerability in Samsung Internet Browser

Implicit Intent hijacking vulnerability in Samsung Internet Browser prior to version 17.0.7.34 allows attackers to access arbitrary files.

3.3
2022-08-05 CVE-2022-2456 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1.

2.7
2022-08-05 CVE-2022-2459 Gitlab Missing Authorization vulnerability in Gitlab

An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1.

2.7
2022-08-01 CVE-2022-35919 Minio Path Traversal vulnerability in Minio

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0.

2.7
2022-08-01 CVE-2022-31177 Flask Appbuilder Project Unspecified vulnerability in Flask-Appbuilder Project Flask-Appbuilder

Flask-AppBuilder is an application development framework built on top of Flask python framework.

2.7
2022-08-05 CVE-2022-33720 Google Improper Authentication vulnerability in Google Android 10.0/11.0

Improper authentication vulnerability in AppLock prior to SMR Aug-2022 Release 1 allows physical attacker to access Chrome locked by AppLock via new tap shortcut.

2.4