Weekly Vulnerabilities Reports > August 15 to 21, 2022
Overview
158 new vulnerabilities reported during this period, including 18 critical vulnerabilities and 61 high severity vulnerabilities. This weekly summary report vulnerabilities in 773 products from 81 vendors including Intel, Fedoraproject, Swftools, Otfcc Project, and VIM. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Out-of-bounds Read", "Use After Free", and "NULL Pointer Dereference".
- 99 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities have public exploit available.
- 37 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 97 reported vulnerabilities are exploitable by an anonymous user.
- Intel has the most reported vulnerabilities, with 20 reported vulnerabilities.
- Intel has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
18 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-21 | CVE-2022-34916 | Apache | Improper Input Validation vulnerability in Apache Flume 1.10.0/1.4.0/1.9.0 Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. | 9.8 |
2022-08-19 | CVE-2022-23459 | Json Project | Use After Free vulnerability in Json++ Project Json++ 1.0.0/1.0.1 Jsonxx or Json++ is a JSON parser, writer and reader written in C++. | 9.8 |
2022-08-19 | CVE-2022-35201 | Tenda | Unspecified vulnerability in Tenda Ac18 Firmware 15.03.05.05 Tenda-AC18 V15.03.05.05 was discovered to contain a remote command execution (RCE) vulnerability. | 9.8 |
2022-08-18 | CVE-2020-36599 | Omniauth | Improper Encoding or Escaping of Output vulnerability in Omniauth lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value. | 9.8 |
2022-08-18 | CVE-2022-30601 | Intel | Insufficiently Protected Credentials vulnerability in Intel products Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access. | 9.8 |
2022-08-18 | CVE-2022-25899 | Intel | Unspecified vulnerability in Intel Open Active Management Technology Cloud Toolkit Authentication bypass for the Open AMT Cloud Toolkit software maintained by Intel(R) before versions 2.0.2 and 2.2.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access. | 9.8 |
2022-08-18 | CVE-2022-37061 | Flir | OS Command Injection vulnerability in Flir AX8 Firmware All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are vulnerable to Remote Command Injection. | 9.8 |
2022-08-18 | CVE-2022-35153 | Fusionpbx | Improper Encoding or Escaping of Output vulnerability in Fusionpbx 5.0.1 FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. | 9.8 |
2022-08-17 | CVE-2022-35147 | Html JS | Information Exposure vulnerability in Html-Js Doracms DoraCMS v2.18 and earlier allows attackers to bypass login authentication via a crafted HTTP request. | 9.8 |
2022-08-17 | CVE-2022-35121 | Xxyopen | SQL Injection vulnerability in Xxyopen Novel-Plus 3.6.1 Novel-Plus v3.6.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /service/impl/BookServiceImpl.java. | 9.8 |
2022-08-17 | CVE-2022-36190 | Gpac | Use After Free vulnerability in Gpac GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. | 9.8 |
2022-08-16 | CVE-2022-36242 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Clinic'S Patient Management System 1.0 Clinic's Patient Management System v1.0 is vulnerable to SQL Injection via /pms/update_medicine.php?id=. | 9.8 |
2022-08-16 | CVE-2022-36273 | Tenda | OS Command Injection vulnerability in Tenda AC9 Firmware 15.03.2.21Cn Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg. | 9.8 |
2022-08-15 | CVE-2022-34294 | Totd Project | Insufficient Entropy vulnerability in Totd Project Totd 1.5.3 totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DNS resolvers. | 9.8 |
2022-08-15 | CVE-2022-36262 | Taogogo | Code Injection vulnerability in Taogogo Taocms 3.0.2 An issue was discovered in taocms 3.0.2. | 9.8 |
2022-08-15 | CVE-2022-2314 | VR Calendar Project | Unspecified vulnerability in VR Calendar Project VR Calendar The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site. | 9.8 |
2022-08-16 | CVE-2022-38193 | Esri | Code Injection vulnerability in Esri Portal for Arcgis There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution. | 9.6 |
2022-08-17 | CVE-2022-35122 | Ecowitt | Missing Authentication for Critical Function vulnerability in Ecowitt Gw1100 Firmware An access control issue in Ecowitt GW1100 Series Weather Stations <=GW1100B_v2.1.5 allows unauthenticated attackers to access sensitive information including device and local WiFi passwords. | 9.1 |
61 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-19 | CVE-2022-35167 | Prinitix | Incorrect Permission Assignment for Critical Resource vulnerability in Prinitix Cloud Print Management 1.3.1149.0 Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions. | 8.8 |
2022-08-18 | CVE-2022-23182 | Intel | Unspecified vulnerability in Intel Data Center Manager Improper access control in the Intel(R) Data Center Manager software before version 4.1 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 8.8 |
2022-08-16 | CVE-2020-14321 | Moodle | Incorrect Authorization vulnerability in Moodle In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course. | 8.8 |
2022-08-16 | CVE-2022-2661 | Sequi | Unspecified vulnerability in Sequi Portbloque S Firmware Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically crafted requests. | 8.8 |
2022-08-16 | CVE-2022-34254 | Adobe Magento | Path Traversal vulnerability in multiple products Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attacker to inject malicious scripts into the vulnerable endpoint. | 8.8 |
2022-08-15 | CVE-2022-2818 | Agentejo | Improper Cross-boundary Removal of Sensitive Data vulnerability in Agentejo Cockpit Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2. | 8.8 |
2022-08-15 | CVE-2022-36006 | Arvados | Deserialization of Untrusted Data vulnerability in Arvados Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. | 8.8 |
2022-08-15 | CVE-2022-37400 | Apache | Use of Insufficiently Random Values vulnerability in Apache Openoffice Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. | 8.8 |
2022-08-15 | CVE-2022-37401 | Apache | Insufficient Entropy vulnerability in Apache Openoffice Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. | 8.8 |
2022-08-15 | CVE-2022-2820 | Namelessmc | Session Fixation vulnerability in Namelessmc Nameless Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. | 8.2 |
2022-08-18 | CVE-2022-21225 | Intel | Unspecified vulnerability in Intel Data Center Manager 3.6.2 Improper neutralization in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. | 8.0 |
2022-08-18 | CVE-2022-26017 | Intel | Unspecified vulnerability in Intel Driver & Support Assistant Improper access control in the Intel(R) DSA software for before version 22.2.14 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. | 8.0 |
2022-08-18 | CVE-2022-2625 | Postgresql Fedoraproject Redhat | A vulnerability was found in PostgreSQL. | 8.0 |
2022-08-19 | CVE-2022-2889 | VIM Fedoraproject | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0.0225. | 7.8 |
2022-08-18 | CVE-2021-33060 | Intel Netapp | Out-of-bounds Write vulnerability in multiple products Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-08-18 | CVE-2022-21148 | Intel | Unspecified vulnerability in Intel Edge Insights for Industrial Improper access control in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-08-18 | CVE-2022-21229 | Intel | Unspecified vulnerability in Intel Control Center 1.2.1.1007 Improper buffer restrictions for some Intel(R) NUC 9 Extreme Laptop Kit drivers before version 2.2.0.22 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-08-18 | CVE-2022-21812 | Intel | Unspecified vulnerability in Intel Hardware Accelerated Execution Manager Improper access control in the Intel(R) HAXM software before version 7.7.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-08-18 | CVE-2022-25966 | Intel | Unspecified vulnerability in Intel Edge Insights for Industrial Improper access control in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 7.8 |
2022-08-18 | CVE-2022-37047 | Broadcom Fedoraproject | Out-of-bounds Write vulnerability in multiple products The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. | 7.8 |
2022-08-18 | CVE-2022-37048 | Broadcom Fedoraproject | Out-of-bounds Write vulnerability in multiple products The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. | 7.8 |
2022-08-18 | CVE-2022-37049 | Broadcom Fedoraproject | Out-of-bounds Write vulnerability in multiple products The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in parse_mpls at common/get.c:150. | 7.8 |
2022-08-17 | CVE-2022-2862 | VIM Fedoraproject | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0.0221. | 7.8 |
2022-08-17 | CVE-2022-2849 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220. | 7.8 |
2022-08-17 | CVE-2022-2845 | Fedoraproject VIM | Improper Validation of Specified Quantity in Input vulnerability in multiple products Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218. | 7.8 |
2022-08-17 | CVE-2022-31262 | GOG | Improper Preservation of Permissions vulnerability in GOG Galaxy 2.0.46 An exploitable local privilege escalation vulnerability exists in GOG Galaxy 2.0.46. | 7.8 |
2022-08-15 | CVE-2022-2817 | VIM Fedoraproject | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0.0213. | 7.8 |
2022-08-15 | CVE-2022-2816 | VIM Fedoraproject | Out-of-bounds Read vulnerability in multiple products Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212. | 7.8 |
2022-08-15 | CVE-2022-34711 | Microsoft | Unspecified vulnerability in Microsoft products Windows Defender Credential Guard Elevation of Privilege Vulnerability | 7.8 |
2022-08-15 | CVE-2022-2819 | VIM Fedoraproject | Heap-based Buffer Overflow vulnerability in multiple products Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211. | 7.8 |
2022-08-15 | CVE-2022-38223 | Tats Fedoraproject | Out-of-bounds Write vulnerability in multiple products There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. | 7.8 |
2022-08-20 | CVE-2022-38493 | Rhonabwy Project | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Rhonabwy Project Rhonabwy Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. | 7.5 |
2022-08-19 | CVE-2022-2792 | Emerson | Unspecified vulnerability in Emerson Electric'S Proficy Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists. | 7.5 |
2022-08-19 | CVE-2022-23460 | Json Project | Uncontrolled Recursion vulnerability in Json++ Project Json++ 1.0.0/1.0.1 Jsonxx or Json++ is a JSON parser, writer and reader written in C++. | 7.5 |
2022-08-18 | CVE-2022-36728 | Library Management System Project | SQL Injection vulnerability in Library Management System Project Library Management System 1.0 Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the RollNo parameter at /staff/delstu.php. | 7.5 |
2022-08-18 | CVE-2022-37062 | Flir | Missing Authentication for Critical Function vulnerability in Flir AX8 Firmware 1.46.16 All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. | 7.5 |
2022-08-18 | CVE-2022-37060 | Flir | Path Traversal vulnerability in Flir AX8 Firmware FLIR AX8 thermal sensor cameras version up to and including 1.46.16 is vulnerable to Directory Traversal due to an improper access restriction. | 7.5 |
2022-08-18 | CVE-2022-35198 | Contract Management System Project | Improper Authentication vulnerability in Contract Management System Project Contract Managment System 2.0 Contract Management System v2.0 contains a weak default password which gives attackers to access database connection information. | 7.5 |
2022-08-17 | CVE-2021-45454 | Amperecomputing | Unspecified vulnerability in Amperecomputing Ampere Altra Firmware and Ampere Altra MAX Firmware Ampere Altra before SRP 1.08b and Altra Max? before SRP 2.05 allow information disclosure of power telemetry via HWmon. | 7.5 |
2022-08-17 | CVE-2022-1401 | Device42 | Incorrect Authorization vulnerability in Device42 Cmdb Improper Access Control vulnerability in the /Exago/WrImageResource.adx route as used in Device42 Asset Management Appliance allows an unauthenticated attacker to read sensitive server files with root permissions. | 7.5 |
2022-08-16 | CVE-2020-14322 | Moodle | Allocation of Resources Without Limits or Throttling vulnerability in Moodle In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service. | 7.5 |
2022-08-16 | CVE-2022-2832 | Blender | Use of NullPointerException Catch to Detect NULL Pointer Dereference vulnerability in Blender 3.3.0 A flaw was found in Blender 3.3.0. | 7.5 |
2022-08-16 | CVE-2022-38184 | Esri | Unspecified vulnerability in Esri Portal for Arcgis There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs. | 7.5 |
2022-08-16 | CVE-2022-33939 | Yokogawa | Unspecified vulnerability in Yokogawa products CENTUM VP / CS 3000 controller FCS (CP31, CP33, CP345, CP401, and CP451) contains an issue in processing communication packets, which may lead to resource consumption. | 7.5 |
2022-08-16 | CVE-2022-35734 | Hjholdings | Use of Hard-coded Credentials vulnerability in Hjholdings Hulu 3.0.47 'Hulu / ????' App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. | 7.5 |
2022-08-16 | CVE-2022-24949 | Eternal Terminal Project | Classic Buffer Overflow vulnerability in Eternal Terminal Project Eternal Terminal A privilege escalation to root exists in Eternal Terminal prior to version 6.2.0. | 7.5 |
2022-08-16 | CVE-2022-24950 | Eternal Terminal Project | Race Condition vulnerability in Eternal Terminal Project Eternal Terminal A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users' SSH authorization socket, enabling the attacker to login to other systems as the targeted users. | 7.5 |
2022-08-16 | CVE-2022-38216 | Mapbox | Integer Overflow or Wraparound vulnerability in Mapbox Maps Software Development KIT An integer overflow exists in Mapbox's closed source gl-native library prior to version 10.6.1, which is bundled with multiple Mapbox products including open source libraries. | 7.5 |
2022-08-15 | CVE-2020-21365 | Wkhtmltopdf Debian | Path Traversal vulnerability in multiple products Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations. | 7.5 |
2022-08-15 | CVE-2020-23622 | Cling Project | Server-Side Request Forgery (SSRF) vulnerability in Cling Project Cling An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header | 7.5 |
2022-08-15 | CVE-2022-36524 | Dlink | Improper Authentication vulnerability in Dlink Go-Rt-Ac750 Firmware 101B03/200B02 D-Link GO-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to Static Default Credentials via /etc/init0.d/S80telnetd.sh. | 7.5 |
2022-08-15 | CVE-2022-36526 | Dlink | Unspecified vulnerability in Dlink Go-Rt-Ac750 Firmware 101B03/200B02 D-Link GO-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to Authentication Bypass via function phpcgi_main in cgibin. | 7.5 |
2022-08-19 | CVE-2022-2788 | Emerson | Path Traversal vulnerability in Emerson Electric'S Proficy Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. | 7.3 |
2022-08-19 | CVE-2022-36263 | Logitech | Unspecified vulnerability in Logitech Streamlabs Desktop 1.9.0 StreamLabs Desktop Application 1.9.0 is vulnerable to Incorrect Access Control via obs64.exe. | 7.3 |
2022-08-17 | CVE-2022-1373 | Softing | Path Traversal vulnerability in Softing products The “restore configuration” feature of Softing Secure Integration Server V1.22 is vulnerable to a directory traversal vulnerability when processing zip files. | 7.2 |
2022-08-17 | CVE-2022-36215 | Dedebiz | Unspecified vulnerability in Dedebiz Dedecmsv6 6.0.0 DedeBIZ v6 was discovered to contain a remote code execution vulnerability in sys_info.php. | 7.2 |
2022-08-16 | CVE-2022-34253 | Adobe Magento | XML Injection (aka Blind XPath Injection) vulnerability in multiple products Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. | 7.2 |
2022-08-15 | CVE-2022-2354 | WP Dbmanager Project | Incorrect Authorization vulnerability in Wp-Dbmanager Project Wp-Dbmanager The WP-DBManager WordPress plugin before 2.80.8 does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should. | 7.2 |
2022-08-19 | CVE-2020-27792 | Artifex Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A heap-based buffer overwrite vulnerability was found in GhostScript's lp8000_print_page() function in the gdevlp8k.c file. | 7.1 |
2022-08-15 | CVE-2022-35822 | Microsoft | Unspecified vulnerability in Microsoft products Windows Defender Credential Guard Security Feature Bypass Vulnerability | 7.1 |
2022-08-16 | CVE-2022-24951 | Eternal Terminal Project | Race Condition vulnerability in Eternal Terminal Project Eternal Terminal A race condition exists in Eternal Terminal prior to version 6.2.0 which allows a local attacker to hijack Eternal Terminal's IPC socket, enabling access to Eternal Terminal clients which attempt to connect in the future. | 7.0 |
76 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-18 | CVE-2022-28697 | Intel | Unspecified vulnerability in Intel products Improper access control in firmware for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 6.8 |
2022-08-18 | CVE-2022-2568 | Redhat | Improper Privilege Management vulnerability in Redhat Ansible Automation Platform 2.0/2.1/2.2 A privilege escalation flaw was found in the Ansible Automation Platform. | 6.5 |
2022-08-18 | CVE-2022-37769 | Jpeg | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Jpeg Libjpeg libjpeg commit 281daa9 was discovered to contain a segmentation fault via HuffmanDecoder::Get at huffmandecoder.hpp. | 6.5 |
2022-08-18 | CVE-2022-37770 | Jpeg | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Jpeg Libjpeg libjpeg commit 281daa9 was discovered to contain a segmentation fault via LineMerger::GetNextLowpassLine at linemerger.cpp. | 6.5 |
2022-08-18 | CVE-2022-36024 | Pycord Development | Missing Authorization vulnerability in Pycord Development Pycord 2.0.0 py-cord is a an API wrapper for Discord written in Python. | 6.5 |
2022-08-16 | CVE-2022-35100 | Swftools | Out-of-bounds Read vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a segmentation violation via gfxline_getbbox at /lib/gfxtools.c. | 6.5 |
2022-08-16 | CVE-2022-35476 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fbc0b. | 6.5 |
2022-08-16 | CVE-2022-35477 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fe954. | 6.5 |
2022-08-16 | CVE-2022-35478 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6babea. | 6.5 |
2022-08-16 | CVE-2022-35479 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fbbb6. | 6.5 |
2022-08-16 | CVE-2022-35481 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /multiarch/memmove-vec-unaligned-erms.S. | 6.5 |
2022-08-16 | CVE-2022-35482 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x65f724. | 6.5 |
2022-08-16 | CVE-2022-35483 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x5266a8. | 6.5 |
2022-08-16 | CVE-2022-35484 | Otfcc Project | NULL Pointer Dereference vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6b6a8f. | 6.5 |
2022-08-16 | CVE-2022-35485 | Otfcc Project | Out-of-bounds Read vulnerability in Otfcc Project Otfcc 0.10.4 OTFCC v0.10.4 was discovered to contain a segmentation violation via /release-x64/otfccdump+0x703969. | 6.5 |
2022-08-16 | CVE-2022-24952 | Eternal Terminal Project | Improper Input Validation vulnerability in Eternal Terminal Project Eternal Terminal Several denial of service vulnerabilities exist in Eternal Terminal prior to version 6.2.0, including a DoS triggered remotely by an invalid sequence number and a local bug triggered by invalid input sent directly to the IPC socket. | 6.5 |
2022-08-16 | CVE-2022-36306 | Airspan | Files or Directories Accessible to External Parties vulnerability in Airspan Airvelocity 1500 Firmware 15.18.00.2511/9.3.0.01249 An authenticated attacker can enumerate and download sensitive files, including the eNodeB's web management UI's TLS private key, the web server binary, and the web server configuration file. | 6.5 |
2022-08-15 | CVE-2022-35961 | Openzeppelin | Improper Validation of Integrity Check Value vulnerability in Openzeppelin Contracts and Contracts Upgradeable OpenZeppelin Contracts is a library for secure smart contract development. | 6.5 |
2022-08-18 | CVE-2021-30071 | Hestiacp | Cross-site Scripting vulnerability in Hestiacp Control Panel A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 6.1 |
2022-08-16 | CVE-2022-25799 | Cert | Open Redirect vulnerability in Cert Vince 1.48.0/1.49.0 An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. | 6.1 |
2022-08-16 | CVE-2022-34257 | Adobe Magento | Cross-site Scripting vulnerability in multiple products Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. | 6.1 |
2022-08-16 | CVE-2022-36530 | Rageframe | Cross-site Scripting vulnerability in Rageframe 2.6.37 An issue was discovered in rageframe2 2.6.37. | 6.1 |
2022-08-15 | CVE-2022-38186 | Esri | Cross-site Scripting vulnerability in Esri Portal for Arcgis There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. | 6.1 |
2022-08-19 | CVE-2022-34624 | Mealie | Insufficient Session Expiration vulnerability in Mealie 0.5.5/1.0.0 Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request. | 5.9 |
2022-08-18 | CVE-2022-30944 | Intel | Insufficiently Protected Credentials vulnerability in Intel products Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access. | 5.5 |
2022-08-18 | CVE-2022-21140 | Intel | Unspecified vulnerability in Intel products Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable information disclosure via local access. | 5.5 |
2022-08-18 | CVE-2022-21152 | Intel | Unspecified vulnerability in Intel Edge Insights for Industrial Improper access control in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an authenticated user to potentially enable information disclosure via local access. | 5.5 |
2022-08-18 | CVE-2022-21233 | Intel | Unspecified vulnerability in Intel products Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. | 5.5 |
2022-08-18 | CVE-2022-26373 | Intel Debian | Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. | 5.5 |
2022-08-18 | CVE-2022-2874 | VIM | NULL Pointer Dereference vulnerability in VIM NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224. | 5.5 |
2022-08-18 | CVE-2022-29550 | Qualys | Information Exposure Through Log Files vulnerability in Qualys Cloud Agent 4.8.049 An issue was discovered in Qualys Cloud Agent 4.8.0-49. | 5.5 |
2022-08-17 | CVE-2022-2867 | Libtiff Fedoraproject Debian | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. | 5.5 |
2022-08-17 | CVE-2022-2868 | Libtiff Fedoraproject Debian | Improper Validation of Specified Quantity in Input vulnerability in multiple products libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop. | 5.5 |
2022-08-17 | CVE-2022-2869 | Libtiff Fedoraproject Debian | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. | 5.5 |
2022-08-17 | CVE-2022-36191 | Gpac | Out-of-bounds Write vulnerability in Gpac A heap-buffer-overflow had occurred in function gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by MP4Box. | 5.5 |
2022-08-16 | CVE-2022-35101 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a segmentation violation via /multiarch/memset-vec-unaligned-erms.S. | 5.5 |
2022-08-16 | CVE-2022-35104 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via DCTStream::reset() at /xpdf/Stream.cc. | 5.5 |
2022-08-16 | CVE-2022-35105 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via /bin/png2swf+0x552cea. | 5.5 |
2022-08-16 | CVE-2022-35106 | Swftools | Out-of-bounds Read vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a segmentation violation via FoFiTrueType::computeTableChecksum(unsigned char*, int) at /xpdf/FoFiTrueType.cc. | 5.5 |
2022-08-16 | CVE-2022-35108 | Swftools | NULL Pointer Dereference vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a segmentation violation via DCTStream::getChar() at /xpdf/Stream.cc. | 5.5 |
2022-08-16 | CVE-2022-35109 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via draw_stroke at /gfxpoly/stroke.c. | 5.5 |
2022-08-16 | CVE-2022-35110 | Swftools | Memory Leak vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a memory leak via /lib/mem.c. | 5.5 |
2022-08-16 | CVE-2022-35113 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via swf_DefineLosslessBitsTagToImage at /modules/swfbits.c. | 5.5 |
2022-08-16 | CVE-2022-35114 | Swftools | Out-of-bounds Read vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a segmentation violation via extractFrame at /readers/swf.c. | 5.5 |
2022-08-16 | CVE-2022-36150 | Monostream | Out-of-bounds Write vulnerability in Monostream Tifig 0.2.2 tifig v0.2.2 was discovered to contain a heap-buffer overflow via __asan_memmove at /asan/asan_interceptors_memintrinsics.cpp. | 5.5 |
2022-08-16 | CVE-2022-36151 | Monostream | NULL Pointer Dereference vulnerability in Monostream Tifig 0.2.2 tifig v0.2.2 was discovered to contain a segmentation violation via getType() at /common/bbox.cpp. | 5.5 |
2022-08-16 | CVE-2022-36152 | Monostream | Memory Leak vulnerability in Monostream Tifig 0.2.2 tifig v0.2.2 was discovered to contain a memory leak via operator new[](unsigned long) at /asan/asan_new_delete.cpp. | 5.5 |
2022-08-16 | CVE-2022-36153 | Monostream | NULL Pointer Dereference vulnerability in Monostream Tifig 0.2.2 tifig v0.2.2 was discovered to contain a segmentation violation via std::vector<unsigned int, std::allocator<unsigned int> >::size() const at /bits/stl_vector.h. | 5.5 |
2022-08-16 | CVE-2022-29959 | Emerson | Insufficiently Protected Credentials vulnerability in Emerson Openbsi 5.9 Emerson OpenBSI through 2022-04-29 mishandles credential storage. | 5.5 |
2022-08-19 | CVE-2020-23466 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Online Marriage Registration System 1.0 Cross Site Scripting (XSS) vulnerability exists in the phpgurukul Online Marriage Registration System 1.0 allows attackers to run arbitrary code via the wzipcode field. | 5.4 |
2022-08-18 | CVE-2021-32862 | Jupyter Debian | Cross-site Scripting vulnerability in multiple products The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. | 5.4 |
2022-08-18 | CVE-2022-37063 | Flir | Cross-site Scripting vulnerability in Flir AX8 Firmware 1.46.16 All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Cross Site Scripting (XSS) due to improper input sanitization. | 5.4 |
2022-08-16 | CVE-2022-38189 | Esri | Cross-site Scripting vulnerability in Esri Portal for Arcgis A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. | 5.4 |
2022-08-15 | CVE-2022-38191 | Esri | Cross-site Scripting vulnerability in Esri Portal for Arcgis There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application. | 5.4 |
2022-08-15 | CVE-2022-24654 | Intelbras | Cross-site Scripting vulnerability in Intelbras ATA 200 Firmware 74.19.10.21 Authenticated stored cross-site scripting (XSS) vulnerability in "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload. | 5.4 |
2022-08-15 | CVE-2022-2824 | Open EMR | Authorization Bypass Through User-Controlled Key vulnerability in Open-Emr Openemr Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1. | 5.4 |
2022-08-19 | CVE-2022-35692 | Adobe | Unspecified vulnerability in Adobe Commerce and Magento Commerce Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. | 5.3 |
2022-08-19 | CVE-2022-1901 | Octopus | Improper Privilege Management vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. | 5.3 |
2022-08-18 | CVE-2022-36023 | Hyperledger | Improper Input Validation vulnerability in Hyperledger Fabric Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. | 5.3 |
2022-08-17 | CVE-2022-38392 | Unspecified vulnerability in * 5400Rmp OEM Harddrive Certain 5400 RPM hard drives, for laptops and other PCs in approximately 2005 and later, allow physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video. | 5.3 | |
2022-08-16 | CVE-2022-34259 | Adobe Magento | Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. | 5.3 |
2022-08-16 | CVE-2022-2838 | Eclipse | XXE vulnerability in Eclipse Sphinx In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests. | 5.3 |
2022-08-15 | CVE-2022-35948 | Nodejs | CRLF Injection vulnerability in Nodejs Undici undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. | 5.3 |
2022-08-17 | CVE-2022-35117 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Clinic'S Patient Management System 1.0 Clinic's Patient Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via update_medicine_details.php. | 4.8 |
2022-08-16 | CVE-2022-34258 | Adobe Magento | Cross-site Scripting vulnerability in multiple products Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields. | 4.8 |
2022-08-16 | CVE-2022-34156 | Hjholdings | Improper Certificate Validation vulnerability in Hjholdings Hulu 'Hulu / ????' App for iOS versions prior to 3.0.81 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack. | 4.8 |
2022-08-15 | CVE-2022-2152 | Duplicate Page AND Post Project | Cross-site Scripting vulnerability in Duplicate Page and Post Project Duplicate Page and Post The Duplicate Page and Post WordPress plugin before 2.8 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-08-18 | CVE-2021-33128 | Intel | Unspecified vulnerability in Intel Ethernet Controller E810 Firmware Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.0.6 may allow a privileged user to potentially enable denial of service via local access. | 4.4 |
2022-08-18 | CVE-2022-26074 | Intel | Incomplete Cleanup vulnerability in Intel Server Platform Services Firmware Incomplete cleanup in a firmware subsystem for Intel(R) SPS before versions SPS_E3_04.08.04.330.0 and SPS_E3_04.01.04.530.0 may allow a privileged user to potentially enable denial of service via local access. | 4.4 |
2022-08-18 | CVE-2022-28709 | Intel | Unspecified vulnerability in Intel Ethernet Controller E810 Firmware Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.1.9 may allow a privileged user to potentially enable denial of service via local access. | 4.4 |
2022-08-16 | CVE-2020-10710 | Theforeman | Insufficiently Protected Credentials vulnerability in Theforeman Foreman A flaw was found where the Plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. | 4.4 |
2022-08-18 | CVE-2022-25986 | Cybozu | Unspecified vulnerability in Cybozu Office Browse restriction bypass vulnerability in Scheduler of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Scheduler. | 4.3 |
2022-08-18 | CVE-2022-32544 | Cybozu | Unspecified vulnerability in Cybozu Office Operation restriction bypass vulnerability in Project of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to alter the data of Project via unspecified vectors. | 4.3 |
2022-08-18 | CVE-2022-32583 | Cybozu | Unspecified vulnerability in Cybozu Office Operation restriction bypass vulnerability in Scheduler of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to alter the data of Scheduler via unspecified vectors. | 4.3 |
2022-08-18 | CVE-2022-33311 | Cybozu | Unspecified vulnerability in Cybozu Office Browse restriction bypass vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Address Book via unspecified vectors. | 4.3 |
2022-08-16 | CVE-2022-2846 | Dwbooster | Missing Authorization vulnerability in Dwbooster Calendar Event Multi View The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. | 4.3 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-16 | CVE-2022-37438 | Splunk | Unspecified vulnerability in Splunk and Splunk Cloud Platform In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. | 3.5 |
2022-08-18 | CVE-2021-23188 | Intel | Unspecified vulnerability in Intel products Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an authenticated user to potentially enable information disclosure via local access. | 3.3 |
2022-08-17 | CVE-2020-14394 | Qemu Fedoraproject Redhat | Infinite Loop vulnerability in multiple products An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. | 3.2 |