Weekly Vulnerabilities Reports > August 22 to 28, 2022
Overview
214 new vulnerabilities were reported during this period, including 23 critical vulnerabilities and 98 high severity vulnerabilities. This weekly summary reports vulnerabilities in 494 products from 108 vendors including Redhat, Fedoraproject, Debian, Totolink, and Linux. Vulnerabilities are notably categorized as "OS Command Injection", "Use After Free", "Out-of-bounds Write", "NULL Pointer Dereference", and "Cross-site Scripting".
- 121 reported vulnerabilities are remotely exploitable.
- 65 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 111 reported vulnerabilities are exploitable by an anonymous user.
- Redhat has the most reported vulnerabilities, with 45 reported vulnerabilities.
- Dlink has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
Vulnerability Details
The following tables list reported vulnerabilities for the period covered by this report:
23 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-28 | CVE-2022-37056 | Dlink | OS Command Injection vulnerability in Dlink Go-Rt-Ac750 Firmware Reva1.01B03/Revb2.00B02 D-Link GO-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 is vulnerable to Command Injection via /cgibin, hnap_main, | 9.8 |
2022-08-28 | CVE-2022-36755 | Dlink | Improper Authentication vulnerability in Dlink Dir-845L Firmware D-Link DIR845L A1 contains an authentication vulnerability via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php. | 9.8 |
2022-08-28 | CVE-2022-36756 | Dlink | Code Injection vulnerability in Dlink Dir-845L Firmware DIR845L A1 v1.00-v1.03 is vulnerable to command injection via /htdocs/upnpinc/gena.php. | 9.8 |
2022-08-28 | CVE-2022-37053 | Trendnet | Code Injection vulnerability in Trendnet Tew733Gr Firmware 1.03B01 TRENDnet TEW733GR v1.03B01 is vulnerable to Command injection via /htdocs/upnpinc/gena.php. | 9.8 |
2022-08-28 | CVE-2022-37057 | Dlink | OS Command Injection vulnerability in Dlink Go-Rt-Ac750 Firmware Reva1.01B03/Revb2.00B02 D-Link Go-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 are vulnerable to Command Injection via cgibin, ssdpcgi_main. | 9.8 |
2022-08-28 | CVE-2022-38556 | Trendnet | Improper Authentication vulnerability in Trendnet Tew733Gr Firmware 1.03B01 Trendnet TEW733GR v1.03B01 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd.sh. | 9.8 |
2022-08-28 | CVE-2022-38557 | Dlink | Improper Authentication vulnerability in Dlink Dir-845L Firmware D-Link DIR845L v1.00-v1.03 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd.sh. | 9.8 |
2022-08-25 | CVE-2022-37240 | Altn | Injection vulnerability in Altn Security Gateway for Email Servers 8.5.2 MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to HTTP Response splitting via the format parameter. | 9.8 |
2022-08-25 | CVE-2022-37242 | Altn | Injection vulnerability in Altn Security Gateway for Email Servers 8.5.2 MDaemon Technologies SecurityGateway for Email Servers 8.5.2, is vulnerable to HTTP Response splitting via the data parameter. | 9.8 |
2022-08-25 | CVE-2022-37810 | Tenda | OS Command Injection vulnerability in Tenda Ac1206 Firmware 15.03.06.23 Tenda AC1206 V15.03.06.23 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac. | 9.8 |
2022-08-25 | CVE-2022-37070 | H3C | OS Command Injection vulnerability in H3C Gr-1200W Firmware H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a command injection vulnerability via the param parameter at DelL2tpLNSList. | 9.8 |
2022-08-25 | CVE-2022-2957 | Simple AND Nice Shopping Cart Script Project | SQL Injection vulnerability in Simple and Nice Shopping Cart Script Project Simple and Nice Shopping Cart Script A vulnerability classified as critical was found in SourceCodester Simple and Nice Shopping Cart Script. | 9.8 |
2022-08-24 | CVE-2022-32839 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved bounds checks. | 9.8 |
2022-08-24 | CVE-2022-38078 | Sixapart | Code Injection vulnerability in Sixapart Movable Type Movable Type XMLRPC API provided by Six Apart Ltd. | 9.8 |
2022-08-23 | CVE-2021-42627 | Dlink | Unspecified vulnerability in Dlink products The WAN configuration page "wan.htm" on D-Link DIR-615 devices with firmware 20.06 can be accessed directly without authentication which can lead to disclose the information about WAN settings and also leverage attacker to modify the data fields of page. | 9.8 |
2022-08-23 | CVE-2021-42232 | TP Link | OS Command Injection vulnerability in Tp-Link Archer A7 Firmware 210519 TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. | 9.8 |
2022-08-22 | CVE-2022-38667 | Crowcpp | Use After Free vulnerability in Crowcpp Crow HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. | 9.8 |
2022-08-22 | CVE-2022-35583 | Wkhtmltopdf | Server-Side Request Forgery (SSRF) vulnerability in Wkhtmltopdf 0.12.6 wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on its source. | 9.8 |
2022-08-22 | CVE-2022-34149 | Miniorange | Permissions, Privileges, and Access Controls vulnerability in Miniorange WP Oauth Server Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress. | 9.8 |
2022-08-22 | CVE-2022-34858 | Miniorange | Missing Authentication for Critical Function vulnerability in Miniorange Oauth 2.0 Client for SSO Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress. | 9.8 |
2022-08-22 | CVE-2022-37134 | Dlink | Improper Validation of Specified Quantity in Input vulnerability in Dlink Dir-816 Firmware 1.10Cnb04 D-link DIR-816 A2_v1.10CNB04.img is vulnerable to Buffer Overflow via /goform/form2Wan.cgi. | 9.8 |
2022-08-22 | CVE-2022-36198 | Phpgurukul | SQL Injection vulnerability in PHPgurukul BUS Pass Management System 1.0 Multiple SQL injections detected in Bus Pass Management System 1.0 via buspassms/admin/view-enquiry.php, buspassms/admin/pass-bwdates-reports-details.php, buspassms/admin/changeimage.php, buspassms/admin/search-pass.php, buspassms/admin/edit-category-detail.php, and buspassms/admin/edit-pass-detail.php | 9.8 |
2022-08-23 | CVE-2022-36261 | Taogogo | Path Traversal vulnerability in Taogogo Taocms 3.0.2 An arbitrary file deletion vulnerability was discovered in taocms 3.0.2, that allows attacker to delete file in server when request url admin.php?action=file&ctrl=del&path=/../../../test.txt | 9.1 |
98 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-26 | CVE-2021-3020 | Clusterlabs | Improper Privilege Management vulnerability in Clusterlabs Hawk An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. | 8.8 |
2022-08-25 | CVE-2021-4112 | Redhat | Files or Directories Accessible to External Parties vulnerability in Redhat products A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. | 8.8 |
2022-08-25 | CVE-2022-20824 | Cisco | Out-of-bounds Write vulnerability in Cisco products A vulnerability in the Cisco Discovery Protocol feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code with root privileges or cause a denial of service (DoS) condition on an affected device. | 8.8 |
2022-08-25 | CVE-2022-20921 | Cisco | Unspecified vulnerability in Cisco ACI Multi-Site Orchestrator A vulnerability in the API implementation of Cisco ACI Multi-Site Orchestrator (MSO) could allow an authenticated, remote attacker to elevate privileges on an affected device. | 8.8 |
2022-08-25 | CVE-2022-2031 | Samba | Improper Authentication vulnerability in Samba A flaw was found in Samba. | 8.8 |
2022-08-25 | CVE-2022-32744 | Samba | Authentication Bypass by Spoofing vulnerability in Samba A flaw was found in Samba. | 8.8 |
2022-08-25 | CVE-2021-25642 | Apache | Deserialization of Untrusted Data vulnerability in Apache Hadoop ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. | 8.8 |
2022-08-25 | CVE-2022-36804 | Atlassian | Unspecified vulnerability in Atlassian Bitbucket Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. | 8.8 |
2022-08-25 | CVE-2022-32427 | Printerlogic | Path Traversal vulnerability in Printerlogic Windows Client 25.0.0.676 PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. | 8.8 |
2022-08-24 | CVE-2022-32893 | Apple Fedoraproject Debian Webkitgtk Wpewebkit | Out-of-bounds Write vulnerability in multiple products An out-of-bounds write issue was addressed with improved bounds checking. | 8.8 |
2022-08-24 | CVE-2022-2234 | Myscada | OS Command Injection vulnerability in Myscada Mypro An authenticated mySCADA myPRO 8.26.0 user may be able to modify parameters to run commands directly in the operating system. | 8.8 |
2022-08-24 | CVE-2022-36633 | Goteleport | OS Command Injection vulnerability in Goteleport Teleport Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. | 8.8 |
2022-08-23 | CVE-2022-1513 | Lenovo | OS Command Injection vulnerability in Lenovo Pcmanager A potential vulnerability was reported in Lenovo PCManager prior to version 5.0.10.4191 that may allow code execution when visiting a specially crafted website. | 8.8 |
2022-08-23 | CVE-2022-36379 | Yookassa | Cross-Site Request Forgery (CSRF) vulnerability in Yookassa Yukassa for Woocommerce Cross-Site Request Forgery (CSRF) leading to plugin settings update in YooMoney ?Kassa ??? WooCommerce plugin <= 2.3.0 at WordPress. | 8.8 |
2022-08-25 | CVE-2022-20823 | Cisco | Out-of-bounds Read vulnerability in Cisco products A vulnerability in the OSPF version 3 (OSPFv3) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2022-08-25 | CVE-2021-3929 | Qemu Fedoraproject | Use After Free vulnerability in multiple products A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. | 8.2 |
2022-08-26 | CVE-2022-29850 | Lexmark | Exposure of Resource to Wrong Sphere vulnerability in Lexmark products Various Lexmark products through 2022-04-27 allow an attacker who has already compromised an affected Lexmark device to maintain persistence across reboots. | 8.1 |
2022-08-26 | CVE-2022-36120 | Ssctech | Unspecified vulnerability in Ssctech Blue Prism Enterprise An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. | 8.1 |
2022-08-25 | CVE-2021-43766 | Odyssey Project | Improper Certificate Validation vulnerability in Odyssey Project Odyssey 1.1 Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. | 8.1 |
2022-08-25 | CVE-2022-32745 | Samba | Use of Uninitialized Resource vulnerability in Samba A flaw was found in Samba. | 8.1 |
2022-08-24 | CVE-2021-4125 | Redhat | Deserialization of Untrusted Data vulnerability in Redhat Openshift It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed. | 8.1 |
2022-08-28 | CVE-2022-3016 | VIM Fedoraproject | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0.0286. | 7.8 |
2022-08-25 | CVE-2020-27796 | UPX Project | Out-of-bounds Read vulnerability in UPX Project UPX 4.0.0 A heap-based buffer over-read was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file. | 7.8 |
2022-08-25 | CVE-2022-2982 | VIM Fedoraproject | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0.0260. | 7.8 |
2022-08-25 | CVE-2022-0135 | Virglrenderer Project Redhat Debian | Out-of-bounds Write vulnerability in multiple products An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). | 7.8 |
2022-08-25 | CVE-2022-36455 | Totolink | OS Command Injection vulnerability in Totolink A3600R Firmware 4.1.2Cu.5182B20201102 TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability via the username parameter in /cstecgi.cgi. | 7.8 |
2022-08-25 | CVE-2022-37078 | Totolink | Out-of-bounds Write vulnerability in Totolink A7000R Firmware 9.1.0U.6115B20201022 TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the lang parameter at /setting/setLanguageCfg. | 7.8 |
2022-08-25 | CVE-2022-37079 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware 9.1.0U.6115B20201022 TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the hostName parameter in the function setOpModeCfg. | 7.8 |
2022-08-25 | CVE-2022-37081 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware 9.1.0U.6115B20201022 TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the command parameter at setting/setTracerouteCfg. | 7.8 |
2022-08-25 | CVE-2022-37082 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware 9.1.0U.6115B20201022 TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the host_time parameter at the function NTPSyncWithHost. | 7.8 |
2022-08-25 | CVE-2022-37083 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware 9.1.0U.6115B20201022 TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the ip parameter at the function setDiagnosisCfg. | 7.8 |
2022-08-25 | CVE-2022-36456 | Totolink | OS Command Injection vulnerability in Totolink A720R Firmware 4.1.5Cu.532B20210610 TOTOLink A720R V4.1.5cu.532_B20210610 was discovered to contain a command injection vulnerability via the username parameter in /cstecgi.cgi. | 7.8 |
2022-08-25 | CVE-2022-36458 | Totolink | OS Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.6134B20201202 TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the command parameter in the function setTracerouteCfg. | 7.8 |
2022-08-25 | CVE-2022-36459 | Totolink | OS Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.6134B20201202 TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the host_time parameter in the function NTPSyncWithHost. | 7.8 |
2022-08-25 | CVE-2022-36460 | Totolink | OS Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.6134B20201202 TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile. | 7.8 |
2022-08-25 | CVE-2022-36461 | Totolink | OS Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.6134B20201202 TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the hostName parameter in the function setOpModeCfg. | 7.8 |
2022-08-25 | CVE-2022-36479 | Totolink | OS Command Injection vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a command injection vulnerability via the host_time parameter in the function NTPSyncWithHost. | 7.8 |
2022-08-25 | CVE-2022-36481 | Totolink | OS Command Injection vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a command injection vulnerability via the ip parameter in the function setDiagnosisCfg. | 7.8 |
2022-08-25 | CVE-2022-36482 | Totolink | Out-of-bounds Write vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a command injection vulnerability via the lang parameter in the function setLanguageCfg. | 7.8 |
2022-08-25 | CVE-2022-36485 | Totolink | OS Command Injection vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a command injection vulnerability via the hostName parameter in the function setOpModeCfg. | 7.8 |
2022-08-25 | CVE-2022-36486 | Totolink | OS Command Injection vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile. | 7.8 |
2022-08-25 | CVE-2022-36487 | Totolink | OS Command Injection vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216 TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a command injection vulnerability via the command parameter in the function setTracerouteCfg. | 7.8 |
2022-08-25 | CVE-2022-36509 | H3C | OS Command Injection vulnerability in H3C Gr3200 Firmware Minigr1B0V100R014 H3C GR3200 MiniGR1B0V100R014 was discovered to contain a command injection vulnerability via the param parameter at DelL2tpLNSList. | 7.8 |
2022-08-25 | CVE-2022-36510 | H3C | OS Command Injection vulnerability in H3C Gr2200 Firmware Minigr1A0V100R014 H3C GR2200 MiniGR1A0V100R014 was discovered to contain a command injection vulnerability via the param parameter at DelL2tpLNSList. | 7.8 |
2022-08-25 | CVE-2022-37076 | Totolink | OS Command Injection vulnerability in Totolink A7000R Firmware 9.1.0U.6115B20201022 TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile. | 7.8 |
2022-08-24 | CVE-2022-32811 | Apple | Improper Locking vulnerability in Apple mac OS X and Macos A memory corruption vulnerability was addressed with improved locking. | 7.8 |
2022-08-24 | CVE-2022-32812 | Apple | Unspecified vulnerability in Apple mac OS X and Macos The issue was addressed with improved memory handling. | 7.8 |
2022-08-24 | CVE-2022-32813 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 7.8 |
2022-08-24 | CVE-2022-32837 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 7.8 |
2022-08-24 | CVE-2022-32894 | Apple | Out-of-bounds Write vulnerability in Apple products An out-of-bounds write issue was addressed with improved bounds checking. | 7.8 |
2022-08-24 | CVE-2021-3999 | GNU Debian Netapp | Off-by-one Error vulnerability in multiple products A flaw was found in glibc. | 7.8 |
2022-08-24 | CVE-2021-4028 | Linux Suse | Use After Free vulnerability in multiple products A flaw in the Linux kernel's implementation of RDMA communications manager listener code allowed an attacker with local access to setup a socket to listen on a high port allowing for a list element to be used after free. | 7.8 |
2022-08-24 | CVE-2021-4037 | Linux Debian | Improper Access Control vulnerability in multiple products A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. | 7.8 |
2022-08-24 | CVE-2022-2978 | Linux Debian | Use After Free vulnerability in multiple products A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. | 7.8 |
2022-08-23 | CVE-2020-35511 | Libpng Debian | Buffer Over-read vulnerability in multiple products A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file. | 7.8 |
2022-08-23 | CVE-2022-2938 | Linux Redhat Fedoraproject Netapp | Use After Free vulnerability in multiple products A flaw was found in the Linux kernel's implementation of Pressure Stall Information. | 7.8 |
2022-08-23 | CVE-2022-31676 | Vmware Debian Fedoraproject Netapp | Improper Privilege Management vulnerability in multiple products VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. | 7.8 |
2022-08-23 | CVE-2022-2946 | VIM Fedoraproject Debian | Use After Free vulnerability in multiple products Use After Free in GitHub repository vim/vim prior to 9.0.0246. | 7.8 |
2022-08-23 | CVE-2021-23177 | Libarchive Fedoraproject Redhat Debian | Link Following vulnerability in multiple products An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. | 7.8 |
2022-08-23 | CVE-2021-31566 | Libarchive Fedoraproject Redhat Debian Splunk | Link Following vulnerability in multiple products An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. | 7.8 |
2022-08-22 | CVE-2022-38171 | Xpdfreader Freedesktop | Integer Overflow or Wraparound vulnerability in multiple products Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). | 7.8 |
2022-08-26 | CVE-2022-36537 | Zkoss | Unspecified vulnerability in Zkoss ZK Framework ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader. | 7.5 |
2022-08-26 | CVE-2022-0217 | Prosody | XML Entity Expansion vulnerability in Prosody It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. | 7.5 |
2022-08-26 | CVE-2021-3632 | Redhat | Improper Authentication vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in Keycloak. | 7.5 |
2022-08-26 | CVE-2021-3859 | Redhat Netapp | Information Exposure Through Process Environment vulnerability in multiple products A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. | 7.5 |
2022-08-25 | CVE-2021-42521 | VTK | NULL Pointer Dereference vulnerability in VTK There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. | 7.5 |
2022-08-25 | CVE-2021-42522 | Gnome | Memory Leak vulnerability in Gnome Anjuta 2.0.0 There is a Information Disclosure vulnerability in anjuta/plugins/document-manager/anjuta-bookmarks.c. | 7.5 |
2022-08-25 | CVE-2021-42523 | Colord Project | Memory Leak vulnerability in Colord Project Colord 1.4.4/1.4.5 There are two Information Disclosure vulnerabilities in colord, and they lie in colord/src/cd-device-db.c and colord/src/cd-profile-db.c separately. | 7.5 |
2022-08-25 | CVE-2022-2255 | Modwsgi Debian | Insufficient Verification of Data Authenticity vulnerability in multiple products A vulnerability was found in mod_wsgi. | 7.5 |
2022-08-25 | CVE-2022-22728 | Apache Fedoraproject Debian | Classic Buffer Overflow vulnerability in multiple products A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. | 7.5 |
2022-08-24 | CVE-2022-32793 | Apple Fedoraproject | Out-of-bounds Write vulnerability in multiple products Multiple out-of-bounds write issues were addressed with improved bounds checking. | 7.5 |
2022-08-24 | CVE-2021-3998 | GNU Netapp | Out-of-bounds Read vulnerability in multiple products A flaw was found in glibc. | 7.5 |
2022-08-24 | CVE-2021-43309 | Litejs | Unspecified vulnerability in Litejs Uri-Template-Lite An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the "URI.expand" method | 7.5 |
2022-08-24 | CVE-2021-0946 | | Missing Initialization of Resource vulnerability in Google Android The method PVRSRVBridgePMRPDumpSymbolicAddr allocates puiMemspaceNameInt on the heap, fills the contents of the buffer via PMR_PDumpSymbolicAddr, and then copies the buffer to userspace. | 7.5 |
2022-08-24 | CVE-2021-0947 | | Missing Initialization of Resource vulnerability in Google Android The method PVRSRVBridgeTLDiscoverStreams allocates puiStreamsInt on the heap, fills the contents of the buffer via TLServerDiscoverStreamsKM, and then copies the buffer to userspace. | 7.5 |
2022-08-24 | CVE-2022-27812 | Stormshield | Unspecified vulnerability in Stormshield Network Security Flooding SNS firewall versions 3.7.0 to 3.7.29, 3.11.0 to 3.11.17, 4.2.0 to 4.2.10, and 4.3.0 to 4.3.6 with specific forged traffic, can lead to SNS DoS. | 7.5 |
2022-08-23 | CVE-2021-20298 | Openexr Debian | Out-of-bounds Write vulnerability in multiple products A flaw was found in OpenEXR's B44Compressor. | 7.5 |
2022-08-23 | CVE-2021-20304 | Openexr | Integer Overflow or Wraparound vulnerability in Openexr A flaw was found in OpenEXR's hufDecode functionality. | 7.5 |
2022-08-23 | CVE-2021-3690 | Redhat | Memory Leak vulnerability in Redhat products A flaw was found in Undertow. | 7.5 |
2022-08-23 | CVE-2021-3839 | Dpdk Fedoraproject Redhat | Out-of-bounds Write vulnerability in multiple products A flaw was found in the vhost library in DPDK. | 7.5 |
2022-08-23 | CVE-2021-3905 | Openvswitch Redhat Canonical Fedoraproject | Memory Leak vulnerability in multiple products A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. | 7.5 |
2022-08-23 | CVE-2022-21208 | Node Opcua Project | Improper Validation of Specified Quantity in Input vulnerability in Node-Opcua Project Node-Opcua The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. | 7.5 |
2022-08-23 | CVE-2022-25302 | OPC UA Stack Project | Unspecified vulnerability in OPC UA Stack Project OPC UA Stack All versions of package asneg/opcuastack are vulnerable to Denial of Service (DoS) due to a missing handler for failed casting when unvalidated data is forwarded to boost::get function in OpcUaNodeIdBase.h. | 7.5 |
2022-08-23 | CVE-2022-25761 | Open62541 Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products The package open62541/open62541 before 1.2.5, from 1.3-rc1 and before 1.3.1 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. | 7.5 |
2022-08-22 | CVE-2022-38668 | Crowcpp | Use of Uninitialized Resource vulnerability in Crowcpp Crow 1.0+4 HTTP applications (servers) based on Crow through 1.0+4 may reveal potentially sensitive uninitialized data from stack memory when fulfilling a request for a static file smaller than 16 KB. | 7.5 |
2022-08-22 | CVE-2022-1930 | Ethereum | Unspecified vulnerability in Ethereum Eth-Account An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the eth-account PyPI package, when an attacker is able to supply arbitrary input to the encode_structured_data method | 7.5 |
2022-08-22 | CVE-2022-34770 | Tabit | Authorization Bypass Through User-Controlled Key vulnerability in Tabit Tabit - sensitive information disclosure. | 7.5 |
2022-08-22 | CVE-2022-34775 | Tabit | Authorization Bypass Through User-Controlled Key vulnerability in Tabit Tabit - Excessive data exposure. | 7.5 |
2022-08-26 | CVE-2021-3563 | Openstack Debian Redhat | Incorrect Authorization vulnerability in multiple products A flaw was found in openstack-keystone. | 7.4 |
2022-08-23 | CVE-2021-28861 | Python Fedoraproject | Open Redirect vulnerability in multiple products Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure. | 7.4 |
2022-08-26 | CVE-2022-36226 | Siteservercms Project | Missing Authorization vulnerability in Siteservercms Project Siteservercms SiteServerCMS 5.X has a Remote-download-Getshell-vulnerability via /SiteServer/Ajax/ajaxOtherService.aspx. | 7.2 |
2022-08-23 | CVE-2022-35203 | Trendnet | Improper Authentication vulnerability in Trendnet Tv-Ip572Pi Firmware 1.0 An access control issue in TrendNet TV-IP572PI v1.0 allows unauthenticated attackers to access sensitive system information. | 7.2 |
2022-08-22 | CVE-2022-33900 | Sandhillsdev | Deserialization of Untrusted Data vulnerability in Sandhillsdev Easy Digital Downloads PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. | 7.2 |
2022-08-25 | CVE-2022-36115 | Ssctech | Unspecified vulnerability in Ssctech Blue Prism An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. | 7.1 |
2022-08-24 | CVE-2021-4204 | Linux Debian Redhat Netapp | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. | 7.1 |
2022-08-22 | CVE-2021-3481 | QT | Out-of-bounds Read vulnerability in QT A flaw was found in Qt. | 7.1 |
2022-08-26 | CVE-2021-3864 | Linux Debian Redhat | Improper Access Control vulnerability in multiple products A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. | 7.0 |
2022-08-25 | CVE-2022-2959 | Linux | Improper Locking vulnerability in Linux Kernel A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). | 7.0 |
89 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-23 | CVE-2021-20316 | Samba Debian Redhat | Race Condition vulnerability in multiple products A flaw was found in the way Samba handled file/directory metadata. | 6.8 |
2022-08-23 | CVE-2021-3827 | Redhat | Improper Authentication vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. | 6.8 |
2022-08-26 | CVE-2022-34301 | Kidan Redhat Microsoft | A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. | 6.7 |
2022-08-26 | CVE-2022-34302 | Horizondatasys Redhat Microsoft | A flaw was found in New Horizon Datasys bootloaders before 2022-06-01. | 6.7 |
2022-08-26 | CVE-2022-34303 | Eurosoft UK Redhat Microsoft | A flaw was found in Eurosoft bootloaders before 2022-06-01. | 6.7 |
2022-08-26 | CVE-2021-35939 | RPM Redhat | Link Following vulnerability in multiple products It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. | 6.7 |
2022-08-25 | CVE-2021-35938 | RPM Fedoraproject Redhat | Link Following vulnerability in multiple products A symbolic link issue was found in rpm. | 6.7 |
2022-08-25 | CVE-2022-20865 | Cisco | OS Command Injection vulnerability in Cisco products A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. | 6.7 |
2022-08-24 | CVE-2021-4178 | Redhat | Deserialization of Untrusted Data vulnerability in Redhat products An arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. | 6.7 |
2022-08-23 | CVE-2021-3701 | Redhat | Incorrect Default Permissions vulnerability in Redhat Ansible Runner 2.0.0 A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. | 6.6 |
2022-08-25 | CVE-2021-3979 | Redhat Fedoraproject | Improper Authentication vulnerability in multiple products A key length flaw was found in Red Hat Ceph Storage. | 6.5 |
2022-08-24 | CVE-2021-4209 | GNU Redhat Netapp | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in GnuTLS. | 6.5 |
2022-08-23 | CVE-2021-3975 | Redhat Canonical Fedoraproject Debian Netapp | Use After Free vulnerability in multiple products A use-after-free flaw was found in libvirt. | 6.5 |
2022-08-23 | CVE-2022-37428 | Powerdns Fedoraproject | Incomplete Cleanup vulnerability in multiple products PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties. | 6.5 |
2022-08-23 | CVE-2022-38663 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins GIT Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. | 6.5 |
2022-08-23 | CVE-2022-38665 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Collabnet Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-08-23 | CVE-2021-3670 | Samba Redhat Fedoraproject | MaxQueryDuration not honoured in Samba AD DC LDAP | 6.5 |
2022-08-23 | CVE-2022-33142 | Wordplus | Unspecified vulnerability in Wordplus Better Messages Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress. | 6.5 |
2022-08-23 | CVE-2022-34868 | Yookassa | Unspecified vulnerability in Yookassa Yukassa for Woocommerce Authenticated Arbitrary Settings Update vulnerability in YooMoney ?Kassa ??? WooCommerce plugin <= 2.3.0 at WordPress. | 6.5 |
2022-08-23 | CVE-2022-35191 | Dlink | Improper Resource Shutdown or Release vulnerability in Dlink Dsl-3782 Firmware 1.01 D-Link Wireless AC1200 Dual Band VDSL ADSL Modem Router DSL-3782 Firmware v1.01 allows unauthenticated attackers to cause a Denial of Service (DoS) via a crafted HTTP connection request. | 6.5 |
2022-08-22 | CVE-2022-25810 | Transposh | Missing Authorization vulnerability in Transposh Wordpress Translation The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such as “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. | 6.5 |
2022-08-25 | CVE-2021-35937 | RPM Redhat Fedoraproject | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products A race condition vulnerability was found in rpm. | 6.4 |
2022-08-26 | CVE-2022-36547 | Edoc Doctor Appointment System Project | Cross-site Scripting vulnerability in Edoc-Doctor-Appointment-System Project Edoc-Doctor-Appointment-System 1.0.1 Edoc-doctor-appointment-system v1.0.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability at /patient/index.php. | 6.1 |
2022-08-26 | CVE-2021-3427 | Deluge Torrent | Cross-site Scripting vulnerability in Deluge-Torrent Deluge The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. | 6.1 |
2022-08-25 | CVE-2022-31798 | Nortekcontrol | Session Fixation vulnerability in Nortekcontrol Emerge E3 Firmware 0.3207E/0.3207P Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. | 6.1 |
2022-08-23 | CVE-2022-35278 | Apache Netapp | Cross-site Scripting vulnerability in multiple products In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue. | 6.1 |
2022-08-23 | CVE-2022-2956 | Noxen Project | Cross-site Scripting vulnerability in Noxen Project Noxen A vulnerability classified as problematic has been found in ConsoleTVs Noxen. | 6.1 |
2022-08-23 | CVE-2019-25075 | Gravitee | Cross-site Scripting vulnerability in Gravitee API Management HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request. | 6.1 |
2022-08-22 | CVE-2021-3639 | Uninett | Open Redirect vulnerability in Uninett MOD Auth Mellon A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. | 6.1 |
2022-08-22 | CVE-2022-36251 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Clinic'S Patient Management System 1.0 Clinic's Patient Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via patients.php. | 6.1 |
2022-08-24 | CVE-2021-4158 | Qemu Redhat | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference issue was found in the ACPI code of QEMU. | 6.0 |
2022-08-25 | CVE-2021-43767 | Postgresql | Improper Certificate Validation vulnerability in Postgresql Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. | 5.9 |
2022-08-23 | CVE-2021-3714 | Linux Redhat | A flaw was found in the Linux kernel's memory deduplication mechanism. | 5.9 |
2022-08-27 | CVE-2022-38791 | Mariadb Fedoraproject | Improper Locking vulnerability in multiple products In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock. | 5.5 |
2022-08-26 | CVE-2022-0171 | Linux Redhat Debian | Improper Cross-boundary Removal of Sensitive Data vulnerability in multiple products A flaw was found in the Linux kernel. | 5.5 |
2022-08-26 | CVE-2022-0175 | Virglrenderer Project Redhat | Missing Initialization of Resource vulnerability in multiple products A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). | 5.5 |
2022-08-26 | CVE-2021-3669 | Linux IBM Debian Fedoraproject Redhat | Allocation of Resources Without Limits or Throttling vulnerability in multiple products A flaw was found in the Linux kernel. | 5.5 |
2022-08-26 | CVE-2022-38533 | GNU Fedoraproject | Out-of-bounds Write vulnerability in multiple products In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file. | 5.5 |
2022-08-25 | CVE-2021-20224 | Imagemagick | Integer Overflow or Wraparound vulnerability in Imagemagick An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c. | 5.5 |
2022-08-25 | CVE-2021-23159 | SOX Project | Classic Buffer Overflow vulnerability in SOX Project SOX 14.4.27 A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. | 5.5 |
2022-08-25 | CVE-2021-23172 | SOX Project | Classic Buffer Overflow vulnerability in SOX Project SOX 14.4.27 A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. | 5.5 |
2022-08-25 | CVE-2021-23210 | SOX Project | Divide By Zero vulnerability in SOX Project SOX 14.4.27 A floating point exception (divide-by-zero) issue was discovered in SoX in function read_samples() of voc.c file. | 5.5 |
2022-08-25 | CVE-2021-33844 | SOX Project | Divide By Zero vulnerability in SOX Project SOX 14.4.27 A floating point exception (divide-by-zero) issue was discovered in SoX in function startread() of wav.c file. | 5.5 |
2022-08-25 | CVE-2022-2980 | VIM Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259. | 5.5 |
2022-08-25 | CVE-2021-4022 | Rizin | Use After Free vulnerability in Rizin A vulnerability was found in rizin. | 5.5 |
2022-08-24 | CVE-2022-32834 | Apple | Unspecified vulnerability in Apple mac OS X and Macos An access issue was addressed with improvements to the sandbox. | 5.5 |
2022-08-24 | CVE-2022-32838 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved state management. | 5.5 |
2022-08-24 | CVE-2021-4142 | Candlepinproject | Authorization Bypass Through User-Controlled Key vulnerability in Candlepinproject Candlepin The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. | 5.5 |
2022-08-24 | CVE-2021-4214 | Libpng Debian Netapp | Classic Buffer Overflow vulnerability in multiple products A heap overflow flaw was found in libpng's pngimage.c program. | 5.5 |
2022-08-24 | CVE-2021-4218 | Linux | Improper Initialization vulnerability in Linux Kernel A flaw was found in the Linux kernel’s implementation of reading the SVC RDMA counters. | 5.5 |
2022-08-23 | CVE-2021-3995 | Kernel Fedoraproject | Files or Directories Accessible to External Parties vulnerability in multiple products A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. | 5.5 |
2022-08-23 | CVE-2021-3996 | Kernel Fedoraproject | Files or Directories Accessible to External Parties vulnerability in multiple products A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. | 5.5 |
2022-08-23 | CVE-2021-3997 | Systemd Project Fedoraproject Redhat | Uncontrolled Recursion vulnerability in multiple products A flaw was found in systemd. | 5.5 |
2022-08-23 | CVE-2021-3759 | Linux Debian | Allocation of Resources Without Limits or Throttling vulnerability in multiple products A memory overflow vulnerability was found in the Linux kernel’s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. | 5.5 |
2022-08-23 | CVE-2021-3798 | Opencryptoki Project | Unspecified vulnerability in Opencryptoki Project Opencryptoki A flaw was found in openCryptoki. | 5.5 |
2022-08-23 | CVE-2021-3800 | Gnome Debian Netapp | Information Exposure vulnerability in multiple products A flaw was found in glib before version 2.63.6. | 5.5 |
2022-08-22 | CVE-2022-2923 | VIM Fedoraproject | NULL Pointer Dereference vulnerability in multiple products NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240. | 5.5 |
2022-08-22 | CVE-2022-31238 | Dell | Information Exposure vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process invoked with sensitive information vulnerability. | 5.5 |
2022-08-22 | CVE-2021-3659 | Linux Fedoraproject Redhat | NULL Pointer Dereference vulnerability in multiple products A NULL pointer dereference flaw was found in the Linux kernel’s IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. | 5.5 |
2022-08-22 | CVE-2022-2873 | Linux Fedoraproject Redhat Netapp Debian | Incorrect Calculation of Buffer Size vulnerability in multiple products An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. | 5.5 |
2022-08-26 | CVE-2022-36548 | Edoc Doctor Appointment System Project | Cross-site Scripting vulnerability in Edoc-Doctor-Appointment-System Project Edoc-Doctor-Appointment-System 1.0.1 Edoc-doctor-appointment-system v1.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability at /patient/settings.php. | 5.4 |
2022-08-25 | CVE-2022-32746 | Samba | Use After Free vulnerability in Samba A flaw was found in the Samba AD LDAP server. | 5.4 |
2022-08-23 | CVE-2022-38664 | Jenkins | Cross-site Scripting vulnerability in Jenkins JOB Configuration History Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names. | 5.4 |
2022-08-23 | CVE-2020-35509 | Redhat | Improper Certificate Validation vulnerability in Redhat Keycloak 11.0.3/12.0.0 A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. | 5.4 |
2022-08-22 | CVE-2021-3442 | Redhat | Improper Input Validation vulnerability in Redhat Openshift API Management 2.9.1 A flaw was found in the Red Hat OpenShift API Management product. | 5.4 |
2022-08-22 | CVE-2022-2312 | Student Result OR Employee Database Project | Cross-Site Request Forgery (CSRF) vulnerability in Student Result or Employee Database Project Student Result or Employee Database The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF checks in its AJAX actions, allowing attackers to make a logged-in user with a role as low as contributor add/edit and delete students via CSRF attacks. | 5.4 |
2022-08-26 | CVE-2022-36121 | Ssctech | Unspecified vulnerability in Ssctech Blue Prism Enterprise An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. | 5.3 |
2022-08-25 | CVE-2022-36116 | Ssctech | Unspecified vulnerability in Ssctech Blue Prism An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. | 5.3 |
2022-08-25 | CVE-2022-36118 | Ssctech | Unspecified vulnerability in Ssctech Blue Prism An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. | 5.3 |
2022-08-25 | CVE-2022-23235 | Netapp | Unspecified vulnerability in Netapp Active IQ Unified Manager Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.10P1 are susceptible to a vulnerability which could allow an attacker to discover cluster, node and Active IQ Unified Manager specific information via AutoSupport telemetry data that is sent even when AutoSupport has been disabled. | 5.3 |
2022-08-24 | CVE-2021-4189 | Python Debian Redhat Netapp | Unchecked Return Value vulnerability in multiple products A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. | 5.3 |
2022-08-23 | CVE-2022-35242 | 59Sec | Unspecified vulnerability in 59Sec the Leads Management System: 59Sec Lite 3.4.1 Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin <= 3.4.1 at WordPress. | 5.3 |
2022-08-22 | CVE-2022-2552 | Snapcreek | Missing Authorization vulnerability in Snapcreek Duplicator The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. | 5.3 |
2022-08-23 | CVE-2022-35235 | Xplodedthemes | Path Traversal vulnerability in Xplodedthemes Wpide - File Manager & Code Editor Authenticated (admin+) Arbitrary File Read vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress. | 4.9 |
2022-08-26 | CVE-2021-3688 | Redhat | Information Exposure vulnerability in Redhat Jboss Core Services Httpd 2.4.23/2.4.29/2.4.37 A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL that contains dot-dot-semicolon(s). | 4.8 |
2022-08-26 | CVE-2022-0207 | Ovirt Redhat | Race Condition vulnerability in multiple products A race condition was found in vdsm. | 4.7 |
2022-08-22 | CVE-2021-3521 | RPM | Improper Verification of Cryptographic Signature vulnerability in RPM There is a flaw in RPM's signature functionality. | 4.7 |
2022-08-26 | CVE-2022-0168 | Linux Redhat | NULL Pointer Dereference vulnerability in multiple products A denial of service (DOS) issue was found in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. | 4.4 |
2022-08-26 | CVE-2022-0216 | Qemu Fedoraproject | Use After Free vulnerability in multiple products A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. | 4.4 |
2022-08-26 | CVE-2021-3735 | Qemu Debian | Improper Locking vulnerability in multiple products A deadlock issue was found in the AHCI controller device of QEMU. | 4.4 |
2022-08-24 | CVE-2021-4159 | Linux Redhat Debian | A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. | 4.4 |
2022-08-27 | CVE-2022-2787 | Debian | Improper Preservation of Permissions vulnerability in Debian Linux and Schroot Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session. | 4.3 |
2022-08-26 | CVE-2021-3856 | Redhat | Path Traversal vulnerability in Redhat Keycloak ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. | 4.3 |
2022-08-25 | CVE-2022-32742 | Samba | Unspecified vulnerability in Samba A flaw was found in Samba. | 4.3 |
2022-08-24 | CVE-2022-32857 | Apple | Unspecified vulnerability in Apple products This issue was addressed by using HTTPS when sending information over the network. | 4.3 |
2022-08-22 | CVE-2022-2276 | WP Edit Menu Project | Missing Authorization vulnerability in WP Edit Menu Project WP Edit Menu The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF checks in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog. | 4.3 |
2022-08-22 | CVE-2022-2377 | Wpwax | Missing Authorization vulnerability in Wpwax Directorist The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user to send arbitrary emails on behalf of the blog. | 4.3 |
2022-08-22 | CVE-2022-2382 | Shapedplugin | Missing Authorization vulnerability in Shapedplugin Product Slider for Woocommerce The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lacks authorisation in some of its AJAX actions, allowing any authenticated user, such as a subscriber, to call them. | 4.3 |
2022-08-22 | CVE-2022-2389 | Funnelkit | Missing Authorization vulnerability in Funnelkit Automations The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX actions, allowing any authenticated user, such as a subscriber, to create automations. | 4.3 |
4 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-08-26 | CVE-2021-3574 | Imagemagick Fedoraproject | Memory Leak vulnerability in multiple products A vulnerability was found in ImageMagick-7.0.11-5, where executing a crafted file with the convert command, ASAN detects memory leaks. | 3.3 |
2022-08-24 | CVE-2021-4217 | Unzip Project Fedoraproject Redhat | NULL Pointer Dereference vulnerability in multiple products A flaw was found in unzip. | 3.3 |
2022-08-25 | CVE-2022-36117 | Ssctech | Unspecified vulnerability in Ssctech Blue Prism An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. | 3.1 |
2022-08-22 | CVE-2022-2841 | Crowdstrike | Unspecified vulnerability in Crowdstrike Falcon 6.31.14505.0/6.42.15610/6.44.15806 A vulnerability was found in CrowdStrike Falcon 6.31.14505.0/6.42.15610/6.44.15806. | 2.7 |