Weekly Vulnerabilities Reports > September 19 to 25, 2022

Overview

567 new vulnerabilities reported during this period, including 114 critical vulnerabilities and 205 high severity vulnerabilities. This weekly summary report vulnerabilities in 391 products from 212 vendors including Apple, Jenkins, Otfcc Project, Tenda, and Debian. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "SQL Injection", "Missing Authorization", and "Unrestricted Upload of File with Dangerous Type".

  • 435 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 115 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 370 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 70 reported vulnerabilities.
  • Online Banking System Project has the most reported critical vulnerabilities, with 10 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

114 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-09-23 CVE-2022-32845 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

10.0
2022-09-21 CVE-2022-28802 Zapier Incorrect Permission Assignment for Critical Resource vulnerability in Zapier Code BY Zapier

Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code.

9.9
2022-09-24 CVE-2022-23463 Nepxion Unspecified vulnerability in Nepxion Discovery

Nepxion Discovery is a solution for Spring Cloud.

9.8
2022-09-23 CVE-2022-40113 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/send_funds.php.

9.8
2022-09-23 CVE-2022-40114 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/edit_customer.php.

9.8
2022-09-23 CVE-2022-40115 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/delete_beneficiary.php.

9.8
2022-09-23 CVE-2022-40116 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search parameter at /net-banking/beneficiary.php.

9.8
2022-09-23 CVE-2022-40117 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/delete_customer.php.

9.8
2022-09-23 CVE-2022-40118 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/send_funds_action.php.

9.8
2022-09-23 CVE-2022-40119 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search_term parameter at /net-banking/transactions.php.

9.8
2022-09-23 CVE-2022-40120 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search_term parameter at /net-banking/customer_transactions.php.

9.8
2022-09-23 CVE-2022-40121 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search parameter at /net-banking/manage_customers.php.

9.8
2022-09-23 CVE-2022-40122 Online Banking System Project SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0

Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/edit_customer_action.php.

9.8
2022-09-23 CVE-2022-40100 Tenda Command Injection vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a command injection vulnerability via the FormexeCommand function.

9.8
2022-09-23 CVE-2022-40630 Tacitine Session Fixation vulnerability in Tacitine products

This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the Tacitine Firewall web-based management interface.

9.8
2022-09-23 CVE-2022-36944 Scala Lang
Fedoraproject
Deserialization of Untrusted Data vulnerability in multiple products

Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file.

9.8
2022-09-23 CVE-2022-2025 Grandstream Out-of-bounds Write vulnerability in Grandstream Gds3710 Firmware 1.0.11.13

an attacker with knowledge of user/pass of Grandstream GSD3710 in its 1.0.11.13 version, could overflow the stack since it doesn't check the param length before use the strcopy instruction.

9.8
2022-09-23 CVE-2022-2070 Grandstream Out-of-bounds Write vulnerability in Grandstream Gds3710 Firmware 1.0.11.13

In Grandstream GSD3710 in its 1.0.11.13 version, it's possible to overflow the stack since it doesn't check the param length before using the sscanf instruction.

9.8
2022-09-23 CVE-2022-2970 MZ Automation Out-of-bounds Write vulnerability in Mz-Automation Libiec61850

MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) does not sanitize input before memcpy is used, which could allow an attacker to crash the device or remotely execute arbitrary code.

9.8
2022-09-23 CVE-2022-2972 MZ Automation Out-of-bounds Write vulnerability in Mz-Automation Libiec61850

MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) is vulnerable to a stack-based buffer overflow, which could allow an attacker to crash the device or remotely execute arbitrary code.

9.8
2022-09-23 CVE-2022-38742 Rockwellautomation Out-of-bounds Write vulnerability in Rockwellautomation Thinmanager

Rockwell Automation ThinManager ThinServer versions 11.0.0 - 13.0.0 is vulnerable to a heap-based buffer overflow.

9.8
2022-09-23 CVE-2022-40628 Tacitine Code Injection vulnerability in Tacitine products

This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper control of code generation in the Tacitine Firewall web-based management interface.

9.8
2022-09-23 CVE-2022-40851 Tenda Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19

Tenda AC15 V15.03.05.19 contained a stack overflow via the function fromAddressNat.

9.8
2022-09-23 CVE-2022-40854 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC18 router contained a stack overflow vulnerability in /goform/fast_setting_wifi_set

9.8
2022-09-23 CVE-2022-40855 Tenda Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6

Tenda W20E router V15.11.0.6 contains a stack overflow in the function formSetPortMapping with post request 'goform/setPortMapping/'.

9.8
2022-09-23 CVE-2022-40866 Tenda Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6

Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formSetDebugCfg with request /goform/setDebugCfg/

9.8
2022-09-23 CVE-2022-40867 Tenda Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6

Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formIPMacBindDel with the request /goform/delIpMacBind/

9.8
2022-09-23 CVE-2022-40868 Tenda Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6

Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formDelDhcpRule with the request /goform/delDhcpRules/

9.8
2022-09-23 CVE-2022-40853 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware 15.03.05.19

Tenda AC15 router V15.03.05.19 contains a stack overflow via the list parameter at /goform/fast_setting_wifi_set

9.8
2022-09-23 CVE-2022-40860 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware 15.03.05.19

Tenda AC15 router V15.03.05.19 contains a stack overflow vulnerability in the function formSetQosBand->FUN_0007dd20 with request /goform/SetNetControlList

9.8
2022-09-23 CVE-2022-40862 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware

Tenda AC15 and AC18 router V15.03.05.19 contains stack overflow vulnerability in the function fromNatStaticSetting with the request /goform/NatStaticSetting

9.8
2022-09-23 CVE-2022-40864 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware

Tenda AC15 and AC18 routers V15.03.05.19 contain stack overflow vulnerabilities in the function setSmartPowerManagement with the request /goform/PowerSaveSet

9.8
2022-09-23 CVE-2022-40865 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware

Tenda AC15 and AC18 routers V15.03.05.19 contain heap overflow vulnerabilities in the function setSchedWifi with the request /goform/openSchedWifi/

9.8
2022-09-23 CVE-2022-40869 Tendacn Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware

Tenda AC15 and AC18 routers V15.03.05.19 contain stack overflow vulnerabilities in the function fromDhcpListClient with a combined parameter "list*" ("%s%d","list").

9.8
2022-09-23 CVE-2022-3236 Sophos Code Injection vulnerability in Sophos Firewall 19.0.1

A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.

9.8
2022-09-23 CVE-2022-3269 Ikus Soft Unspecified vulnerability in Ikus-Soft Rdiffweb

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.

9.8
2022-09-23 CVE-2022-26112 Apache Unspecified vulnerability in Apache Pinot

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support.

9.8
2022-09-23 CVE-2022-35951 Redis
Fedoraproject
Integer Overflow or Wraparound vulnerability in multiple products

Redis is an in-memory database that persists on disk.

9.8
2022-09-23 CVE-2022-37232 Netgear Out-of-bounds Write vulnerability in Netgear Wnr2000V4 Firmware 1.0.0.70

Netgear N300 wireless router wnr2000v4-V1.0.0.70 is vulnerable to Buffer Overflow via uhttpd.

9.8
2022-09-23 CVE-2022-37235 Netgear Out-of-bounds Write vulnerability in Netgear R7000 Firmware 1.0.11.13410.2.119

Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to Buffer Overflow via the wl binary in firmware.

9.8
2022-09-23 CVE-2022-38573 10 Strike Classic Buffer Overflow vulnerability in 10-Strike Network Inventory Explorer 9.3

10-Strike Network Inventory Explorer v9.3 was discovered to contain a buffer overflow via the Add Computers function.

9.8
2022-09-22 CVE-2022-31937 Netgear Out-of-bounds Write vulnerability in Netgear Wnr2000V4 Firmware 1.0.0.70

Netgear N300 wireless router wnr2000v4-V1.0.0.70 was discovered to contain a stack overflow via strcpy in uhttpd.

9.8
2022-09-22 CVE-2022-36934 Whatsapp Integer Overflow or Wraparound vulnerability in Whatsapp

An integer overflow in WhatsApp could result in remote code execution in an established video call.

9.8
2022-09-22 CVE-2022-40087 Simple College Website Project Unrestricted Upload of File with Dangerous Type vulnerability in Simple College Website Project Simple College Website 1.0

Simple College Website v1.0 was discovered to contain an arbitrary file write vulnerability via the function file_put_contents().

9.8
2022-09-22 CVE-2022-40089 Simple College Website Project Unspecified vulnerability in Simple College Website Project Simple College Website 1.0

A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

9.8
2022-09-22 CVE-2022-3268 Ikus Soft Unspecified vulnerability in Ikus-Soft Minarca

Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2.

9.8
2022-09-21 CVE-2021-43310 Keylime Authentication Bypass by Spoofing vulnerability in Keylime

A vulnerability in Keylime before 6.3.0 allows an attacker to craft a request to the agent that resets the U and V keys as if the agent were being re-added to a verifier.

9.8
2022-09-21 CVE-2022-40030 Simple Task Managing System Project SQL Injection vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0

SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at changeStatus.php.

9.8
2022-09-21 CVE-2022-41226 Jenkins XXE vulnerability in Jenkins Compuware Common Configuration

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

9.8
2022-09-21 CVE-2022-41237 Jenkins Unspecified vulnerability in Jenkins Dotci

Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

9.8
2022-09-21 CVE-2022-41238 Jenkins Missing Authorization vulnerability in Jenkins Dotci

A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

9.8
2022-09-21 CVE-2022-37026 Erlang Unspecified vulnerability in Erlang Erlang/Otp

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

9.8
2022-09-21 CVE-2022-41220 Md2Roff Project Out-of-bounds Write vulnerability in Md2Roff Project Md2Roff 1.9

md2roff 1.9 has a stack-based buffer overflow via a Markdown file, a different vulnerability than CVE-2022-34913.

9.8
2022-09-21 CVE-2022-38619 Bpcbt SQL Injection vulnerability in Bpcbt Smartvista Front-End 2.2.22

SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90 parameter at /SVFE2/pages/feegroups/mcc_group.jsf.

9.8
2022-09-20 CVE-2022-32788 Apple Classic Buffer Overflow vulnerability in Apple products

A buffer overflow was addressed with improved bounds checking.

9.8
2022-09-20 CVE-2022-32863 Apple Out-of-bounds Write vulnerability in Apple Safari

A memory corruption issue was addressed with improved state management.

9.8
2022-09-20 CVE-2022-32882 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

9.8
2022-09-20 CVE-2022-40357 Zblogcn Server-Side Request Forgery (SSRF) vulnerability in Zblogcn Z-Blogphp

A security issue was discovered in Z-BlogPHP <= 1.7.2.

9.8
2022-09-20 CVE-2022-40008 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a was discovered to contain a heap-buffer overflow via the function readU8 at /lib/ttf.c.

9.8
2022-09-20 CVE-2022-40009 Swftools Use After Free vulnerability in Swftools 20211216

SWFTools commit 772e55a was discovered to contain a heap-use-after-free via the function grow_unicode at /lib/ttf.c.

9.8
2022-09-20 CVE-2017-20148 Debian Unspecified vulnerability in Debian Logcheck 1.3.23

In the ebuild package through logcheck-1.3.23.ebuild for Logcheck on Gentoo, it is possible to achieve root privilege escalation from the logcheck user because of insecure recursive chown calls.

9.8
2022-09-20 CVE-2022-37265 Stealjs Unspecified vulnerability in Stealjs Steal 2.2.4

Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js.

9.8
2022-09-20 CVE-2022-41138 Zutty Project Unspecified vulnerability in Zutty Project Zutty

In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution.

9.8
2022-09-20 CVE-2022-37204 Jflyfox SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0

Final CMS 5.1.0 is vulnerable to SQL Injection.

9.8
2022-09-20 CVE-2022-38916 Pagekit Unrestricted Upload of File with Dangerous Type vulnerability in Pagekit 1.0.18

A file upload vulnerability exists in the storage feature of pagekit 1.0.18, which allows an attacker to upload malicious files

9.8
2022-09-20 CVE-2022-39955 Owasp
Fedoraproject
Debian
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes.
9.8
2022-09-20 CVE-2022-39956 Owasp
Fedoraproject
Debian
Improper Encoding or Escaping of Output vulnerability in multiple products

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set.

9.8
2022-09-19 CVE-2022-0143 Forgerock Incorrect Authorization vulnerability in Forgerock Ldap Connector

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted.

9.8
2022-09-19 CVE-2022-28321 Linux PAM Improper Authentication vulnerability in Linux-Pam

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins.

9.8
2022-09-19 CVE-2022-38509 Wedding Planner Project SQL Injection vulnerability in Wedding Planner Project Wedding Planner 1.0

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the booking_id parameter at /admin/budget.php.

9.8
2022-09-19 CVE-2022-23767 Hanssak SQL Injection vulnerability in Hanssak Securegate and Weblink

This vulnerability of SecureGate is SQL-Injection using login without password.

9.8
2022-09-19 CVE-2022-23768 Neoinfosys Unspecified vulnerability in Neoinfosys Nis-Hap11Ac Firmware 3.0

This Vulnerability in NIS-HAP11AC is caused by an exposed external port for the telnet service.

9.8
2022-09-19 CVE-2022-40144 Trendmicro Improper Authentication vulnerability in Trendmicro Apex ONE 2019

A vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service could allow an attacker to bypass the product's login authentication by falsifying request parameters on affected installations.

9.8
2022-09-19 CVE-2022-3218 Necta Improper Authentication vulnerability in Necta Wifi Mouse Server 1.7.8.5

Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution.

9.8
2022-09-19 CVE-2022-35914 Glpi Project Injection vulnerability in Glpi-Project Glpi

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

9.8
2022-09-19 CVE-2022-37203 Jflyfox SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0

JFinal CMS 5.1.0 is vulnerable to SQL Injection.

9.8
2022-09-19 CVE-2022-38881 D8S Archives Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Archives Project D8S-Archives 0.1.0

The d8s-archives for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-38882 D8S Json Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Json Project D8S-Json 0.1.0

The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-38883 D8S Math Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Math Project D8S-Math 0.1.0

The d8s-math for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-38884 D8S Grammars Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Grammars Project D8S-Grammars 0.1.0

The d8s-grammars for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-38885 D8S Netstrings Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Netstrings Project D8S-Netstrings 0.1.0

The d8s-netstrings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-38886 D8S XML Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Xml Project D8S-Xml 0.1.0

The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-38887 D8S Python Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Python Project D8S-Python 0.1.0

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40425 D8S Html Project Unspecified vulnerability in D8S-Html Project D8S-Html 0.1.0

The d8s-html for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40426 D8S Asns Project Unspecified vulnerability in D8S-Asns Project D8S-Asns 0.1.0

The d8s-asns for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40428 D8S Mpeg Project Unspecified vulnerability in D8S-Mpeg Project D8S Mpeg 0.1.0

The d8s-mpeg for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40429 D8S IP Addresses Project Unspecified vulnerability in D8S-Ip-Addresses Project D8S-Ip-Addresses 0.1.0

The d8s-ip-addresses for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40430 D8S Utility Project Unspecified vulnerability in D8S-Utility Project D8S-Utility 0.1.0

The d8s-utility for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40431 D8S Pdfs Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Pdfs Project D8S-Pdfs 0.1.0

The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40432 D8S Strings Project Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Strings Project D8S-Strings 0.1.0

The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40809 Democritus Dicts Project Unspecified vulnerability in Democritus Dicts Project Democritus Dicts 0.1.0

The d8s-dicts for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40810 Democritus IP Addresses Project Unspecified vulnerability in Democritus IP Addresses Project Democritus IP Addresses 0.1.0

The d8s-ip-addresses for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40812 Democritus Pdfs Project Unspecified vulnerability in Democritus Pdfs Project Democritus Pdfs 0.1.0

The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40424 Democritus Urls Project Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40427 Democritus Domains Project Unspecified vulnerability in Democritus Domains Project Democritus Domains 0.1.0

The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40805 Democritus Urls Project Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0

The d8s-urls for python 0.1.0, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40806 Democritus Uuids Project Unspecified vulnerability in Democritus Uuids Project Democritus Uuids 0.1.0

The d8s-uuids for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40807 Democritus Domains Project Unspecified vulnerability in Democritus Domains Project Democritus Domains 0.1.0

The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40808 Democritus Dates Project Unspecified vulnerability in Democritus Dates Project Democritus Dates 0.1.0

The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-40811 Democritus Urls Project Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-2754 Ketchup Restaurant Reservations Project Unspecified vulnerability in Ketchup Restaurant Reservations Project Ketchup Restaurant Reservations 1.0.0

The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks

9.8
2022-09-19 CVE-2022-2840 Zephyr ONE SQL Injection vulnerability in Zephyr-One Zephyr Project Manager

The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections

9.8
2022-09-19 CVE-2022-38880 Democritus Urls Project Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-09-19 CVE-2022-38545 Valine JS Cross-site Scripting vulnerability in Valine.Js Valine 1.4.18

Valine v1.4.18 was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request.

9.6
2022-09-24 CVE-2022-36025 Linuxfoundation Incorrect Conversion between Numeric Types vulnerability in Linuxfoundation Besu

Besu is a Java-based Ethereum client.

9.1
2022-09-23 CVE-2022-32847 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

9.1
2022-09-23 CVE-2022-23144 ZTE Unspecified vulnerability in ZTE products

There is a broken access control vulnerability in ZTE ZXvSTB product.

9.1
2022-09-23 CVE-2022-39227 Python JWT Project Unspecified vulnerability in Python-Jwt Project Python-Jwt

python-jwt is a module for generating and verifying JSON Web Tokens.

9.1
2022-09-22 CVE-2022-40186 Hashicorp Unspecified vulnerability in Hashicorp Vault

An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3.

9.1
2022-09-21 CVE-2022-41241 Jenkins XXE vulnerability in Jenkins RQM

Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

9.1
2022-09-19 CVE-2022-37032 Frrouting
Debian
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service.

9.1
2022-09-19 CVE-2022-40980 Trendmicro Unspecified vulnerability in Trendmicro Mobile Security 9.8

A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files.

9.1
2022-09-21 CVE-2022-30577 Tibco Cross-site Scripting vulnerability in Tibco EBX

The Web Server component of TIBCO Software Inc.'s TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system.

9.0
2022-09-21 CVE-2022-30578 Tibco Cross-site Scripting vulnerability in Tibco EBX Add-Ons

The Web Server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system.

9.0

205 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-09-23 CVE-2022-22629 Apple Out-of-bounds Write vulnerability in Apple products

A buffer overflow issue was addressed with improved memory handling.

8.8
2022-09-23 CVE-2022-22610 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

8.8
2022-09-23 CVE-2022-22624 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

8.8
2022-09-23 CVE-2022-22628 Apple Use After Free vulnerability in Apple products

A use after free issue was addressed with improved memory management.

8.8
2022-09-23 CVE-2022-22637 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

8.8
2022-09-23 CVE-2022-26700 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved state management.

8.8
2022-09-23 CVE-2022-32211 Rocket Chat SQL Injection vulnerability in Rocket.Chat

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret.

8.8
2022-09-23 CVE-2022-32787 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved bounds checking.

8.8
2022-09-23 CVE-2022-32792 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved input validation.

8.8
2022-09-23 CVE-2022-35248 Rocket Chat Improper Authentication vulnerability in Rocket.Chat

A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentication can be bypassed when telling the server to use CAS during login.

8.8
2022-09-23 CVE-2022-38079 Backup Scheduler Project Unspecified vulnerability in Backup Scheduler Project Backup Scheduler

Cross-Site Request Forgery (CSRF) vulnerability Backup Scheduler plugin <= 1.5.13 at WordPress.

8.8
2022-09-23 CVE-2022-38454 Kraken Unspecified vulnerability in Kraken Kraken.Io Image Optimizer

Cross-Site Request Forgery (CSRF) vulnerability in Kraken.io Image Optimizer plugin <= 2.6.5 at WordPress.

8.8
2022-09-23 CVE-2022-38134 Cusrev Unspecified vulnerability in Cusrev Customer Reviews for Woocommerce

Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress.

8.8
2022-09-23 CVE-2022-38470 Cusrev Unspecified vulnerability in Cusrev Customer Reviews for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress.

8.8
2022-09-23 CVE-2022-36388 Ydesignservices Unspecified vulnerability in Ydesignservices YDS Support Ticket System 1.0

Cross-Site Request Forgery (CSRF) vulnerability in YDS Support Ticket System plugin <= 1.0 at WordPress.

8.8
2022-09-23 CVE-2022-38085 Read More BY Adam Project Unspecified vulnerability in Read More BY Adam Project Read More BY Adam

Cross-Site Request Forgery (CSRF) vulnerability in Read more By Adam plugin <= 1.1.8 at WordPress.

8.8
2022-09-23 CVE-2022-36798 Topdigitaltrends Unspecified vulnerability in Topdigitaltrends Mega Addons for Wpbakery Page Builder

Cross-Site Request Forgery (CSRF) vulnerability in Topdigitaltrends Mega Addons For WPBakery Page Builder plugin <= 4.2.7 at WordPress.

8.8
2022-09-23 CVE-2022-39238 Arvados Unspecified vulnerability in Arvados

Arvados is an open source platform for managing and analyzing biomedical big data.

8.8
2022-09-23 CVE-2022-40298 Crestron Incorrect Permission Assignment for Critical Resource vulnerability in Crestron Airmedia 4.3.1.39

Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which leads to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39.

8.8
2022-09-21 CVE-2022-41227 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Ns-Nd Integration Performance Publisher 4.8.0.129/4.8.0.77

A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials.

8.8
2022-09-21 CVE-2022-41228 Jenkins Missing Authorization vulnerability in Jenkins Ns-Nd Integration Performance Publisher 4.8.0.129/4.8.0.77

A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials.

8.8
2022-09-21 CVE-2022-41234 Jenkins Missing Authorization vulnerability in Jenkins Rundeck

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

8.8
2022-09-21 CVE-2022-41236 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Security Inspector

A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the .../report URL with a report based on attacker-specified report generation options.

8.8
2022-09-21 CVE-2022-41245 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager

A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2022-09-21 CVE-2022-41249 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins SCM Httpclient

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2022-09-21 CVE-2022-41253 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Cons3Rt 1.0.0

A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

8.8
2022-09-21 CVE-2022-3068 Octoprint Unspecified vulnerability in Octoprint

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.

8.8
2022-09-20 CVE-2022-23685 Arubanetworks Cross-Site Request Forgery (CSRF) vulnerability in Arubanetworks Clearpass Policy Manager

A vulnerability in the ClearPass Policy Manager web-based management interface exists which exposes some endpoints to a lack of Cross-Site Request Forgery (CSRF) protection.

8.8
2022-09-20 CVE-2022-23692 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance.

8.8
2022-09-20 CVE-2022-23693 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance.

8.8
2022-09-20 CVE-2022-23694 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance.

8.8
2022-09-20 CVE-2022-23695 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance.

8.8
2022-09-20 CVE-2022-23696 Arubanetworks SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance.

8.8
2022-09-20 CVE-2022-26696 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved environment sanitization.

8.8
2022-09-20 CVE-2022-28639 HPE Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71

A remote potential adjacent denial of service (DoS) and potential adjacent arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability were discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71.

8.8
2022-09-20 CVE-2022-28640 HPE Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71

A potential local adjacent arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability was discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71.

8.8
2022-09-20 CVE-2022-32886 Apple
Fedoraproject
Debian
Out-of-bounds Write vulnerability in multiple products

A buffer overflow issue was addressed with improved memory handling.

8.8
2022-09-20 CVE-2022-32912 Apple Out-of-bounds Read vulnerability in Apple Ipados and Iphone OS

An out-of-bounds read was addressed with improved bounds checking.

8.8
2022-09-20 CVE-2022-38931 Baijiacms Project Server-Side Request Forgery (SSRF) vulnerability in Baijiacms Project Baijiacms 4.1.4

A Server-Side Request Forgery (SSRF) in fetch_net_file_upload function of baijiacmsV4 v4.1.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.

8.8
2022-09-20 CVE-2022-37205 Jflyfox SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0

JFinal CMS 5.1.0 is affected by: SQL Injection.

8.8
2022-09-20 CVE-2022-40250 Intel
AMI
Out-of-bounds Write vulnerability in multiple products

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it.

8.8
2022-09-20 CVE-2022-35196 Testlink Cross-Site Request Forgery (CSRF) vulnerability in Testlink 1.9.20

TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php.

8.8
2022-09-20 CVE-2022-40955 Apache Unspecified vulnerability in Apache Inlong

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server.

8.8
2022-09-19 CVE-2022-38351 Supremainc Improper Privilege Management vulnerability in Supremainc Biostar 2 2.8.16

A vulnerability in Suprema BioStar (aka Bio Star) 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page.

8.8
2022-09-19 CVE-2022-23766 Bigfile Improper Input Validation vulnerability in Bigfile Bigfileagent

An improper input validation vulnerability leading to arbitrary file execution was discovered in BigFileAgent.

8.8
2022-09-19 CVE-2022-38577 Processmaker Improper Preservation of Permissions vulnerability in Processmaker 3.0.1.7/3.4.11

ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page.

8.8
2022-09-19 CVE-2022-38618 Bpcbt SQL Injection vulnerability in Bpcbt Smartvista 2.2.22

SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/country_group.jsf.

8.8
2022-09-19 CVE-2022-2958 Badgeos Unspecified vulnerability in Badgeos Badgos

The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections

8.8
2022-09-19 CVE-2022-3141 Cozmoslabs Unspecified vulnerability in Cozmoslabs Translatepress

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection.

8.8
2022-09-19 CVE-2022-3142 Basixonline Unspecified vulnerability in Basixonline Nex-Forms

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections.

8.8
2022-09-19 CVE-2022-38617 Bpcbt SQL Injection vulnerability in Bpcbt Smartvista 2.2.22

SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the voiceAudit:j_id97 parameter at /SVFE2/pages/audit/voiceaudit.jsf.

8.8
2022-09-20 CVE-2022-30579 Tibco Server-Side Request Forgery (SSRF) vulnerability in Tibco Spotfire Analytics Platform and Spotfire Server

The Web Player component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to execute blind Server Side Request Forgery (SSRF) on the affected system.

8.4
2022-09-23 CVE-2022-35893 Insyde Improper Input Validation vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.2
2022-09-23 CVE-2022-36338 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.2
2022-09-22 CVE-2022-35408 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.2
2022-09-21 CVE-2022-35895 Insyde Out-of-bounds Write vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.

8.2
2022-09-21 CVE-2022-2881 ISC Out-of-bounds Read vulnerability in ISC Bind

The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.

8.2
2022-09-20 CVE-2022-26873 Intel
AMI
Out-of-bounds Write vulnerability in multiple products

A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages.

8.2
2022-09-20 CVE-2022-40261 Intel
AMI
Classic Buffer Overflow vulnerability in multiple products

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it.

8.2
2022-09-20 CVE-2022-40262 AMI
Intel
Out-of-bounds Write vulnerability in multiple products

A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages.

8.2
2022-09-23 CVE-2020-36604 Hapijs Unspecified vulnerability in Hapijs Hoek

hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.

8.1
2022-09-21 CVE-2022-40616 IBM Unspecified vulnerability in IBM Maximo Asset Management 7.6.1.1/7.6.1.2/7.6.1.3

IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3 could allow a user to bypass authentication and obtain sensitive information or perform tasks they should not have access to.

8.1
2022-09-21 CVE-2022-41243 Jenkins Improper Certificate Validation vulnerability in Jenkins Smalltest

Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.

8.1
2022-09-21 CVE-2022-41244 Jenkins Improper Certificate Validation vulnerability in Jenkins View26 Test-Reporting

Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.

8.1
2022-09-21 CVE-2022-41232 Jenkins Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Build-Publisher

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.

8.0
2022-09-25 CVE-2022-3297 VIM
Fedoraproject
Use After Free in GitHub repository vim/vim prior to 9.0.0579.
7.8
2022-09-25 CVE-2022-3296 VIM
Fedoraproject
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
7.8
2022-09-23 CVE-2022-32814 Apple Type Confusion vulnerability in Apple products

A type confusion issue was addressed with improved state handling.

7.8
2022-09-23 CVE-2022-32796 Apple Out-of-bounds Write vulnerability in Apple Macos

A memory corruption issue was addressed with improved state management.

7.8
2022-09-23 CVE-2022-32798 Apple Out-of-bounds Write vulnerability in Apple Macos

An out-of-bounds write issue was addressed with improved input validation.

7.8
2022-09-23 CVE-2022-32801 Apple Unspecified vulnerability in Apple Macos

This issue was addressed with improved checks.

7.8
2022-09-23 CVE-2022-32815 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

7.8
2022-09-23 CVE-2022-32819 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved state management.

7.8
2022-09-23 CVE-2022-32820 Apple Out-of-bounds Write vulnerability in Apple products

An out-of-bounds write issue was addressed with improved input validation.

7.8
2022-09-23 CVE-2022-32821 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved validation.

7.8
2022-09-23 CVE-2022-32826 Apple Unspecified vulnerability in Apple products

An authorization issue was addressed with improved state management.

7.8
2022-09-23 CVE-2022-32829 Apple Unspecified vulnerability in Apple Iphone OS and Macos

This issue was addressed with improved checks.

7.8
2022-09-23 CVE-2022-32842 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue was addressed with improved input validation.

7.8
2022-09-23 CVE-2022-3263 Measuresoft Incorrect Default Permissions vulnerability in Measuresoft Scadapro Server 6.7

The security descriptor of Measuresoft ScadaPro Server version 6.7 has inconsistent permissions, which could allow a local user with limited privileges to modify the service binary path and start malicious commands with SYSTEM privileges.

7.8
2022-09-23 CVE-2022-27492 Whatsapp Integer Underflow (Wrap or Wraparound) vulnerability in Whatsapp

An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file.

7.8
2022-09-23 CVE-2022-35257 UI Unspecified vulnerability in UI Desktop 0.55.1.2

A local privilege escalation vulnerability in UI Desktop for Windows (Version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device with UI Desktop to run arbitrary commands as SYSTEM.

7.8
2022-09-23 CVE-2022-2566 Ffmpeg Integer Overflow or Wraparound vulnerability in Ffmpeg 5.1

A heap out-of-bounds memory write exists in FFMPEG since version 5.1.

7.8
2022-09-23 CVE-2022-41322 Kitty Project
Fedoraproject
Improper Encoding or Escaping of Output vulnerability in multiple products

In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution.

7.8
2022-09-23 CVE-2022-30426 Acer Out-of-bounds Write vulnerability in Acer products

There is a stack buffer overflow vulnerability, which could lead to arbitrary code execution in UEFI DXE driver on some Acer products.

7.8
2022-09-22 CVE-2022-37234 Netgear Out-of-bounds Write vulnerability in Netgear R7000 Firmware 1.0.11.13410.2.119

Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to Buffer Overflow via the wl binary in firmware.

7.8
2022-09-22 CVE-2022-3256 VIM
Fedoraproject
Debian
Use After Free in GitHub repository vim/vim prior to 9.0.0530.
7.8
2022-09-21 CVE-2022-39224 Ruby ARR PM Project OS Command Injection vulnerability in Ruby-Arr-Pm Project Ruby-Arr-Pm

Arr-pm is an RPM reader/writer library written in Ruby.

7.8
2022-09-21 CVE-2022-38928 Xpdfreader NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 4.04

XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.

7.8
2022-09-20 CVE-2022-28637 HPE Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71

A local Denial of Service (DoS) and local arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability were discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71.

7.8
2022-09-20 CVE-2022-28638 HPE Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71

An isolated local disclosure of information and potential isolated local arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability were discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71.

7.8
2022-09-20 CVE-2022-32802 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved checks.

7.8
2022-09-20 CVE-2022-32908 Apple Out-of-bounds Write vulnerability in Apple products

A memory corruption issue was addressed with improved input validation.

7.8
2022-09-20 CVE-2022-32911 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

7.8
2022-09-20 CVE-2022-32917 Apple Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS

The issue was addressed with improved bounds checks.

7.8
2022-09-20 CVE-2022-37877 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A vulnerability in the ClearPass OnGuard macOS agent could allow malicious users on a macOS instance to elevate their user privileges.

7.8
2022-09-19 CVE-2022-38532 MSI Unspecified vulnerability in MSI Center 1.0.50.0

Micro-Star International Co., Ltd MSI Center 1.0.50.0 was discovered to contain a vulnerability in the component C_Features of MSI.CentralServer.exe.

7.8
2022-09-19 CVE-2022-3239 Linux Use After Free vulnerability in Linux Kernel

A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards.

7.8
2022-09-19 CVE-2022-34893 Trendmicro Link Following vulnerability in Trendmicro Security 12.0

Trend Micro Security 2022 (consumer) has a link following vulnerability where an attacker with lower privileges could manipulate a mountpoint which could lead to escalation of privilege on an affected machine.

7.8
2022-09-19 CVE-2022-38764 Trendmicro Incorrect Default Permissions vulnerability in Trendmicro Housecall 1.62.1.1133

A vulnerability on Trend Micro HouseCall version 1.62.1.1133 and below could allow a local attacker to escalate privlieges due to an overly permissive folder om the product installer.

7.8
2022-09-19 CVE-2022-40142 Trendmicro Improper Privilege Management vulnerability in Trendmicro Apex ONE 2019

A security link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service agents could allow a local attacker to create a writable folder in an arbitrary location and escalate privileges on affected installations.

7.8
2022-09-19 CVE-2022-29908 Fabasoft Improper Certificate Validation vulnerability in Fabasoft Cloud Enterprise Client 22.4.0043

The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation.

7.8
2022-09-19 CVE-2022-35699 Adobe Unspecified vulnerability in Adobe Bridge

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2022-09-19 CVE-2022-35700 Adobe Unspecified vulnerability in Adobe Bridge

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2022-09-19 CVE-2022-35701 Adobe Unspecified vulnerability in Adobe Bridge

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.

7.8
2022-09-19 CVE-2022-35702 Adobe Unspecified vulnerability in Adobe Bridge

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

7.8
2022-09-19 CVE-2022-35703 Adobe Unspecified vulnerability in Adobe Bridge

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure.

7.8
2022-09-19 CVE-2022-40978 Jetbrains Uncontrolled Search Path Element vulnerability in Jetbrains Intellij Idea

The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking

7.8
2022-09-25 CVE-2022-41343 Dompdf Project Files or Directories Accessible to External Parties vulnerability in Dompdf Project Dompdf

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

7.5
2022-09-24 CVE-2022-41340 Secp256K1 JS Project Improper Verification of Cryptographic Signature vulnerability in Secp256K1-Js Project Secp256K1-Js 1.0.0/1.0.1

The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.

7.5
2022-09-24 CVE-2022-23464 Nepxion Unspecified vulnerability in Nepxion Discovery

Nepxion Discovery is a solution for Spring Cloud.

7.5
2022-09-23 CVE-2022-32790 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

7.5
2022-09-23 CVE-2022-40101 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterSet function.

7.5
2022-09-23 CVE-2022-40102 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formwrlSSIDset function.

7.5
2022-09-23 CVE-2022-40104 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formwrlSSIDget function.

7.5
2022-09-23 CVE-2022-40105 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterGet function.

7.5
2022-09-23 CVE-2022-40106 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the set_local_time function.

7.5
2022-09-23 CVE-2022-40107 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formexeCommand function.

7.5
2022-09-23 CVE-2022-40629 Tacitine Unspecified vulnerability in Tacitine products

This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to insecure design in the Tacitine Firewall web-based management interface.

7.5
2022-09-23 CVE-2022-2971 MZ Automation Type Confusion vulnerability in Mz-Automation Libiec61850

MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) accesses a resource using an incompatible type, which could allow an attacker to crash the server with a malicious payload.

7.5
2022-09-23 CVE-2022-2973 MZ Automation NULL Pointer Dereference vulnerability in Mz-Automation Libiec61850

MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) uses a NULL pointer in certain situations.

7.5
2022-09-23 CVE-2022-40188 NIC
Fedoraproject
Debian
Algorithmic Complexity vulnerability in multiple products

Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity.

7.5
2022-09-23 CVE-2022-40194 Cusrev Unspecified vulnerability in Cusrev Customer Reviews for Woocommerce

Unauthenticated Sensitive Information Disclosure vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress

7.5
2022-09-23 CVE-2022-38936 PBC Project Unchecked Return Value vulnerability in PBC Project PBC

An issue has been found in PBC through 2022-8-27.

7.5
2022-09-22 CVE-2022-34026 Icecoder Path Traversal vulnerability in Icecoder 8.1

ICEcoder v8.1 allows attackers to execute a directory traversal.

7.5
2022-09-22 CVE-2022-1941 Google
Fedoraproject
Debian
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures.
7.5
2022-09-22 CVE-2022-40146 Apache
Debian
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url.
7.5
2022-09-22 CVE-2022-40705 Apache XXE vulnerability in Apache Soap 2.2/2.3

An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP.

7.5
2022-09-22 CVE-2022-28981 Liferay Path Traversal vulnerability in Liferay Portal 7.4.0/7.4.1/7.4.2

Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.

7.5
2022-09-21 CVE-2022-23948 Keylime Unspecified vulnerability in Keylime

A flaw was found in Keylime before 6.3.0.

7.5
2022-09-21 CVE-2022-23949 Keylime Authentication Bypass by Spoofing vulnerability in Keylime

In Keylime before 6.3.0, unsanitized UUIDs can be passed by a rogue agent and can lead to log spoofing on the verifier and registrar.

7.5
2022-09-21 CVE-2022-23950 Keylime Exposure of Resource to Wrong Sphere vulnerability in Keylime

In Keylime before 6.3.0, Revocation Notifier uses a fixed /tmp path for UNIX domain socket which can allow unprivileged users a method to prohibit keylime operations.

7.5
2022-09-21 CVE-2022-23952 Keylime Unspecified vulnerability in Keylime

In Keylime before 6.3.0, current keylime installer installs the keylime.conf file, which can contain sensitive data, as world-readable.

7.5
2022-09-21 CVE-2022-3252 Apple Infinite Loop vulnerability in Apple Swift-Nio-Extras

Improper detection of complete HTTP body decompression SwiftNIO Extras provides a pair of helpers for transparently decompressing received HTTP request or response bodies.

7.5
2022-09-21 CVE-2022-2906 ISC Memory Leak vulnerability in ISC Bind

An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources.

7.5
2022-09-21 CVE-2022-38177 ISC
Debian
Fedoraproject
Netapp
Memory Leak vulnerability in multiple products

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak.

7.5
2022-09-21 CVE-2022-38178 ISC
Debian
Fedoraproject
Netapp
Memory Leak vulnerability in multiple products

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak.

7.5
2022-09-21 CVE-2022-3080 ISC
Fedoraproject
By sending specific queries to the resolver, an attacker can cause named to crash.
7.5
2022-09-21 CVE-2022-40604 Apache Use of Externally-Controlled Format String vulnerability in Apache Airflow

In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction.

7.5
2022-09-21 CVE-2022-39221 Mcwebserver Minecraft MOD FOR Forge Project
Mcwebserver Minecraft MOD FOR Fabric AND Quilt Project
McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads.
7.5
2022-09-20 CVE-2022-37395 Huawei Improper Input Validation vulnerability in Huawei Cv81-Wdm FW Firmware 01.70.49.29.46

A Huawei device has an input verification vulnerability.

7.5
2022-09-20 CVE-2022-37884 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

A vulnerability exists in the ClearPass Policy Manager Guest User Interface that can allow an unauthenticated attacker to send specific operations which result in a Denial-of-Service condition.

7.5
2022-09-20 CVE-2022-39218 Fastly Unspecified vulnerability in Fastly Js-Compute

The JS Compute Runtime for Fastly's Compute@Edge platform provides the environment JavaScript is executed in when using the Compute@Edge JavaScript SDK.

7.5
2022-09-20 CVE-2016-20015 Smokeping Unspecified vulnerability in Smokeping

In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript allows the smokeping user to gain ownership of any file, allowing for the smokeping user to gain root privileges.

7.5
2022-09-20 CVE-2022-37259 Stealjs Unspecified vulnerability in Stealjs Steal 2.2.4

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.

7.5
2022-09-20 CVE-2022-38955 Netgear Improper Validation of Integrity Check Value vulnerability in Netgear Wpn824Ext Firmware 1.1.11.1.9

An exploitable firmware modification vulnerability was discovered on the Netgear WPN824EXT WiFi Range Extender.

7.5
2022-09-20 CVE-2022-39974 Wasm3 Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Wasm3 Project Wasm3 0.5.0

WASM3 v0.5.0 was discovered to contain a segmentation fault via the component op_Select_i32_srs in wasm3/source/m3_exec.h.

7.5
2022-09-20 CVE-2022-34917 Apache Allocation of Resources Without Limits or Throttling vulnerability in Apache Kafka 2.8.0/2.8.1/3.0.0

A security vulnerability has been identified in Apache Kafka.

7.5
2022-09-20 CVE-2022-39957 Owasp
Fedoraproject
Debian
Improper Encoding or Escaping of Output vulnerability in multiple products

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass.

7.5
2022-09-20 CVE-2022-39958 Owasp
Fedoraproject
Debian
Improper Encoding or Escaping of Output vulnerability in multiple products

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range.

7.5
2022-09-19 CVE-2022-28203 Mediawiki
Debian
Release of Invalid Pointer or Reference vulnerability in multiple products

A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2.

7.5
2022-09-19 CVE-2022-28204 Mediawiki Unspecified vulnerability in Mediawiki 1.37.0/1.37.1

A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2.

7.5
2022-09-19 CVE-2022-40141 Trendmicro Unspecified vulnerability in Trendmicro Apex ONE 2019

A vulnerability in Trend Micro Apex One and Apex One as a Service could allow an attacker to intercept and decode certain communication strings that may contain some identification attributes of a particular Apex One server.

7.5
2022-09-19 CVE-2022-40608 IBM Path Traversal vulnerability in IBM Spectrum Protect Plus

IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File Systems restore operation can download any file on the target machine by manipulating the URL with a directory traversal attack.

7.5
2022-09-19 CVE-2022-38333 Openwrt Out-of-bounds Read vulnerability in Openwrt

Openwrt before v21.02.3 and Openwrt v22.03.0-rc6 were discovered to contain two skip loops in the function header_value().

7.5
2022-09-19 CVE-2022-40468 Tinyproxy Project Insecure Default Initialization of Resource vulnerability in Tinyproxy Project Tinyproxy

Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used.

7.5
2022-09-19 CVE-2022-37700 Easycorp Path Traversal vulnerability in Easycorp Zentao 15.0

Zentao Demo15 is vulnerable to Directory Traversal.

7.5
2022-09-19 CVE-2022-40067 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetVirtualSer.

7.5
2022-09-19 CVE-2022-40068 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetQosBand.

7.5
2022-09-19 CVE-2022-40069 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

]Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetSysTime.

7.5
2022-09-19 CVE-2022-40070 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via bin/httpd, function: formSetFirewallCfg.

7.5
2022-09-19 CVE-2022-40071 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, formSetDeviceName.

7.5
2022-09-19 CVE-2022-40072 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: setSmartPowerManagement.

7.5
2022-09-19 CVE-2022-40073 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, saveParentControlInfo.

7.5
2022-09-19 CVE-2022-40074 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, setSchedWifi.

7.5
2022-09-19 CVE-2022-40075 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, form_fast_setting_wifi_set.

7.5
2022-09-19 CVE-2022-40076 Tenda Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetWifiGusetBasic.

7.5
2022-09-19 CVE-2022-40143 Trendmicro Link Following vulnerability in Trendmicro Apex ONE 2019

A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges.

7.3
2022-09-23 CVE-2022-40861 Tenda Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318)

Tenda AC18 router V15.03.05.19 contains a stack overflow vulnerability in the formSetQosBand->FUN_0007db78 function with the request /goform/SetNetControlList/

7.2
2022-09-23 CVE-2022-40091 Online Tours AND Travels Management System Project SQL Injection vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tour/admin/update_packages.php.

7.2
2022-09-23 CVE-2022-40092 Online Tours AND Travels Management System Project SQL Injection vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tour/admin/update_payment.php.

7.2
2022-09-23 CVE-2022-40093 Online Tours AND Travels Management System Project SQL Injection vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tour/admin/update_tax.php.

7.2
2022-09-22 CVE-2022-40933 Online PET Shop WEB Application Project SQL Injection vulnerability in Online PET Shop web Application Project Online PET Shop web Application 1.0

Online Pet Shop We App v1.0 by oretnom23 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_order,id.

7.2
2022-09-22 CVE-2022-40934 Online PET Shop WEB Application Project SQL Injection vulnerability in Online PET Shop web Application Project Online PET Shop web Application 1.0

Online Pet Shop We App v1.0 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_sub_category,id

7.2
2022-09-22 CVE-2022-40935 Online PET Shop WEB Application Project SQL Injection vulnerability in Online PET Shop web Application Project Online PET Shop web Application 1.0

Online Pet Shop We App v1.0 is vulnerable to SQL Injection via /pet_shop/classes/Master.php?f=delete_category,id.

7.2
2022-09-22 CVE-2022-40932 Phpgurukul Unrestricted Upload of File with Dangerous Type vulnerability in PHPgurukul ZOO Management System 1.0

In Zoo Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "gallery" file of the "Gallery" module in the background management system.

7.2
2022-09-22 CVE-2022-40446 Zzcms SQL Injection vulnerability in Zzcms 2022

ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=.

7.2
2022-09-22 CVE-2022-40447 Zzcms SQL Injection vulnerability in Zzcms 2022

ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php.

7.2
2022-09-21 CVE-2022-36386 Soflyy Unrestricted Upload of File with Dangerous Type vulnerability in Soflyy WP ALL Import

Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.

7.2
2022-09-21 CVE-2022-40217 Xplodedthemes Unrestricted Upload of File with Dangerous Type vulnerability in Xplodedthemes Wpide

Authenticated (admin+) Arbitrary File Edit/Upload vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress.

7.2
2022-09-21 CVE-2022-40026 Simple Task Managing System Project SQL Injection vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0

SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at board.php.

7.2
2022-09-21 CVE-2022-37027 Ahsay Argument Injection or Modification vulnerability in Ahsay Cloud Backup Suite 9.1.4.0

Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options.

7.2
2022-09-20 CVE-2022-37878 Arubanetworks OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host.

7.2
2022-09-20 CVE-2022-37879 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host.

7.2
2022-09-20 CVE-2022-37880 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host.

7.2
2022-09-20 CVE-2022-37881 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host.

7.2
2022-09-20 CVE-2022-37882 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host.

7.2
2022-09-20 CVE-2022-37883 Arubanetworks Unspecified vulnerability in Arubanetworks Clearpass Policy Manager

Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host.

7.2
2022-09-20 CVE-2022-38340 Safe Path Traversal vulnerability in Safe FME Server

Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a Path Traversal vulnerability via the component fmedataupload.

7.2
2022-09-20 CVE-2022-40246 Intel Out-of-bounds Write vulnerability in Intel products

A potential attacker can write one byte by arbitrary address at the time of the PEI phase (only during S3 resume boot mode) and influence the subsequent boot stages.

7.2
2022-09-19 CVE-2022-38576 Interview Management System Project SQL Injection vulnerability in Interview Management System Project Interview Management System 1.0

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=deletecand&id=.

7.2
2022-09-19 CVE-2022-40139 Trendmicro Unspecified vulnerability in Trendmicro Apex ONE 2019

Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow a Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution.

7.2
2022-09-23 CVE-2020-36521 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read was addressed with improved input validation.

7.1
2022-09-23 CVE-2022-32797 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved checks.

7.1
2022-09-23 CVE-2022-32807 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved file handling.

7.1
2022-09-23 CVE-2022-32831 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read was addressed with improved bounds checking.

7.1
2022-09-23 CVE-2022-32843 Apple Out-of-bounds Write vulnerability in Apple mac OS X and Macos

An out-of-bounds write issue was addressed with improved bounds checking.

7.1
2022-09-23 CVE-2022-32851 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue was addressed with improved input validation.

7.1
2022-09-23 CVE-2022-32852 Apple Out-of-bounds Read vulnerability in Apple Macos

An out-of-bounds read issue was addressed with improved input validation.

7.1
2022-09-23 CVE-2022-32853 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue was addressed with improved input validation.

7.1
2022-09-23 CVE-2022-34348 IBM XXE vulnerability in IBM Sterling Partner Engagement Manager 6.1/6.1.2/6.2.1.0

IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

7.1
2022-09-23 CVE-2022-2347 Denx Out-of-bounds Write vulnerability in Denx U-Boot

There exists an unchecked length field in UBoot.

7.1
2022-09-23 CVE-2021-41803 Hashicorp Missing Authorization vulnerability in Hashicorp Consul

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.

7.1
2022-09-19 CVE-2022-2995 Kubernetes Incorrect Permission Assignment for Critical Resource vulnerability in Kubernetes Cri-O 1.25.0

Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

7.1
2022-09-19 CVE-2022-38341 Safe Unspecified vulnerability in Safe FME Server 2021.2.3

Safe Software FME Server v2021.2.5 and below does not employ server-side validation.

7.1
2022-09-21 CVE-2022-41222 Linux
Debian
Netapp
Canonical
Use After Free vulnerability in multiple products

mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move.

7.0

240 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-09-23 CVE-2022-30124 Rocket Chat Improper Authentication vulnerability in Rocket.Chat

An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with physical access to a mobile device to bypass local authentication (PIN code).

6.8
2022-09-20 CVE-2021-33076 Intel Improper Authentication vulnerability in Intel products

Improper authentication in firmware for some Intel(R) SSD DC Products may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

6.8
2022-09-23 CVE-2022-32832 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

6.7
2022-09-23 CVE-2022-30121 Ivanti Unspecified vulnerability in Ivanti Endpoint Manager

The “LANDesk(R) Management Agent” service exposes a socket and once connected, it is possible to launch commands only for signed executables.

6.7
2022-09-23 CVE-2021-3782 Wayland Integer Overflow or Wraparound vulnerability in Wayland

An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool.

6.6
2022-09-20 CVE-2022-35957 Grafana
Fedoraproject
Grafana is an open-source platform for monitoring and observability.
6.6
2022-09-23 CVE-2022-32220 Rocket Chat Missing Authorization vulnerability in Rocket.Chat

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.

6.5
2022-09-23 CVE-2022-32227 Rocket Chat Cleartext Transmission of Sensitive Information vulnerability in Rocket.Chat

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product.

6.5
2022-09-23 CVE-2022-32816 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved UI handling.

6.5
2022-09-23 CVE-2022-3257 Mattermost Unrestricted Upload of File with Dangerous Type vulnerability in Mattermost Server

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.

6.5
2022-09-23 CVE-2022-40716 Hashicorp Unchecked Return Value vulnerability in Hashicorp Consul

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions.

6.5
2022-09-23 CVE-2022-24280 Apache Improper Input Validation vulnerability in Apache Pulsar

Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address.

6.5
2022-09-23 CVE-2022-39230 Amazon Unspecified vulnerability in Amazon Fhir-Works-On-Aws-Authz-Smart 3.1.0/3.1.1/3.1.2

fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface.

6.5
2022-09-23 CVE-2022-41320 Veritas Insecure Storage of Sensitive Information vulnerability in Veritas System Recovery

Veritas System Recovery (VSR) versions 18 and 21 store a network destination password in the Windows registry during configuration of the backup configuration.

6.5
2022-09-22 CVE-2022-35021 Otfcc Project Classic Buffer Overflow vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a global buffer overflow via /release-x64/otfccdump+0x718693.

6.5
2022-09-22 CVE-2022-35022 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6badae.

6.5
2022-09-22 CVE-2022-35023 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /lib/x86_64-linux-gnu/libc.so.6+0xbb384.

6.5
2022-09-22 CVE-2022-35024 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /multiarch/memmove-vec-unaligned-erms.S.

6.5
2022-09-22 CVE-2022-35025 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x5266a8.

6.5
2022-09-22 CVE-2022-35026 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fbc0b.

6.5
2022-09-22 CVE-2022-35027 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fe9a7.

6.5
2022-09-22 CVE-2022-35028 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fbbb6.

6.5
2022-09-22 CVE-2022-35029 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6babea.

6.5
2022-09-22 CVE-2022-35030 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fe954.

6.5
2022-09-22 CVE-2022-35031 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x703969.

6.5
2022-09-22 CVE-2022-35032 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6b6a8f.

6.5
2022-09-22 CVE-2022-35034 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e7e3d.

6.5
2022-09-22 CVE-2022-35035 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b559f.

6.5
2022-09-22 CVE-2022-35036 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e1fc8.

6.5
2022-09-22 CVE-2022-35037 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6adb1e.

6.5
2022-09-22 CVE-2022-35038 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b064d.

6.5
2022-09-22 CVE-2022-35039 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e20a0.

6.5
2022-09-22 CVE-2022-38512 Liferay Missing Authorization vulnerability in Liferay DXP and Liferay Portal

The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.

6.5
2022-09-21 CVE-2022-41246 Jenkins Missing Authorization vulnerability in Jenkins Worksoft Execution Manager

A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-09-21 CVE-2022-41250 Jenkins Missing Authorization vulnerability in Jenkins SCM Httpclient

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-09-21 CVE-2022-41254 Jenkins Missing Authorization vulnerability in Jenkins Cons3Rt 1.0.0

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

6.5
2022-09-21 CVE-2022-41255 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Cons3Rt 1.0.0

Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

6.5
2022-09-20 CVE-2022-32880 Apple Unspecified vulnerability in Apple Macos

This issue was addressed by enabling hardened runtime.

6.5
2022-09-20 CVE-2022-33735 Huawei Improper Restriction of Excessive Authentication Attempts vulnerability in Huawei Ws7200-10 Firmware 11.0.2.13

There is a password verification vulnerability in WS7200-10 11.0.2.13.

6.5
2022-09-20 CVE-2017-20147 Smokeping Unspecified vulnerability in Smokeping

In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript uses a PID file that is writable by the smokeping user.

6.5
2022-09-19 CVE-2022-35060 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0a32.

6.5
2022-09-19 CVE-2022-35061 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e412a.

6.5
2022-09-19 CVE-2022-35062 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0bc3.

6.5
2022-09-19 CVE-2022-35063 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41a8.

6.5
2022-09-19 CVE-2022-35064 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x4adcdb in __asan_memset.

6.5
2022-09-19 CVE-2022-35065 Otfcc Project Unspecified vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x65f724.

6.5
2022-09-19 CVE-2022-35066 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41b8.

6.5
2022-09-19 CVE-2022-35067 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41b0.

6.5
2022-09-19 CVE-2022-35068 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e420d.

6.5
2022-09-19 CVE-2022-35069 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b544e.

6.5
2022-09-19 CVE-2022-35070 Otfcc Project Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x65fc97.

6.5
2022-09-19 CVE-2022-40713 Nokia Path Traversal vulnerability in Nokia 1350 Optical Management System 14.2

An issue was discovered in NOKIA 1350OMS R14.2.

6.5
2022-09-19 CVE-2022-40715 Nokia Path Traversal vulnerability in Nokia 1350 Optical Management System 14.2

An issue was discovered in NOKIA 1350OMS R14.2.

6.5
2022-09-24 CVE-2022-23461 Xdsoft Unspecified vulnerability in Xdsoft Jodit Editor

Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries.

6.1
2022-09-23 CVE-2022-40359 KFM Project Cross-site Scripting vulnerability in KFM Project KFM

Cross site scripting (XSS) vulnerability in kfm through 1.4.7 via crafted GET request to /kfm/index.php.

6.1
2022-09-23 CVE-2022-36417 3D TAG Cloud Project Unspecified vulnerability in 3D TAG Cloud Project 3D TAG Cloud

Multiple Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in 3D Tag Cloud plugin <= 3.8 at WordPress.

6.1
2022-09-23 CVE-2022-40193 Brinidesigner Unspecified vulnerability in Brinidesigner Awesome Filterable Portfolio

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Awesome Filterable Portfolio plugin <= 1.9.7 at WordPress.

6.1
2022-09-23 CVE-2022-41319 Veritas Cross-site Scripting vulnerability in Veritas Desktop and Laptop Option

A Reflected Cross-Site Scripting (XSS) vulnerability affects the Veritas Desktop Laptop Option (DLO) application login page (aka the DLOServer/restore/login.jsp URI).

6.1
2022-09-22 CVE-2022-23458 NHN Unspecified vulnerability in NHN Toast UI Grid

Toast UI Grid is a component to display and edit data.

6.1
2022-09-22 CVE-2022-40088 Simple College Website Project Cross-site Scripting vulnerability in Simple College Website Project Simple College Website 1.0

Simple College Website v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /college_website/index.php?page=.

6.1
2022-09-22 CVE-2022-28977 Liferay Open Redirect vulnerability in Liferay DXP and Liferay Portal

HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.

6.1
2022-09-22 CVE-2022-28980 Liferay Cross-site Scripting vulnerability in Liferay Portal

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.

6.1
2022-09-22 CVE-2022-39197 Helpsystems Cross-site Scripting vulnerability in Helpsystems Cobalt Strike

An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver.

6.1
2022-09-22 CVE-2022-28979 Liferay Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal

Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget.

6.1
2022-09-22 CVE-2022-28982 Liferay Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal

A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.

6.1
2022-09-21 CVE-2022-40027 Simple Task Managing System Project Cross-site Scripting vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0

SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newTask.php.

6.1
2022-09-21 CVE-2022-40754 Apache Open Redirect vulnerability in Apache Airflow

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

6.1
2022-09-20 CVE-2022-39220 Sftpgo Project Unspecified vulnerability in Sftpgo Project Sftpgo

SFTPGo is an SFTP server written in Go.

6.1
2022-09-20 CVE-2020-36602 Huawei Out-of-bounds Write vulnerability in Huawei products

There is an out-of-bounds read and write vulnerability in some headset products.

6.1
2022-09-20 CVE-2022-3245 Microweber Cross-site Scripting vulnerability in Microweber

HTML injection attack is closely related to Cross-site Scripting (XSS).

6.1
2022-09-20 CVE-2022-3242 Microweber Cross-site Scripting vulnerability in Microweber

Code Injection in GitHub repository microweber/microweber prior to 1.3.2.

6.1
2022-09-19 CVE-2022-38339 Safe Cross-site Scripting vulnerability in Safe FME Server

Safe Software FME Server v2021.2.5, v2022.0.0.2 and below contains a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login page.

6.1
2022-09-19 CVE-2022-38527 Ucms Project Cross-site Scripting vulnerability in Ucms Project Ucms 1.6

UCMS v1.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Import function under the Site Management page.

6.1
2022-09-19 CVE-2022-40712 Nokia Cross-site Scripting vulnerability in Nokia 1350 Optical Management System 14.2

An issue was discovered in NOKIA 1350OMS R14.2.

6.1
2022-09-19 CVE-2022-40714 Nokia Cross-site Scripting vulnerability in Nokia 1350 Optical Management System 14.2

An issue was discovered in NOKIA 1350OMS R14.2.

6.1
2022-09-19 CVE-2022-2753 Ketchup Restaurant Reservations Project Unspecified vulnerability in Ketchup Restaurant Reservations Project Ketchup Restaurant Reservations 1.0.0

The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made

6.1
2022-09-22 CVE-2022-35894 Insyde Memory Leak vulnerability in Insyde Insydeh2O

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.

6.0
2022-09-22 CVE-2022-35896 Insyde Improper Input Validation vulnerability in Insyde Insydeh2O

An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.

6.0
2022-09-23 CVE-2022-32799 Apple Out-of-bounds Read vulnerability in Apple mac OS X and Macos

An out-of-bounds read issue was addressed with improved bounds checking.

5.9
2022-09-23 CVE-2021-45035 Velneo Improper Certificate Validation vulnerability in Velneo Vclient 28.1.3

Velneo vClient on its 28.1.3 version, does not correctly check the certificate of authenticity by default.

5.9
2022-09-23 CVE-2022-33681 Apache Improper Certificate Validation vulnerability in Apache Pulsar

Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack.

5.9
2022-09-23 CVE-2022-33682 Apache Improper Certificate Validation vulnerability in Apache Pulsar

TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients.

5.9
2022-09-23 CVE-2022-33683 Apache Improper Certificate Validation vulnerability in Apache Pulsar

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration.

5.9
2022-09-20 CVE-2022-34746 Zyxel Insufficient Entropy vulnerability in Zyxel products

An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair generation was found in Zyxel GS1900 series firmware versions prior to V2.70.

5.9
2022-09-19 CVE-2022-40234 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Spectrum Protect Plus

Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus.

5.9
2022-09-23 CVE-2022-38061 Apasionados Improper Neutralization of Formula Elements in a CSV File vulnerability in Apasionados Export Post Info

Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress.

5.7
2022-09-21 CVE-2022-41231 Jenkins Path Traversal vulnerability in Jenkins Build-Publisher

Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

5.7
2022-09-23 CVE-2022-3278 VIM
Fedoraproject
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.
5.5
2022-09-23 CVE-2022-26707 Apple Improper Input Validation vulnerability in Apple Macos

An issue in the handling of environment variables was addressed with improved validation.

5.5
2022-09-23 CVE-2022-28886 F Secure Infinite Loop vulnerability in F-Secure products

A Denial-of-Service vulnerability was discovered in the F-Secure and WithSecure products where aerdl.so/aerdl.dll may go into an infinite loop when unpacking PE files.

5.5
2022-09-23 CVE-2022-32783 Apple Unspecified vulnerability in Apple Macos

A logic issue was addressed with improved checks.

5.5
2022-09-23 CVE-2022-32785 Apple NULL Pointer Dereference vulnerability in Apple products

A null pointer dereference was addressed with improved validation.

5.5
2022-09-23 CVE-2022-32786 Apple Unspecified vulnerability in Apple mac OS X and Macos

An issue in the handling of environment variables was addressed with improved validation.

5.5
2022-09-23 CVE-2022-32789 Apple Unspecified vulnerability in Apple Macos

A logic issue was addressed with improved checks.

5.5
2022-09-23 CVE-2022-32800 Apple Unspecified vulnerability in Apple mac OS X and Macos

This issue was addressed with improved checks.

5.5
2022-09-23 CVE-2022-32805 Apple Unspecified vulnerability in Apple mac OS X and Macos

The issue was addressed with improved handling of caches.

5.5
2022-09-23 CVE-2022-32817 Apple Out-of-bounds Read vulnerability in Apple products

An out-of-bounds read issue was addressed with improved bounds checking.

5.5
2022-09-23 CVE-2022-32818 Apple Unspecified vulnerability in Apple Macos

The issue was addressed with improved memory handling.

5.5
2022-09-23 CVE-2022-32823 Apple Improper Initialization vulnerability in Apple products

A memory initialization issue was addressed with improved memory handling.

5.5
2022-09-23 CVE-2022-32825 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

5.5
2022-09-23 CVE-2022-32828 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

5.5
2022-09-23 CVE-2022-32841 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

5.5
2022-09-23 CVE-2022-32848 Apple Unspecified vulnerability in Apple Macos

A logic issue was addressed with improved checks.

5.5
2022-09-23 CVE-2022-32849 Apple Unspecified vulnerability in Apple products

An information disclosure issue was addressed by removing the vulnerable code.

5.5
2022-09-23 CVE-2022-40103 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828)

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formSetAutoPing function.

5.5
2022-09-23 CVE-2022-22423 IBM Improper Input Validation vulnerability in IBM Common Cryptographic Architecture

IBM Common Cryptographic Architecture (CCA 5.x MTM for 4767 and CCA 7.x MTM for 4769) could allow a local user to cause a denial of service due to improper input validation.

5.5
2022-09-23 CVE-2022-35091 Swftools Incorrect Comparison vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a floating point exception (FPE) via DCTStream::readMCURow() at /xpdf/Stream.cc.ow()

5.5
2022-09-23 CVE-2022-35092 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via convert_gfxline at /gfxpoly/convert.c.

5.5
2022-09-23 CVE-2022-35093 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a global buffer overflow via DCTStream::transformDataUnit at /xpdf/Stream.cc.

5.5
2022-09-23 CVE-2022-35094 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via DCTStream::readHuffSym(DCTHuffTable*) at /xpdf/Stream.cc.

5.5
2022-09-23 CVE-2022-35095 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via InfoOutputDev::type3D1 at /pdf/InfoOutputDev.cc.

5.5
2022-09-23 CVE-2022-35096 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via draw_stroke at /gfxpoly/stroke.c.

5.5
2022-09-23 CVE-2022-35097 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via FoFiTrueType::writeTTF at /xpdf/FoFiTrueType.cc.

5.5
2022-09-23 CVE-2022-35098 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via GfxICCBasedColorSpace::getDefaultColor(GfxColor*) at /xpdf/GfxState.cc.

5.5
2022-09-23 CVE-2022-35099 Swftools Out-of-bounds Write vulnerability in Swftools 20211216

SWFTools commit 772e55a2 was discovered to contain a stack overflow via ImageStream::getPixel(unsigned char*) at /xpdf/Stream.cc.

5.5
2022-09-23 CVE-2022-2785 Linux Out-of-bounds Read vulnerability in Linux Kernel

There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF.

5.5
2022-09-21 CVE-2022-23951 Keylime Unspecified vulnerability in Keylime

In Keylime before 6.3.0, quote responses from the agent can contain possibly untrusted ZIP data which can lead to zip bombs.

5.5
2022-09-21 CVE-2022-29799 Microsoft Path Traversal vulnerability in Microsoft Windows Defender for Endpoint

A vulnerability was found in networkd-dispatcher.

5.5
2022-09-21 CVE-2022-41218 Linux
Debian
Use After Free vulnerability in multiple products

In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release.

5.5
2022-09-21 CVE-2022-35085 Swftools Memory Leak vulnerability in Swftools

SWFTools commit 772e55a2 was discovered to contain a memory leak via /lib/mem.c.

5.5
2022-09-21 CVE-2022-35086 Swftools Out-of-bounds Write vulnerability in Swftools

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via /multiarch/memmove-vec-unaligned-erms.S.

5.5
2022-09-21 CVE-2022-35087 Swftools NULL Pointer Dereference vulnerability in Swftools

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via MovieAddFrame at /src/gif2swf.c.

5.5
2022-09-21 CVE-2022-35088 Swftools Out-of-bounds Write vulnerability in Swftools

SWFTools commit 772e55a2 was discovered to contain a heap buffer-overflow via getGifDelayTime at /home/bupt/Desktop/swftools/src/src/gif2swf.c.

5.5
2022-09-21 CVE-2022-35089 Swftools Allocation of Resources Without Limits or Throttling vulnerability in Swftools

SWFTools commit 772e55a2 was discovered to contain a heap-buffer-overflow via getTransparentColor at /home/bupt/Desktop/swftools/src/gif2swf.

5.5
2022-09-21 CVE-2022-35090 Swftools Out-of-bounds Write vulnerability in Swftools

SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via __asan_memcpy at /asan/asan_interceptors_memintrinsics.cpp:.

5.5
2022-09-20 CVE-2022-32854 Apple Unspecified vulnerability in Apple products

This issue was addressed with improved checks.

5.5
2022-09-20 CVE-2022-32864 Apple Unspecified vulnerability in Apple products

The issue was addressed with improved memory handling.

5.5
2022-09-20 CVE-2022-32883 Apple Unspecified vulnerability in Apple products

A logic issue was addressed with improved restrictions.

5.5
2022-09-20 CVE-2021-46834 Huawei Incorrect Default Permissions vulnerability in Huawei Jad-Al50 Firmware 102.0.0.225(C00E220R3P4)

A permission bypass vulnerability in Huawei cross device task management could allow an attacker to access certain resource in the attacked devices.

5.5
2022-09-19 CVE-2022-37347 Trendmicro Out-of-bounds Read vulnerability in Trendmicro Security 12.0

Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine.

5.5
2022-09-19 CVE-2022-37348 Trendmicro Out-of-bounds Read vulnerability in Trendmicro Security 12.0

Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine.

5.5
2022-09-19 CVE-2022-3213 Imagemagick
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

A heap buffer overflow issue was found in ImageMagick.

5.5
2022-09-19 CVE-2022-40140 Trendmicro Origin Validation Error vulnerability in Trendmicro Apex ONE 2019

An origin validation error vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to cause a denial-of-service on affected installations.

5.5
2022-09-19 CVE-2022-35709 Adobe Unspecified vulnerability in Adobe Bridge

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory.

5.5
2022-09-19 CVE-2022-38425 Adobe Use After Free vulnerability in Adobe Bridge

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory.

5.5
2022-09-24 CVE-2022-39240 Mygraph Project Cross-site Scripting vulnerability in Mygraph Project Mygraph

MyGraph is a permission management system.

5.4
2022-09-23 CVE-2022-35251 Rocket Chat Cross-site Scripting vulnerability in Rocket.Chat

A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the content of targeted users.

5.4
2022-09-23 CVE-2022-38438 Adobe Unspecified vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability.

5.4
2022-09-23 CVE-2022-38439 Adobe Unspecified vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability.

5.4
2022-09-23 CVE-2022-35721 IBM Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3

IBM Jazz for Service Management 1.1.3 is vulnerable to stored cross-site scripting.

5.4
2022-09-23 CVE-2022-40358 Ajaxplorer Cross-site Scripting vulnerability in Ajaxplorer 4.2.3

An issue was discovered in AjaXplorer 4.2.3, allows attackers to cause cross site scripting vulnerabilities via a crafted svg file upload.

5.4
2022-09-23 CVE-2022-40748 IBM Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting.

5.4
2022-09-23 CVE-2022-40215 Tabs Project Unspecified vulnerability in Tabs Project Tabs

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in Tabs plugin <= 3.7.1 at WordPress.

5.4
2022-09-23 CVE-2022-36791 Awesome Unspecified vulnerability in Awesome Torro Forms

Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Awesome UG Torro Forms plugin <= 1.0.16 at WordPress.

5.4
2022-09-23 CVE-2022-37328 Themesawesome Cross-site Scripting vulnerability in Themesawesome Timeline Awesome

Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in Themes Awesome History Timeline plugin <= 1.0.5 at WordPress.

5.4
2022-09-23 CVE-2022-38460 Notice Board Project Unspecified vulnerability in Notice Board Project Notice Board

Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in NOTICE BOARD plugin <= 1.1 at WordPress.

5.4
2022-09-23 CVE-2022-2937 Oxilab Unspecified vulnerability in Oxilab Image Hover Effects Ultimate

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping.

5.4
2022-09-23 CVE-2022-37330 Webhelpagency Unspecified vulnerability in Webhelpagency WHA Crossword

Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WHA Crossword plugin <= 1.1.10 at WordPress.

5.4
2022-09-23 CVE-2022-37338 Blossomthemes Cross-site Scripting vulnerability in Blossomthemes Blossom Recipe Maker

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Blossom Recipe Maker plugin <= 1.0.7 at WordPress.

5.4
2022-09-23 CVE-2022-37339 Fullworksplugins Unspecified vulnerability in Fullworksplugins Meet MY Team

Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Meet My Team plugin <= 2.0.5 at WordPress.

5.4
2022-09-23 CVE-2022-40213 Gsplugins Unspecified vulnerability in Gsplugins GS Testimonial Slider

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in GS Testimonial Slider plugin <= 1.9.6 at WordPress.

5.4
2022-09-23 CVE-2022-39239 Nuxtjs Unspecified vulnerability in Nuxtjs Netlify-Ipx

netlify-ipx is an on-Demand image optimization for Netlify using ipx.

5.4
2022-09-22 CVE-2021-27774 Hcltech Improper Input Validation vulnerability in Hcltech HCL Digital Experience 8.5/9.0/9.5

User input included in error response, which could be used in a phishing attack.

5.4
2022-09-22 CVE-2022-28978 Liferay Cross-site Scripting vulnerability in Liferay DXP 7.0/7.2

Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name.

5.4
2022-09-21 CVE-2022-36365 Webhelpagency Unspecified vulnerability in Webhelpagency WHA Crossword

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Crossword plugin <= 1.1.10 at WordPress.

5.4
2022-09-21 CVE-2022-36383 Webhelpagency Unspecified vulnerability in Webhelpagency WHA Wordsearch

Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Word Search Puzzles game plugin <= 2.0.1 at WordPress.

5.4
2022-09-21 CVE-2022-36390 Total Soft Unspecified vulnerability in Total-Soft Event Calendar

Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.

5.4
2022-09-21 CVE-2022-38073 Getawesomesupport Unspecified vulnerability in Getawesomesupport Awesome Support

Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress.

5.4
2022-09-21 CVE-2022-41224 Jenkins Cross-site Scripting vulnerability in Jenkins 2.367/2.369

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

5.4
2022-09-21 CVE-2022-41225 Jenkins Cross-site Scripting vulnerability in Jenkins Anchore Container Image Scanner

Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

5.4
2022-09-21 CVE-2022-41229 Jenkins Cross-site Scripting vulnerability in Jenkins Ns-Nd Integration Performance Publisher

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

5.4
2022-09-21 CVE-2022-41239 Jenkins Cross-site Scripting vulnerability in Jenkins Dotci

Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

5.4
2022-09-21 CVE-2022-41240 Jenkins Cross-site Scripting vulnerability in Jenkins Walti 1.0.1

Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

5.4
2022-09-21 CVE-2022-41242 Jenkins Missing Authorization vulnerability in Jenkins Extreme-Feedback

A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

5.4
2022-09-21 CVE-2022-37246 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS 4.2.0.1

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.

5.4
2022-09-21 CVE-2022-2872 Octoprint Unspecified vulnerability in Octoprint

Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.

5.4
2022-09-20 CVE-2022-32167 Cloudreve Unspecified vulnerability in Cloudreve

Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality.

5.4
2022-09-20 CVE-2022-3005 Yetiforce Unspecified vulnerability in Yetiforce Customer Relationship Management

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

5.4
2022-09-20 CVE-2022-3004 Yetiforce Unspecified vulnerability in Yetiforce Customer Relationship Management

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

5.4
2022-09-20 CVE-2022-3000 Yetiforce Unspecified vulnerability in Yetiforce Customer Relationship Management

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

5.4
2022-09-20 CVE-2022-2924 Yetiforce Unspecified vulnerability in Yetiforce Customer Relationship Management

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.3.

5.4
2022-09-19 CVE-2022-38550 Jeesns Cross-site Scripting vulnerability in Jeesns 2.0.0

A stored cross-site scripting (XSS) vulnerability in the /weibo/list component of Jeesns v2.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

5.4
2022-09-19 CVE-2022-40778 Opswat Cross-site Scripting vulnerability in Opswat Metadefender

A stored Cross-Site Scripting (XSS) vulnerability in OPSWAT MetaDefender ICAP Server before 4.13.0 allows attackers to execute arbitrary JavaScript or HTML because of the blocked page response.

5.4
2022-09-24 CVE-2022-39242 Parity Incorrect Calculation vulnerability in Parity Frontier 20210903/20211013

Frontier is an Ethereum compatibility layer for Substrate.

5.3
2022-09-23 CVE-2022-32217 Rocket Chat Information Exposure Through Log Files vulnerability in Rocket.Chat

A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs.

5.3
2022-09-23 CVE-2022-36340 Mailoptin Unspecified vulnerability in Mailoptin

Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress.

5.3
2022-09-23 CVE-2022-35238 Brinidesigner Unspecified vulnerability in Brinidesigner Awesome Filterable Portfolio

Unauthenticated Plugin Settings Change vulnerability in Awesome Filterable Portfolio plugin <= 1.9.7 at WordPress.

5.3
2022-09-23 CVE-2022-40979 Jetbrains Information Exposure Through Log Files vulnerability in Jetbrains Teamcity

In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable

5.3
2022-09-22 CVE-2021-39190 Teclib Edition Missing Authorization vulnerability in Teclib-Edition System Center Configuration Manager

The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI.

5.3
2022-09-22 CVE-2022-38398 Apache
Debian
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol.
5.3
2022-09-22 CVE-2022-38648 Apache
Debian
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources.
5.3
2022-09-22 CVE-2022-40443 Zzcms Path Traversal vulnerability in Zzcms 2022

An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.

5.3
2022-09-22 CVE-2022-40444 Zzcms Path Traversal vulnerability in Zzcms 2022

ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server.

5.3
2022-09-21 CVE-2022-35621 Evohclaimable Project Unspecified vulnerability in Evohclaimable Project Evohclaimable

Access control vulnerability in Evoh NFT EvohClaimable contract with sha256 hash code fa2084d5abca91a62ed1d2f1cad3ec318e6a9a2d7f1510a00d898737b05f48ae allows remote attackers to execute fraudulent NFT transfers.

5.3
2022-09-21 CVE-2022-3250 Ikus Soft Missing Encryption of Sensitive Data vulnerability in Ikus-Soft Rdiffweb

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.

5.3
2022-09-21 CVE-2022-3251 Ikus Soft Missing Encryption of Sensitive Data vulnerability in Ikus-Soft Minarca

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2.

5.3
2022-09-21 CVE-2022-41235 Jenkins Unspecified vulnerability in Jenkins Wildfly Deployer 1.0.2

Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

5.3
2022-09-21 CVE-2022-41248 Jenkins Cleartext Storage of Sensitive Information vulnerability in Jenkins Bigpanda Notifier

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

5.3
2022-09-21 CVE-2019-5641 Rapid7 Insufficient Session Expiration vulnerability in Rapid7 Insightvm

Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user

5.3
2022-09-21 CVE-2022-2795 ISC
Debian
Fedoraproject
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
5.3
2022-09-20 CVE-2022-32861 Apple Unspecified vulnerability in Apple Safari

A logic issue was addressed with improved state management.

5.3
2022-09-20 CVE-2022-38956 Netgear Improper Validation of Integrity Check Value vulnerability in Netgear Wpn824Ext Firmware 1.1.11.1.9

An exploitable firmware downgrade vulnerability was discovered on the Netgear WPN824EXT WiFi Range Extender.

5.3
2022-09-19 CVE-2022-29835 Westerndigital Inadequate Encryption Strength vulnerability in Westerndigital WD Discovery 4.0.251.0

WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm.

5.3
2022-09-23 CVE-2022-37342 ADD Shortcodes Actions AND Filters Project Unspecified vulnerability in ADD Shortcodes Actions and Filters Project ADD Shortcodes Actions and Filters

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability Add Shortcodes Actions And Filters plugin <= 2.0.9 at WordPress.

4.8
2022-09-23 CVE-2022-40195 Loqate Unspecified vulnerability in Loqate

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PCA Predict plugin <= 1.0.3 at WordPress.

4.8
2022-09-23 CVE-2022-40672 Wpchill Unspecified vulnerability in Wpchill CPO Shortcodes

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CPO Shortcodes plugin <= 1.5.0 at WordPress.

4.8
2022-09-23 CVE-2022-38703 Maxfoundry Unspecified vulnerability in Maxfoundry Maxbuttons

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Max Foundry Button Plugin MaxButtons plugin <= 9.2 at WordPress

4.8
2022-09-23 CVE-2022-3144 Wordfence Unspecified vulnerability in Wordfence Security

The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page due to insufficient escaping on the stored value.

4.8
2022-09-21 CVE-2022-40028 Simple Task Managing System Project Cross-site Scripting vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0

SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php.

4.8
2022-09-21 CVE-2022-40029 Simple Task Managing System Project Cross-site Scripting vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0

SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php.

4.8
2022-09-21 CVE-2022-3255 Pimcore Cross-site Scripting vulnerability in Pimcore

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.

4.8
2022-09-19 CVE-2022-2567 Codepeople Unspecified vulnerability in Codepeople Form Builder CP

The Form Builder CP WordPress plugin before 1.2.32 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-09-19 CVE-2022-2709 Cagewebdesign Cross-site Scripting vulnerability in Cagewebdesign Float to TOP Button

The Float to Top Button WordPress plugin through 2.3.6 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-09-19 CVE-2022-2710 Scroll TO TOP Project Unspecified vulnerability in Scroll to TOP Project Scroll to TOP

The Scroll To Top WordPress plugin before 1.4.1 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-09-19 CVE-2022-3021 Diywebmastery Unspecified vulnerability in Diywebmastery Slickr Flickr 2.8.1

The Slickr Flickr WordPress plugin through 2.8.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-09-19 CVE-2022-3036 Gettext Override Translations Project Unspecified vulnerability in Gettext Override Translations Project Gettext Override Translations 1.0.0/1.0.1

The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-09-21 CVE-2022-29800 Microsoft Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Microsoft Windows Defender for Endpoint

A time-of-check-time-of-use (TOCTOU) race condition vulnerability was found in networkd-dispatcher.

4.7
2022-09-23 CVE-2022-32781 Apple Unspecified vulnerability in Apple products

This issue was addressed by enabling hardened runtime.

4.4
2022-09-23 CVE-2022-32782 Apple Unspecified vulnerability in Apple Macos

This issue was addressed by enabling hardened runtime.

4.4
2022-09-21 CVE-2022-2888 Octoprint Unspecified vulnerability in Octoprint

If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.

4.4
2022-09-20 CVE-2021-33079 Intel Unspecified vulnerability in Intel products

Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.

4.4
2022-09-20 CVE-2021-33081 Intel Unspecified vulnerability in Intel products

Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.

4.4
2022-09-19 CVE-2022-28201 Mediawiki
Debian
Uncontrolled Recursion vulnerability in multiple products

An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2.

4.4
2022-09-23 CVE-2022-32218 Rocket Chat Information Exposure Through Discrepancy vulnerability in Rocket.Chat

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.

4.3
2022-09-23 CVE-2022-32219 Rocket Chat Information Exposure vulnerability in Rocket.Chat

An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the "users.list" REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide).

4.3
2022-09-23 CVE-2022-32226 Rocket Chat Improper Input Validation vulnerability in Rocket.Chat

An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to input data in the getUsersOfRoom Meteor server method is not type validated, so that MongoDB query operator objects are accepted by the server, so that instead of a matching rid String a$regex query can be executed, bypassing the room access permission check for every but the first matching room.

4.3
2022-09-23 CVE-2022-32228 Rocket Chat Unspecified vulnerability in Rocket.Chat

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.

4.3
2022-09-23 CVE-2022-32229 Rocket Chat Unspecified vulnerability in Rocket.Chat

A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection.

4.3
2022-09-23 CVE-2022-35246 Rocket Chat Unspecified vulnerability in Rocket.Chat

A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access.

4.3
2022-09-23 CVE-2022-35247 Rocket Chat Missing Authorization vulnerability in Rocket.Chat

A information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leak channel members with special roles to unauthorized clients.

4.3
2022-09-23 CVE-2022-35249 Rocket Chat Missing Authorization vulnerability in Rocket.Chat

A information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.

4.3
2022-09-23 CVE-2022-35250 Rocket Chat Incorrect Permission Assignment for Critical Resource vulnerability in Rocket.Chat

A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions.

4.3
2022-09-23 CVE-2022-38704 Clogica Unspecified vulnerability in Clogica SEO Redirection

Cross-Site Request Forgery (CSRF) vulnerability in SEO Redirection plugin <= 8.9 at WordPress, leading to deletion of 404 errors and redirection history.

4.3
2022-09-23 CVE-2022-40132 Castos Cross-Site Request Forgery (CSRF) vulnerability in Castos Seriously Simple Podcasting

Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Podcasting plugin <= 2.16.0 at WordPress, leading to plugin settings change.

4.3
2022-09-23 CVE-2022-40671 Blazzdev Unspecified vulnerability in Blazzdev Rate MY Post - WP Rating System

Cross-Site Request Forgery (CSRF) vulnerability in Rate my Post – WP Rating System plugin <= 3.3.4 at WordPress.

4.3
2022-09-23 CVE-2022-38095 Algolplus Unspecified vulnerability in Algolplus Advanced Dynamic Pricing for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.3 at WordPress.

4.3
2022-09-22 CVE-2022-3267 Ikus Soft Unspecified vulnerability in Ikus-Soft Rdiffweb

Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6.

4.3
2022-09-22 CVE-2022-39975 Liferay Missing Authorization vulnerability in Liferay DXP and Liferay Portal

The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.

4.3
2022-09-21 CVE-2022-3233 Ikus Soft Unspecified vulnerability in Ikus-Soft Rdiffweb

Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6.

4.3
2022-09-21 CVE-2022-40219 Sedlex Unspecified vulnerability in Sedlex Favicon-Switcher

Cross-Site Request Forgery (CSRF) vulnerability in SedLex FavIcon Switcher plugin <= 1.2.11 at WordPress allows plugin settings change.

4.3
2022-09-21 CVE-2022-41230 Jenkins Missing Authorization vulnerability in Jenkins Build-Publisher

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

4.3
2022-09-21 CVE-2022-41233 Jenkins Missing Authorization vulnerability in Jenkins Rundeck

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

4.3
2022-09-21 CVE-2022-41247 Jenkins Insufficiently Protected Credentials vulnerability in Jenkins Bigpanda Notifier

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

4.3
2022-09-21 CVE-2022-41251 Jenkins Missing Authorization vulnerability in Jenkins Apprenda

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

4.3
2022-09-21 CVE-2022-41252 Jenkins Missing Authorization vulnerability in Jenkins Cons3Rt 1.0.0

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allows users with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins.

4.3
2022-09-20 CVE-2022-32795 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

This issue was addressed with improved checks.

4.3
2022-09-20 CVE-2022-32868 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved state management.

4.3
2022-09-20 CVE-2021-46835 Huawei Unspecified vulnerability in Huawei Ws7200-10 Firmware 11.0.2.13

There is a traffic hijacking vulnerability in WS7200-10 11.0.2.13.

4.3
2022-09-19 CVE-2022-1580 Freehtmldesigns Unspecified vulnerability in Freehtmldesigns Site Offline

The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords.

4.3
2022-09-19 CVE-2022-1591 Wordpress Ping Optimizer Project Unspecified vulnerability in Wordpress Ping Optimizer Project Wordpress Ping Optimizer

The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-09-22 CVE-2022-36062 Grafana Unspecified vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

3.8
2022-09-23 CVE-2022-35252 Haxx
Netapp
Apple
Debian
Splunk
When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses.
3.7
2022-09-23 CVE-2022-39231 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

3.7
2022-09-21 CVE-2022-31679 Vmware Unspecified vulnerability in VMWare Spring Data Rest

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.

3.7
2022-09-22 CVE-2022-3274 Ikus Soft Unspecified vulnerability in Ikus-Soft Rdiffweb

Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.7.

3.5
2022-09-23 CVE-2022-40310 Blazzdev Race Condition vulnerability in Blazzdev Rate MY Post - WP Rating System

Authenticated (subscriber+) Race Condition vulnerability in Rate my Post – WP Rating System plugin <= 3.3.4 at WordPress allows attackers to increase/decrease votes.

3.1
2022-09-23 CVE-2022-39225 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

3.1
2022-09-20 CVE-2022-32872 Apple Unspecified vulnerability in Apple Ipados and Iphone OS

A logic issue was addressed with improved restrictions.

2.4