Weekly Vulnerabilities Reports > September 19 to 25, 2022
Overview
567 new vulnerabilities reported during this period, including 114 critical vulnerabilities and 205 high severity vulnerabilities. This weekly summary report vulnerabilities in 391 products from 212 vendors including Apple, Jenkins, Otfcc Project, Tenda, and Debian. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "SQL Injection", "Missing Authorization", and "Unrestricted Upload of File with Dangerous Type".
- 435 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 115 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 370 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 70 reported vulnerabilities.
- Online Banking System Project has the most reported critical vulnerabilities, with 10 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
114 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-09-23 | CVE-2022-32845 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 10.0 |
2022-09-21 | CVE-2022-28802 | Zapier | Incorrect Permission Assignment for Critical Resource vulnerability in Zapier Code BY Zapier Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. | 9.9 |
2022-09-24 | CVE-2022-23463 | Nepxion | Unspecified vulnerability in Nepxion Discovery Nepxion Discovery is a solution for Spring Cloud. | 9.8 |
2022-09-23 | CVE-2022-40113 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/send_funds.php. | 9.8 |
2022-09-23 | CVE-2022-40114 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/edit_customer.php. | 9.8 |
2022-09-23 | CVE-2022-40115 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/delete_beneficiary.php. | 9.8 |
2022-09-23 | CVE-2022-40116 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search parameter at /net-banking/beneficiary.php. | 9.8 |
2022-09-23 | CVE-2022-40117 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/delete_customer.php. | 9.8 |
2022-09-23 | CVE-2022-40118 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/send_funds_action.php. | 9.8 |
2022-09-23 | CVE-2022-40119 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search_term parameter at /net-banking/transactions.php. | 9.8 |
2022-09-23 | CVE-2022-40120 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search_term parameter at /net-banking/customer_transactions.php. | 9.8 |
2022-09-23 | CVE-2022-40121 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search parameter at /net-banking/manage_customers.php. | 9.8 |
2022-09-23 | CVE-2022-40122 | Online Banking System Project | SQL Injection vulnerability in Online Banking System Project Online Banking System 1.0 Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/edit_customer_action.php. | 9.8 |
2022-09-23 | CVE-2022-40100 | Tenda | Command Injection vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a command injection vulnerability via the FormexeCommand function. | 9.8 |
2022-09-23 | CVE-2022-40630 | Tacitine | Session Fixation vulnerability in Tacitine products This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the Tacitine Firewall web-based management interface. | 9.8 |
2022-09-23 | CVE-2022-36944 | Scala Lang Fedoraproject | Deserialization of Untrusted Data vulnerability in multiple products Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. | 9.8 |
2022-09-23 | CVE-2022-2025 | Grandstream | Out-of-bounds Write vulnerability in Grandstream Gds3710 Firmware 1.0.11.13 an attacker with knowledge of user/pass of Grandstream GSD3710 in its 1.0.11.13 version, could overflow the stack since it doesn't check the param length before use the strcopy instruction. | 9.8 |
2022-09-23 | CVE-2022-2070 | Grandstream | Out-of-bounds Write vulnerability in Grandstream Gds3710 Firmware 1.0.11.13 In Grandstream GSD3710 in its 1.0.11.13 version, it's possible to overflow the stack since it doesn't check the param length before using the sscanf instruction. | 9.8 |
2022-09-23 | CVE-2022-2970 | MZ Automation | Out-of-bounds Write vulnerability in Mz-Automation Libiec61850 MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) does not sanitize input before memcpy is used, which could allow an attacker to crash the device or remotely execute arbitrary code. | 9.8 |
2022-09-23 | CVE-2022-2972 | MZ Automation | Out-of-bounds Write vulnerability in Mz-Automation Libiec61850 MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) is vulnerable to a stack-based buffer overflow, which could allow an attacker to crash the device or remotely execute arbitrary code. | 9.8 |
2022-09-23 | CVE-2022-38742 | Rockwellautomation | Out-of-bounds Write vulnerability in Rockwellautomation Thinmanager Rockwell Automation ThinManager ThinServer versions 11.0.0 - 13.0.0 is vulnerable to a heap-based buffer overflow. | 9.8 |
2022-09-23 | CVE-2022-40628 | Tacitine | Code Injection vulnerability in Tacitine products This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper control of code generation in the Tacitine Firewall web-based management interface. | 9.8 |
2022-09-23 | CVE-2022-40851 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.19 Tenda AC15 V15.03.05.19 contained a stack overflow via the function fromAddressNat. | 9.8 |
2022-09-23 | CVE-2022-40854 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318) Tenda AC18 router contained a stack overflow vulnerability in /goform/fast_setting_wifi_set | 9.8 |
2022-09-23 | CVE-2022-40855 | Tenda | Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6 Tenda W20E router V15.11.0.6 contains a stack overflow in the function formSetPortMapping with post request 'goform/setPortMapping/'. | 9.8 |
2022-09-23 | CVE-2022-40866 | Tenda | Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6 Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formSetDebugCfg with request /goform/setDebugCfg/ | 9.8 |
2022-09-23 | CVE-2022-40867 | Tenda | Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6 Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formIPMacBindDel with the request /goform/delIpMacBind/ | 9.8 |
2022-09-23 | CVE-2022-40868 | Tenda | Out-of-bounds Write vulnerability in Tenda W20E Firmware 15.11.0.6 Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formDelDhcpRule with the request /goform/delDhcpRules/ | 9.8 |
2022-09-23 | CVE-2022-40853 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware 15.03.05.19 Tenda AC15 router V15.03.05.19 contains a stack overflow via the list parameter at /goform/fast_setting_wifi_set | 9.8 |
2022-09-23 | CVE-2022-40860 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware 15.03.05.19 Tenda AC15 router V15.03.05.19 contains a stack overflow vulnerability in the function formSetQosBand->FUN_0007dd20 with request /goform/SetNetControlList | 9.8 |
2022-09-23 | CVE-2022-40862 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware Tenda AC15 and AC18 router V15.03.05.19 contains stack overflow vulnerability in the function fromNatStaticSetting with the request /goform/NatStaticSetting | 9.8 |
2022-09-23 | CVE-2022-40864 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware Tenda AC15 and AC18 routers V15.03.05.19 contain stack overflow vulnerabilities in the function setSmartPowerManagement with the request /goform/PowerSaveSet | 9.8 |
2022-09-23 | CVE-2022-40865 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware Tenda AC15 and AC18 routers V15.03.05.19 contain heap overflow vulnerabilities in the function setSchedWifi with the request /goform/openSchedWifi/ | 9.8 |
2022-09-23 | CVE-2022-40869 | Tendacn | Out-of-bounds Write vulnerability in Tendacn Ac15 Firmware and Ac18 Firmware Tenda AC15 and AC18 routers V15.03.05.19 contain stack overflow vulnerabilities in the function fromDhcpListClient with a combined parameter "list*" ("%s%d","list"). | 9.8 |
2022-09-23 | CVE-2022-3236 | Sophos | Code Injection vulnerability in Sophos Firewall 19.0.1 A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older. | 9.8 |
2022-09-23 | CVE-2022-3269 | Ikus Soft | Unspecified vulnerability in Ikus-Soft Rdiffweb Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. | 9.8 |
2022-09-23 | CVE-2022-26112 | Apache | Unspecified vulnerability in Apache Pinot In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. | 9.8 |
2022-09-23 | CVE-2022-35951 | Redis Fedoraproject | Integer Overflow or Wraparound vulnerability in multiple products Redis is an in-memory database that persists on disk. | 9.8 |
2022-09-23 | CVE-2022-37232 | Netgear | Out-of-bounds Write vulnerability in Netgear Wnr2000V4 Firmware 1.0.0.70 Netgear N300 wireless router wnr2000v4-V1.0.0.70 is vulnerable to Buffer Overflow via uhttpd. | 9.8 |
2022-09-23 | CVE-2022-37235 | Netgear | Out-of-bounds Write vulnerability in Netgear R7000 Firmware 1.0.11.13410.2.119 Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to Buffer Overflow via the wl binary in firmware. | 9.8 |
2022-09-23 | CVE-2022-38573 | 10 Strike | Classic Buffer Overflow vulnerability in 10-Strike Network Inventory Explorer 9.3 10-Strike Network Inventory Explorer v9.3 was discovered to contain a buffer overflow via the Add Computers function. | 9.8 |
2022-09-22 | CVE-2022-31937 | Netgear | Out-of-bounds Write vulnerability in Netgear Wnr2000V4 Firmware 1.0.0.70 Netgear N300 wireless router wnr2000v4-V1.0.0.70 was discovered to contain a stack overflow via strcpy in uhttpd. | 9.8 |
2022-09-22 | CVE-2022-36934 | Integer Overflow or Wraparound vulnerability in Whatsapp An integer overflow in WhatsApp could result in remote code execution in an established video call. | 9.8 | |
2022-09-22 | CVE-2022-40087 | Simple College Website Project | Unrestricted Upload of File with Dangerous Type vulnerability in Simple College Website Project Simple College Website 1.0 Simple College Website v1.0 was discovered to contain an arbitrary file write vulnerability via the function file_put_contents(). | 9.8 |
2022-09-22 | CVE-2022-40089 | Simple College Website Project | Unspecified vulnerability in Simple College Website Project Simple College Website 1.0 A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 9.8 |
2022-09-22 | CVE-2022-3268 | Ikus Soft | Unspecified vulnerability in Ikus-Soft Minarca Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2. | 9.8 |
2022-09-21 | CVE-2021-43310 | Keylime | Authentication Bypass by Spoofing vulnerability in Keylime A vulnerability in Keylime before 6.3.0 allows an attacker to craft a request to the agent that resets the U and V keys as if the agent were being re-added to a verifier. | 9.8 |
2022-09-21 | CVE-2022-40030 | Simple Task Managing System Project | SQL Injection vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0 SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at changeStatus.php. | 9.8 |
2022-09-21 | CVE-2022-41226 | Jenkins | XXE vulnerability in Jenkins Compuware Common Configuration Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
2022-09-21 | CVE-2022-41237 | Jenkins | Unspecified vulnerability in Jenkins Dotci Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. | 9.8 |
2022-09-21 | CVE-2022-41238 | Jenkins | Missing Authorization vulnerability in Jenkins Dotci A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits. | 9.8 |
2022-09-21 | CVE-2022-37026 | Erlang | Unspecified vulnerability in Erlang Erlang/Otp In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS. | 9.8 |
2022-09-21 | CVE-2022-41220 | Md2Roff Project | Out-of-bounds Write vulnerability in Md2Roff Project Md2Roff 1.9 md2roff 1.9 has a stack-based buffer overflow via a Markdown file, a different vulnerability than CVE-2022-34913. | 9.8 |
2022-09-21 | CVE-2022-38619 | Bpcbt | SQL Injection vulnerability in Bpcbt Smartvista Front-End 2.2.22 SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90 parameter at /SVFE2/pages/feegroups/mcc_group.jsf. | 9.8 |
2022-09-20 | CVE-2022-32788 | Apple | Classic Buffer Overflow vulnerability in Apple products A buffer overflow was addressed with improved bounds checking. | 9.8 |
2022-09-20 | CVE-2022-32863 | Apple | Out-of-bounds Write vulnerability in Apple Safari A memory corruption issue was addressed with improved state management. | 9.8 |
2022-09-20 | CVE-2022-32882 | Apple | Unspecified vulnerability in Apple Macos This issue was addressed with improved checks. | 9.8 |
2022-09-20 | CVE-2022-40357 | Zblogcn | Server-Side Request Forgery (SSRF) vulnerability in Zblogcn Z-Blogphp A security issue was discovered in Z-BlogPHP <= 1.7.2. | 9.8 |
2022-09-20 | CVE-2022-40008 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a was discovered to contain a heap-buffer overflow via the function readU8 at /lib/ttf.c. | 9.8 |
2022-09-20 | CVE-2022-40009 | Swftools | Use After Free vulnerability in Swftools 20211216 SWFTools commit 772e55a was discovered to contain a heap-use-after-free via the function grow_unicode at /lib/ttf.c. | 9.8 |
2022-09-20 | CVE-2017-20148 | Debian | Unspecified vulnerability in Debian Logcheck 1.3.23 In the ebuild package through logcheck-1.3.23.ebuild for Logcheck on Gentoo, it is possible to achieve root privilege escalation from the logcheck user because of insecure recursive chown calls. | 9.8 |
2022-09-20 | CVE-2022-37265 | Stealjs | Unspecified vulnerability in Stealjs Steal 2.2.4 Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. | 9.8 |
2022-09-20 | CVE-2022-41138 | Zutty Project | Unspecified vulnerability in Zutty Project Zutty In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution. | 9.8 |
2022-09-20 | CVE-2022-37204 | Jflyfox | SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0 Final CMS 5.1.0 is vulnerable to SQL Injection. | 9.8 |
2022-09-20 | CVE-2022-38916 | Pagekit | Unrestricted Upload of File with Dangerous Type vulnerability in Pagekit 1.0.18 A file upload vulnerability exists in the storage feature of pagekit 1.0.18, which allows an attacker to upload malicious files | 9.8 |
2022-09-20 | CVE-2022-39955 | Owasp Fedoraproject Debian | The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. | 9.8 |
2022-09-20 | CVE-2022-39956 | Owasp Fedoraproject Debian | Improper Encoding or Escaping of Output vulnerability in multiple products The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. | 9.8 |
2022-09-19 | CVE-2022-0143 | Forgerock | Incorrect Authorization vulnerability in Forgerock Ldap Connector When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. | 9.8 |
2022-09-19 | CVE-2022-28321 | Linux PAM | Improper Authentication vulnerability in Linux-Pam The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. | 9.8 |
2022-09-19 | CVE-2022-38509 | Wedding Planner Project | SQL Injection vulnerability in Wedding Planner Project Wedding Planner 1.0 Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the booking_id parameter at /admin/budget.php. | 9.8 |
2022-09-19 | CVE-2022-23767 | Hanssak | SQL Injection vulnerability in Hanssak Securegate and Weblink This vulnerability of SecureGate is SQL-Injection using login without password. | 9.8 |
2022-09-19 | CVE-2022-23768 | Neoinfosys | Unspecified vulnerability in Neoinfosys Nis-Hap11Ac Firmware 3.0 This Vulnerability in NIS-HAP11AC is caused by an exposed external port for the telnet service. | 9.8 |
2022-09-19 | CVE-2022-40144 | Trendmicro | Improper Authentication vulnerability in Trendmicro Apex ONE 2019 A vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service could allow an attacker to bypass the product's login authentication by falsifying request parameters on affected installations. | 9.8 |
2022-09-19 | CVE-2022-3218 | Necta | Improper Authentication vulnerability in Necta Wifi Mouse Server 1.7.8.5 Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution. | 9.8 |
2022-09-19 | CVE-2022-35914 | Glpi Project | Injection vulnerability in Glpi-Project Glpi /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. | 9.8 |
2022-09-19 | CVE-2022-37203 | Jflyfox | SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0 JFinal CMS 5.1.0 is vulnerable to SQL Injection. | 9.8 |
2022-09-19 | CVE-2022-38881 | D8S Archives Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Archives Project D8S-Archives 0.1.0 The d8s-archives for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-38882 | D8S Json Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Json Project D8S-Json 0.1.0 The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-38883 | D8S Math Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Math Project D8S-Math 0.1.0 The d8s-math for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-38884 | D8S Grammars Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Grammars Project D8S-Grammars 0.1.0 The d8s-grammars for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-38885 | D8S Netstrings Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Netstrings Project D8S-Netstrings 0.1.0 The d8s-netstrings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-38886 | D8S XML Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Xml Project D8S-Xml 0.1.0 The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-38887 | D8S Python Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Python Project D8S-Python 0.1.0 The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40425 | D8S Html Project | Unspecified vulnerability in D8S-Html Project D8S-Html 0.1.0 The d8s-html for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40426 | D8S Asns Project | Unspecified vulnerability in D8S-Asns Project D8S-Asns 0.1.0 The d8s-asns for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40428 | D8S Mpeg Project | Unspecified vulnerability in D8S-Mpeg Project D8S Mpeg 0.1.0 The d8s-mpeg for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40429 | D8S IP Addresses Project | Unspecified vulnerability in D8S-Ip-Addresses Project D8S-Ip-Addresses 0.1.0 The d8s-ip-addresses for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40430 | D8S Utility Project | Unspecified vulnerability in D8S-Utility Project D8S-Utility 0.1.0 The d8s-utility for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40431 | D8S Pdfs Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Pdfs Project D8S-Pdfs 0.1.0 The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40432 | D8S Strings Project | Unrestricted Upload of File with Dangerous Type vulnerability in D8S-Strings Project D8S-Strings 0.1.0 The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40809 | Democritus Dicts Project | Unspecified vulnerability in Democritus Dicts Project Democritus Dicts 0.1.0 The d8s-dicts for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40810 | Democritus IP Addresses Project | Unspecified vulnerability in Democritus IP Addresses Project Democritus IP Addresses 0.1.0 The d8s-ip-addresses for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40812 | Democritus Pdfs Project | Unspecified vulnerability in Democritus Pdfs Project Democritus Pdfs 0.1.0 The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40424 | Democritus Urls Project | Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0 The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40427 | Democritus Domains Project | Unspecified vulnerability in Democritus Domains Project Democritus Domains 0.1.0 The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40805 | Democritus Urls Project | Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0 The d8s-urls for python 0.1.0, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40806 | Democritus Uuids Project | Unspecified vulnerability in Democritus Uuids Project Democritus Uuids 0.1.0 The d8s-uuids for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40807 | Democritus Domains Project | Unspecified vulnerability in Democritus Domains Project Democritus Domains 0.1.0 The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40808 | Democritus Dates Project | Unspecified vulnerability in Democritus Dates Project Democritus Dates 0.1.0 The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-40811 | Democritus Urls Project | Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0 The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-2754 | Ketchup Restaurant Reservations Project | Unspecified vulnerability in Ketchup Restaurant Reservations Project Ketchup Restaurant Reservations 1.0.0 The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks | 9.8 |
2022-09-19 | CVE-2022-2840 | Zephyr ONE | SQL Injection vulnerability in Zephyr-One Zephyr Project Manager The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections | 9.8 |
2022-09-19 | CVE-2022-38880 | Democritus Urls Project | Unspecified vulnerability in Democritus Urls Project Democritus Urls 0.1.0 The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. | 9.8 |
2022-09-19 | CVE-2022-38545 | Valine JS | Cross-site Scripting vulnerability in Valine.Js Valine 1.4.18 Valine v1.4.18 was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request. | 9.6 |
2022-09-24 | CVE-2022-36025 | Linuxfoundation | Incorrect Conversion between Numeric Types vulnerability in Linuxfoundation Besu Besu is a Java-based Ethereum client. | 9.1 |
2022-09-23 | CVE-2022-32847 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 9.1 |
2022-09-23 | CVE-2022-23144 | ZTE | Unspecified vulnerability in ZTE products There is a broken access control vulnerability in ZTE ZXvSTB product. | 9.1 |
2022-09-23 | CVE-2022-39227 | Python JWT Project | Unspecified vulnerability in Python-Jwt Project Python-Jwt python-jwt is a module for generating and verifying JSON Web Tokens. | 9.1 |
2022-09-22 | CVE-2022-40186 | Hashicorp | Unspecified vulnerability in Hashicorp Vault An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. | 9.1 |
2022-09-21 | CVE-2022-41241 | Jenkins | XXE vulnerability in Jenkins RQM Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.1 |
2022-09-19 | CVE-2022-37032 | Frrouting Debian | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. | 9.1 |
2022-09-19 | CVE-2022-40980 | Trendmicro | Unspecified vulnerability in Trendmicro Mobile Security 9.8 A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files. | 9.1 |
2022-09-21 | CVE-2022-30577 | Tibco | Cross-site Scripting vulnerability in Tibco EBX The Web Server component of TIBCO Software Inc.'s TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. | 9.0 |
2022-09-21 | CVE-2022-30578 | Tibco | Cross-site Scripting vulnerability in Tibco EBX Add-Ons The Web Server component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. | 9.0 |
205 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-09-23 | CVE-2022-22629 | Apple | Out-of-bounds Write vulnerability in Apple products A buffer overflow issue was addressed with improved memory handling. | 8.8 |
2022-09-23 | CVE-2022-22610 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved state management. | 8.8 |
2022-09-23 | CVE-2022-22624 | Apple | Use After Free vulnerability in Apple products A use after free issue was addressed with improved memory management. | 8.8 |
2022-09-23 | CVE-2022-22628 | Apple | Use After Free vulnerability in Apple products A use after free issue was addressed with improved memory management. | 8.8 |
2022-09-23 | CVE-2022-22637 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved state management. | 8.8 |
2022-09-23 | CVE-2022-26700 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved state management. | 8.8 |
2022-09-23 | CVE-2022-32211 | Rocket Chat | SQL Injection vulnerability in Rocket.Chat A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret. | 8.8 |
2022-09-23 | CVE-2022-32787 | Apple | Out-of-bounds Write vulnerability in Apple products An out-of-bounds write issue was addressed with improved bounds checking. | 8.8 |
2022-09-23 | CVE-2022-32792 | Apple | Out-of-bounds Write vulnerability in Apple products An out-of-bounds write issue was addressed with improved input validation. | 8.8 |
2022-09-23 | CVE-2022-35248 | Rocket Chat | Improper Authentication vulnerability in Rocket.Chat A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentication can be bypassed when telling the server to use CAS during login. | 8.8 |
2022-09-23 | CVE-2022-38079 | Backup Scheduler Project | Unspecified vulnerability in Backup Scheduler Project Backup Scheduler Cross-Site Request Forgery (CSRF) vulnerability Backup Scheduler plugin <= 1.5.13 at WordPress. | 8.8 |
2022-09-23 | CVE-2022-38454 | Kraken | Unspecified vulnerability in Kraken Kraken.Io Image Optimizer Cross-Site Request Forgery (CSRF) vulnerability in Kraken.io Image Optimizer plugin <= 2.6.5 at WordPress. | 8.8 |
2022-09-23 | CVE-2022-38134 | Cusrev | Unspecified vulnerability in Cusrev Customer Reviews for Woocommerce Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. | 8.8 |
2022-09-23 | CVE-2022-38470 | Cusrev | Unspecified vulnerability in Cusrev Customer Reviews for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. | 8.8 |
2022-09-23 | CVE-2022-36388 | Ydesignservices | Unspecified vulnerability in Ydesignservices YDS Support Ticket System 1.0 Cross-Site Request Forgery (CSRF) vulnerability in YDS Support Ticket System plugin <= 1.0 at WordPress. | 8.8 |
2022-09-23 | CVE-2022-38085 | Read More BY Adam Project | Unspecified vulnerability in Read More BY Adam Project Read More BY Adam Cross-Site Request Forgery (CSRF) vulnerability in Read more By Adam plugin <= 1.1.8 at WordPress. | 8.8 |
2022-09-23 | CVE-2022-36798 | Topdigitaltrends | Unspecified vulnerability in Topdigitaltrends Mega Addons for Wpbakery Page Builder Cross-Site Request Forgery (CSRF) vulnerability in Topdigitaltrends Mega Addons For WPBakery Page Builder plugin <= 4.2.7 at WordPress. | 8.8 |
2022-09-23 | CVE-2022-39238 | Arvados | Unspecified vulnerability in Arvados Arvados is an open source platform for managing and analyzing biomedical big data. | 8.8 |
2022-09-23 | CVE-2022-40298 | Crestron | Incorrect Permission Assignment for Critical Resource vulnerability in Crestron Airmedia 4.3.1.39 Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which leads to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. | 8.8 |
2022-09-21 | CVE-2022-41227 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Ns-Nd Integration Performance Publisher 4.8.0.129/4.8.0.77 A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials. | 8.8 |
2022-09-21 | CVE-2022-41228 | Jenkins | Missing Authorization vulnerability in Jenkins Ns-Nd Integration Performance Publisher 4.8.0.129/4.8.0.77 A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials. | 8.8 |
2022-09-21 | CVE-2022-41234 | Jenkins | Missing Authorization vulnerability in Jenkins Rundeck Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck. | 8.8 |
2022-09-21 | CVE-2022-41236 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Security Inspector A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the .../report URL with a report based on attacker-specified report generation options. | 8.8 |
2022-09-21 | CVE-2022-41245 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2022-09-21 | CVE-2022-41249 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins SCM Httpclient A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2022-09-21 | CVE-2022-41253 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Cons3Rt 1.0.0 A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
2022-09-21 | CVE-2022-3068 | Octoprint | Unspecified vulnerability in Octoprint Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3. | 8.8 |
2022-09-20 | CVE-2022-23685 | Arubanetworks | Cross-Site Request Forgery (CSRF) vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability in the ClearPass Policy Manager web-based management interface exists which exposes some endpoints to a lack of Cross-Site Request Forgery (CSRF) protection. | 8.8 |
2022-09-20 | CVE-2022-23692 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. | 8.8 |
2022-09-20 | CVE-2022-23693 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. | 8.8 |
2022-09-20 | CVE-2022-23694 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. | 8.8 |
2022-09-20 | CVE-2022-23695 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. | 8.8 |
2022-09-20 | CVE-2022-23696 | Arubanetworks | SQL Injection vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. | 8.8 |
2022-09-20 | CVE-2022-26696 | Apple | Unspecified vulnerability in Apple Macos This issue was addressed with improved environment sanitization. | 8.8 |
2022-09-20 | CVE-2022-28639 | HPE | Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71 A remote potential adjacent denial of service (DoS) and potential adjacent arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability were discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71. | 8.8 |
2022-09-20 | CVE-2022-28640 | HPE | Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71 A potential local adjacent arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability was discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71. | 8.8 |
2022-09-20 | CVE-2022-32886 | Apple Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products A buffer overflow issue was addressed with improved memory handling. | 8.8 |
2022-09-20 | CVE-2022-32912 | Apple | Out-of-bounds Read vulnerability in Apple Ipados and Iphone OS An out-of-bounds read was addressed with improved bounds checking. | 8.8 |
2022-09-20 | CVE-2022-38931 | Baijiacms Project | Server-Side Request Forgery (SSRF) vulnerability in Baijiacms Project Baijiacms 4.1.4 A Server-Side Request Forgery (SSRF) in fetch_net_file_upload function of baijiacmsV4 v4.1.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter. | 8.8 |
2022-09-20 | CVE-2022-37205 | Jflyfox | SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0 JFinal CMS 5.1.0 is affected by: SQL Injection. | 8.8 |
2022-09-20 | CVE-2022-40250 | Intel AMI | Out-of-bounds Write vulnerability in multiple products An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. | 8.8 |
2022-09-20 | CVE-2022-35196 | Testlink | Cross-Site Request Forgery (CSRF) vulnerability in Testlink 1.9.20 TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php. | 8.8 |
2022-09-20 | CVE-2022-40955 | Apache | Unspecified vulnerability in Apache Inlong In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. | 8.8 |
2022-09-19 | CVE-2022-38351 | Supremainc | Improper Privilege Management vulnerability in Supremainc Biostar 2 2.8.16 A vulnerability in Suprema BioStar (aka Bio Star) 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page. | 8.8 |
2022-09-19 | CVE-2022-23766 | Bigfile | Improper Input Validation vulnerability in Bigfile Bigfileagent An improper input validation vulnerability leading to arbitrary file execution was discovered in BigFileAgent. | 8.8 |
2022-09-19 | CVE-2022-38577 | Processmaker | Improper Preservation of Permissions vulnerability in Processmaker 3.0.1.7/3.4.11 ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. | 8.8 |
2022-09-19 | CVE-2022-38618 | Bpcbt | SQL Injection vulnerability in Bpcbt Smartvista 2.2.22 SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/country_group.jsf. | 8.8 |
2022-09-19 | CVE-2022-2958 | Badgeos | Unspecified vulnerability in Badgeos Badgos The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections | 8.8 |
2022-09-19 | CVE-2022-3141 | Cozmoslabs | Unspecified vulnerability in Cozmoslabs Translatepress The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. | 8.8 |
2022-09-19 | CVE-2022-3142 | Basixonline | Unspecified vulnerability in Basixonline Nex-Forms The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. | 8.8 |
2022-09-19 | CVE-2022-38617 | Bpcbt | SQL Injection vulnerability in Bpcbt Smartvista 2.2.22 SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the voiceAudit:j_id97 parameter at /SVFE2/pages/audit/voiceaudit.jsf. | 8.8 |
2022-09-20 | CVE-2022-30579 | Tibco | Server-Side Request Forgery (SSRF) vulnerability in Tibco Spotfire Analytics Platform and Spotfire Server The Web Player component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a difficult to exploit vulnerability that allows a low privileged attacker with network access to execute blind Server Side Request Forgery (SSRF) on the affected system. | 8.4 |
2022-09-23 | CVE-2022-35893 | Insyde | Improper Input Validation vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. | 8.2 |
2022-09-23 | CVE-2022-36338 | Insyde | Unspecified vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. | 8.2 |
2022-09-22 | CVE-2022-35408 | Insyde | Unspecified vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. | 8.2 |
2022-09-21 | CVE-2022-35895 | Insyde | Out-of-bounds Write vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. | 8.2 |
2022-09-21 | CVE-2022-2881 | ISC | Out-of-bounds Read vulnerability in ISC Bind The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process. | 8.2 |
2022-09-20 | CVE-2022-26873 | Intel AMI | Out-of-bounds Write vulnerability in multiple products A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. | 8.2 |
2022-09-20 | CVE-2022-40261 | Intel AMI | Classic Buffer Overflow vulnerability in multiple products An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. | 8.2 |
2022-09-20 | CVE-2022-40262 | AMI Intel | Out-of-bounds Write vulnerability in multiple products A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. | 8.2 |
2022-09-23 | CVE-2020-36604 | Hapijs | Unspecified vulnerability in Hapijs Hoek hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. | 8.1 |
2022-09-21 | CVE-2022-40616 | IBM | Unspecified vulnerability in IBM Maximo Asset Management 7.6.1.1/7.6.1.2/7.6.1.3 IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3 could allow a user to bypass authentication and obtain sensitive information or perform tasks they should not have access to. | 8.1 |
2022-09-21 | CVE-2022-41243 | Jenkins | Improper Certificate Validation vulnerability in Jenkins Smalltest Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections. | 8.1 |
2022-09-21 | CVE-2022-41244 | Jenkins | Improper Certificate Validation vulnerability in Jenkins View26 Test-Reporting Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections. | 8.1 |
2022-09-21 | CVE-2022-41232 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Build-Publisher A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint. | 8.0 |
2022-09-25 | CVE-2022-3297 | VIM Fedoraproject | Use After Free in GitHub repository vim/vim prior to 9.0.0579. | 7.8 |
2022-09-25 | CVE-2022-3296 | VIM Fedoraproject | Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577. | 7.8 |
2022-09-23 | CVE-2022-32814 | Apple | Type Confusion vulnerability in Apple products A type confusion issue was addressed with improved state handling. | 7.8 |
2022-09-23 | CVE-2022-32796 | Apple | Out-of-bounds Write vulnerability in Apple Macos A memory corruption issue was addressed with improved state management. | 7.8 |
2022-09-23 | CVE-2022-32798 | Apple | Out-of-bounds Write vulnerability in Apple Macos An out-of-bounds write issue was addressed with improved input validation. | 7.8 |
2022-09-23 | CVE-2022-32801 | Apple | Unspecified vulnerability in Apple Macos This issue was addressed with improved checks. | 7.8 |
2022-09-23 | CVE-2022-32815 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 7.8 |
2022-09-23 | CVE-2022-32819 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved state management. | 7.8 |
2022-09-23 | CVE-2022-32820 | Apple | Out-of-bounds Write vulnerability in Apple products An out-of-bounds write issue was addressed with improved input validation. | 7.8 |
2022-09-23 | CVE-2022-32821 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved validation. | 7.8 |
2022-09-23 | CVE-2022-32826 | Apple | Unspecified vulnerability in Apple products An authorization issue was addressed with improved state management. | 7.8 |
2022-09-23 | CVE-2022-32829 | Apple | Unspecified vulnerability in Apple Iphone OS and Macos This issue was addressed with improved checks. | 7.8 |
2022-09-23 | CVE-2022-32842 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read issue was addressed with improved input validation. | 7.8 |
2022-09-23 | CVE-2022-3263 | Measuresoft | Incorrect Default Permissions vulnerability in Measuresoft Scadapro Server 6.7 The security descriptor of Measuresoft ScadaPro Server version 6.7 has inconsistent permissions, which could allow a local user with limited privileges to modify the service binary path and start malicious commands with SYSTEM privileges. | 7.8 |
2022-09-23 | CVE-2022-27492 | Integer Underflow (Wrap or Wraparound) vulnerability in Whatsapp An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. | 7.8 | |
2022-09-23 | CVE-2022-35257 | UI | Unspecified vulnerability in UI Desktop 0.55.1.2 A local privilege escalation vulnerability in UI Desktop for Windows (Version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device with UI Desktop to run arbitrary commands as SYSTEM. | 7.8 |
2022-09-23 | CVE-2022-2566 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg 5.1 A heap out-of-bounds memory write exists in FFMPEG since version 5.1. | 7.8 |
2022-09-23 | CVE-2022-41322 | Kitty Project Fedoraproject | Improper Encoding or Escaping of Output vulnerability in multiple products In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. | 7.8 |
2022-09-23 | CVE-2022-30426 | Acer | Out-of-bounds Write vulnerability in Acer products There is a stack buffer overflow vulnerability, which could lead to arbitrary code execution in UEFI DXE driver on some Acer products. | 7.8 |
2022-09-22 | CVE-2022-37234 | Netgear | Out-of-bounds Write vulnerability in Netgear R7000 Firmware 1.0.11.13410.2.119 Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to Buffer Overflow via the wl binary in firmware. | 7.8 |
2022-09-22 | CVE-2022-3256 | VIM Fedoraproject Debian | Use After Free in GitHub repository vim/vim prior to 9.0.0530. | 7.8 |
2022-09-21 | CVE-2022-39224 | Ruby ARR PM Project | OS Command Injection vulnerability in Ruby-Arr-Pm Project Ruby-Arr-Pm Arr-pm is an RPM reader/writer library written in Ruby. | 7.8 |
2022-09-21 | CVE-2022-38928 | Xpdfreader | NULL Pointer Dereference vulnerability in Xpdfreader Xpdf 4.04 XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393. | 7.8 |
2022-09-20 | CVE-2022-28637 | HPE | Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71 A local Denial of Service (DoS) and local arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability were discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71. | 7.8 |
2022-09-20 | CVE-2022-28638 | HPE | Unspecified vulnerability in HPE Integrated Lights-Out 5 Firmware 2.63/2.71 An isolated local disclosure of information and potential isolated local arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability were discovered in HPE Integrated Lights-Out 5 (iLO 5) in Version: 2.71. | 7.8 |
2022-09-20 | CVE-2022-32802 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved checks. | 7.8 |
2022-09-20 | CVE-2022-32908 | Apple | Out-of-bounds Write vulnerability in Apple products A memory corruption issue was addressed with improved input validation. | 7.8 |
2022-09-20 | CVE-2022-32911 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 7.8 |
2022-09-20 | CVE-2022-32917 | Apple | Out-of-bounds Write vulnerability in Apple Ipados and Iphone OS The issue was addressed with improved bounds checks. | 7.8 |
2022-09-20 | CVE-2022-37877 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability in the ClearPass OnGuard macOS agent could allow malicious users on a macOS instance to elevate their user privileges. | 7.8 |
2022-09-19 | CVE-2022-38532 | MSI | Unspecified vulnerability in MSI Center 1.0.50.0 Micro-Star International Co., Ltd MSI Center 1.0.50.0 was discovered to contain a vulnerability in the component C_Features of MSI.CentralServer.exe. | 7.8 |
2022-09-19 | CVE-2022-3239 | Linux | Use After Free vulnerability in Linux Kernel A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. | 7.8 |
2022-09-19 | CVE-2022-34893 | Trendmicro | Link Following vulnerability in Trendmicro Security 12.0 Trend Micro Security 2022 (consumer) has a link following vulnerability where an attacker with lower privileges could manipulate a mountpoint which could lead to escalation of privilege on an affected machine. | 7.8 |
2022-09-19 | CVE-2022-38764 | Trendmicro | Incorrect Default Permissions vulnerability in Trendmicro Housecall 1.62.1.1133 A vulnerability on Trend Micro HouseCall version 1.62.1.1133 and below could allow a local attacker to escalate privlieges due to an overly permissive folder om the product installer. | 7.8 |
2022-09-19 | CVE-2022-40142 | Trendmicro | Improper Privilege Management vulnerability in Trendmicro Apex ONE 2019 A security link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service agents could allow a local attacker to create a writable folder in an arbitrary location and escalate privileges on affected installations. | 7.8 |
2022-09-19 | CVE-2022-29908 | Fabasoft | Improper Certificate Validation vulnerability in Fabasoft Cloud Enterprise Client 22.4.0043 The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation. | 7.8 |
2022-09-19 | CVE-2022-35699 | Adobe | Unspecified vulnerability in Adobe Bridge Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2022-09-19 | CVE-2022-35700 | Adobe | Unspecified vulnerability in Adobe Bridge Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2022-09-19 | CVE-2022-35701 | Adobe | Unspecified vulnerability in Adobe Bridge Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. | 7.8 |
2022-09-19 | CVE-2022-35702 | Adobe | Unspecified vulnerability in Adobe Bridge Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. | 7.8 |
2022-09-19 | CVE-2022-35703 | Adobe | Unspecified vulnerability in Adobe Bridge Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. | 7.8 |
2022-09-19 | CVE-2022-40978 | Jetbrains | Uncontrolled Search Path Element vulnerability in Jetbrains Intellij Idea The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking | 7.8 |
2022-09-25 | CVE-2022-41343 | Dompdf Project | Files or Directories Accessible to External Parties vulnerability in Dompdf Project Dompdf registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule. | 7.5 |
2022-09-24 | CVE-2022-41340 | Secp256K1 JS Project | Improper Verification of Cryptographic Signature vulnerability in Secp256K1-Js Project Secp256K1-Js 1.0.0/1.0.1 The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery. | 7.5 |
2022-09-24 | CVE-2022-23464 | Nepxion | Unspecified vulnerability in Nepxion Discovery Nepxion Discovery is a solution for Spring Cloud. | 7.5 |
2022-09-23 | CVE-2022-32790 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 7.5 |
2022-09-23 | CVE-2022-40101 | Tenda | Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterSet function. | 7.5 |
2022-09-23 | CVE-2022-40102 | Tenda | Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formwrlSSIDset function. | 7.5 |
2022-09-23 | CVE-2022-40104 | Tenda | Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formwrlSSIDget function. | 7.5 |
2022-09-23 | CVE-2022-40105 | Tenda | Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterGet function. | 7.5 |
2022-09-23 | CVE-2022-40106 | Tenda | Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the set_local_time function. | 7.5 |
2022-09-23 | CVE-2022-40107 | Tenda | Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formexeCommand function. | 7.5 |
2022-09-23 | CVE-2022-40629 | Tacitine | Unspecified vulnerability in Tacitine products This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to insecure design in the Tacitine Firewall web-based management interface. | 7.5 |
2022-09-23 | CVE-2022-2971 | MZ Automation | Type Confusion vulnerability in Mz-Automation Libiec61850 MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) accesses a resource using an incompatible type, which could allow an attacker to crash the server with a malicious payload. | 7.5 |
2022-09-23 | CVE-2022-2973 | MZ Automation | NULL Pointer Dereference vulnerability in Mz-Automation Libiec61850 MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) uses a NULL pointer in certain situations. | 7.5 |
2022-09-23 | CVE-2022-40188 | NIC Fedoraproject Debian | Algorithmic Complexity vulnerability in multiple products Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. | 7.5 |
2022-09-23 | CVE-2022-40194 | Cusrev | Unspecified vulnerability in Cusrev Customer Reviews for Woocommerce Unauthenticated Sensitive Information Disclosure vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress | 7.5 |
2022-09-23 | CVE-2022-38936 | PBC Project | Unchecked Return Value vulnerability in PBC Project PBC An issue has been found in PBC through 2022-8-27. | 7.5 |
2022-09-22 | CVE-2022-34026 | Icecoder | Path Traversal vulnerability in Icecoder 8.1 ICEcoder v8.1 allows attackers to execute a directory traversal. | 7.5 |
2022-09-22 | CVE-2022-1941 | Google Fedoraproject Debian | A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. | 7.5 |
2022-09-22 | CVE-2022-40146 | Apache Debian | Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. | 7.5 |
2022-09-22 | CVE-2022-40705 | Apache | XXE vulnerability in Apache Soap 2.2/2.3 An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. | 7.5 |
2022-09-22 | CVE-2022-28981 | Liferay | Path Traversal vulnerability in Liferay Portal 7.4.0/7.4.1/7.4.2 Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter. | 7.5 |
2022-09-21 | CVE-2022-23948 | Keylime | Unspecified vulnerability in Keylime A flaw was found in Keylime before 6.3.0. | 7.5 |
2022-09-21 | CVE-2022-23949 | Keylime | Authentication Bypass by Spoofing vulnerability in Keylime In Keylime before 6.3.0, unsanitized UUIDs can be passed by a rogue agent and can lead to log spoofing on the verifier and registrar. | 7.5 |
2022-09-21 | CVE-2022-23950 | Keylime | Exposure of Resource to Wrong Sphere vulnerability in Keylime In Keylime before 6.3.0, Revocation Notifier uses a fixed /tmp path for UNIX domain socket which can allow unprivileged users a method to prohibit keylime operations. | 7.5 |
2022-09-21 | CVE-2022-23952 | Keylime | Unspecified vulnerability in Keylime In Keylime before 6.3.0, current keylime installer installs the keylime.conf file, which can contain sensitive data, as world-readable. | 7.5 |
2022-09-21 | CVE-2022-3252 | Apple | Infinite Loop vulnerability in Apple Swift-Nio-Extras Improper detection of complete HTTP body decompression SwiftNIO Extras provides a pair of helpers for transparently decompressing received HTTP request or response bodies. | 7.5 |
2022-09-21 | CVE-2022-2906 | ISC | Memory Leak vulnerability in ISC Bind An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. | 7.5 |
2022-09-21 | CVE-2022-38177 | ISC Debian Fedoraproject Netapp | Memory Leak vulnerability in multiple products By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. | 7.5 |
2022-09-21 | CVE-2022-38178 | ISC Debian Fedoraproject Netapp | Memory Leak vulnerability in multiple products By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. | 7.5 |
2022-09-21 | CVE-2022-3080 | ISC Fedoraproject | By sending specific queries to the resolver, an attacker can cause named to crash. | 7.5 |
2022-09-21 | CVE-2022-40604 | Apache | Use of Externally-Controlled Format String vulnerability in Apache Airflow In Apache Airflow 2.3.0 through 2.3.4, part of a url was unnecessarily formatted, allowing for possible information extraction. | 7.5 |
2022-09-21 | CVE-2022-39221 | Mcwebserver Minecraft MOD FOR Forge Project Mcwebserver Minecraft MOD FOR Fabric AND Quilt Project | McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. | 7.5 |
2022-09-20 | CVE-2022-37395 | Huawei | Improper Input Validation vulnerability in Huawei Cv81-Wdm FW Firmware 01.70.49.29.46 A Huawei device has an input verification vulnerability. | 7.5 |
2022-09-20 | CVE-2022-37884 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager A vulnerability exists in the ClearPass Policy Manager Guest User Interface that can allow an unauthenticated attacker to send specific operations which result in a Denial-of-Service condition. | 7.5 |
2022-09-20 | CVE-2022-39218 | Fastly | Unspecified vulnerability in Fastly Js-Compute The JS Compute Runtime for Fastly's Compute@Edge platform provides the environment JavaScript is executed in when using the Compute@Edge JavaScript SDK. | 7.5 |
2022-09-20 | CVE-2016-20015 | Smokeping | Unspecified vulnerability in Smokeping In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript allows the smokeping user to gain ownership of any file, allowing for the smokeping user to gain root privileges. | 7.5 |
2022-09-20 | CVE-2022-37259 | Stealjs | Unspecified vulnerability in Stealjs Steal 2.2.4 A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js. | 7.5 |
2022-09-20 | CVE-2022-38955 | Netgear | Improper Validation of Integrity Check Value vulnerability in Netgear Wpn824Ext Firmware 1.1.11.1.9 An exploitable firmware modification vulnerability was discovered on the Netgear WPN824EXT WiFi Range Extender. | 7.5 |
2022-09-20 | CVE-2022-39974 | Wasm3 Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Wasm3 Project Wasm3 0.5.0 WASM3 v0.5.0 was discovered to contain a segmentation fault via the component op_Select_i32_srs in wasm3/source/m3_exec.h. | 7.5 |
2022-09-20 | CVE-2022-34917 | Apache | Allocation of Resources Without Limits or Throttling vulnerability in Apache Kafka 2.8.0/2.8.1/3.0.0 A security vulnerability has been identified in Apache Kafka. | 7.5 |
2022-09-20 | CVE-2022-39957 | Owasp Fedoraproject Debian | Improper Encoding or Escaping of Output vulnerability in multiple products The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. | 7.5 |
2022-09-20 | CVE-2022-39958 | Owasp Fedoraproject Debian | Improper Encoding or Escaping of Output vulnerability in multiple products The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. | 7.5 |
2022-09-19 | CVE-2022-28203 | Mediawiki Debian | Release of Invalid Pointer or Reference vulnerability in multiple products A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. | 7.5 |
2022-09-19 | CVE-2022-28204 | Mediawiki | Unspecified vulnerability in Mediawiki 1.37.0/1.37.1 A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. | 7.5 |
2022-09-19 | CVE-2022-40141 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE 2019 A vulnerability in Trend Micro Apex One and Apex One as a Service could allow an attacker to intercept and decode certain communication strings that may contain some identification attributes of a particular Apex One server. | 7.5 |
2022-09-19 | CVE-2022-40608 | IBM | Path Traversal vulnerability in IBM Spectrum Protect Plus IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File Systems restore operation can download any file on the target machine by manipulating the URL with a directory traversal attack. | 7.5 |
2022-09-19 | CVE-2022-38333 | Openwrt | Out-of-bounds Read vulnerability in Openwrt Openwrt before v21.02.3 and Openwrt v22.03.0-rc6 were discovered to contain two skip loops in the function header_value(). | 7.5 |
2022-09-19 | CVE-2022-40468 | Tinyproxy Project | Insecure Default Initialization of Resource vulnerability in Tinyproxy Project Tinyproxy Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. | 7.5 |
2022-09-19 | CVE-2022-37700 | Easycorp | Path Traversal vulnerability in Easycorp Zentao 15.0 Zentao Demo15 is vulnerable to Directory Traversal. | 7.5 |
2022-09-19 | CVE-2022-40067 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetVirtualSer. | 7.5 |
2022-09-19 | CVE-2022-40068 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetQosBand. | 7.5 |
2022-09-19 | CVE-2022-40069 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 ]Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetSysTime. | 7.5 |
2022-09-19 | CVE-2022-40070 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via bin/httpd, function: formSetFirewallCfg. | 7.5 |
2022-09-19 | CVE-2022-40071 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, formSetDeviceName. | 7.5 |
2022-09-19 | CVE-2022-40072 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: setSmartPowerManagement. | 7.5 |
2022-09-19 | CVE-2022-40073 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, saveParentControlInfo. | 7.5 |
2022-09-19 | CVE-2022-40074 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, setSchedWifi. | 7.5 |
2022-09-19 | CVE-2022-40075 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, form_fast_setting_wifi_set. | 7.5 |
2022-09-19 | CVE-2022-40076 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac21 Firmware 16.03.08.15 Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetWifiGusetBasic. | 7.5 |
2022-09-19 | CVE-2022-40143 | Trendmicro | Link Following vulnerability in Trendmicro Apex ONE 2019 A link following local privilege escalation vulnerability in Trend Micro Apex One and Trend Micro Apex One as a Service servers could allow a local attacker to abuse an insecure directory that could allow a low-privileged user to run arbitrary code with elevated privileges. | 7.3 |
2022-09-23 | CVE-2022-40861 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19(6318) Tenda AC18 router V15.03.05.19 contains a stack overflow vulnerability in the formSetQosBand->FUN_0007db78 function with the request /goform/SetNetControlList/ | 7.2 |
2022-09-23 | CVE-2022-40091 | Online Tours AND Travels Management System Project | SQL Injection vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0 Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tour/admin/update_packages.php. | 7.2 |
2022-09-23 | CVE-2022-40092 | Online Tours AND Travels Management System Project | SQL Injection vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0 Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tour/admin/update_payment.php. | 7.2 |
2022-09-23 | CVE-2022-40093 | Online Tours AND Travels Management System Project | SQL Injection vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0 Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tour/admin/update_tax.php. | 7.2 |
2022-09-22 | CVE-2022-40933 | Online PET Shop WEB Application Project | SQL Injection vulnerability in Online PET Shop web Application Project Online PET Shop web Application 1.0 Online Pet Shop We App v1.0 by oretnom23 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_order,id. | 7.2 |
2022-09-22 | CVE-2022-40934 | Online PET Shop WEB Application Project | SQL Injection vulnerability in Online PET Shop web Application Project Online PET Shop web Application 1.0 Online Pet Shop We App v1.0 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_sub_category,id | 7.2 |
2022-09-22 | CVE-2022-40935 | Online PET Shop WEB Application Project | SQL Injection vulnerability in Online PET Shop web Application Project Online PET Shop web Application 1.0 Online Pet Shop We App v1.0 is vulnerable to SQL Injection via /pet_shop/classes/Master.php?f=delete_category,id. | 7.2 |
2022-09-22 | CVE-2022-40932 | Phpgurukul | Unrestricted Upload of File with Dangerous Type vulnerability in PHPgurukul ZOO Management System 1.0 In Zoo Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "gallery" file of the "Gallery" module in the background management system. | 7.2 |
2022-09-22 | CVE-2022-40446 | Zzcms | SQL Injection vulnerability in Zzcms 2022 ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=. | 7.2 |
2022-09-22 | CVE-2022-40447 | Zzcms | SQL Injection vulnerability in Zzcms 2022 ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php. | 7.2 |
2022-09-21 | CVE-2022-36386 | Soflyy | Unrestricted Upload of File with Dangerous Type vulnerability in Soflyy WP ALL Import Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress. | 7.2 |
2022-09-21 | CVE-2022-40217 | Xplodedthemes | Unrestricted Upload of File with Dangerous Type vulnerability in Xplodedthemes Wpide Authenticated (admin+) Arbitrary File Edit/Upload vulnerability in XplodedThemes WPide plugin <= 2.6 at WordPress. | 7.2 |
2022-09-21 | CVE-2022-40026 | Simple Task Managing System Project | SQL Injection vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0 SourceCodester Simple Task Managing System v1.0 was discovered to contain a SQL injection vulnerability via the bookId parameter at board.php. | 7.2 |
2022-09-21 | CVE-2022-37027 | Ahsay | Argument Injection or Modification vulnerability in Ahsay Cloud Backup Suite 9.1.4.0 Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. | 7.2 |
2022-09-20 | CVE-2022-37878 | Arubanetworks | OS Command Injection vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. | 7.2 |
2022-09-20 | CVE-2022-37879 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. | 7.2 |
2022-09-20 | CVE-2022-37880 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. | 7.2 |
2022-09-20 | CVE-2022-37881 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. | 7.2 |
2022-09-20 | CVE-2022-37882 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. | 7.2 |
2022-09-20 | CVE-2022-37883 | Arubanetworks | Unspecified vulnerability in Arubanetworks Clearpass Policy Manager Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. | 7.2 |
2022-09-20 | CVE-2022-38340 | Safe | Path Traversal vulnerability in Safe FME Server Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a Path Traversal vulnerability via the component fmedataupload. | 7.2 |
2022-09-20 | CVE-2022-40246 | Intel | Out-of-bounds Write vulnerability in Intel products A potential attacker can write one byte by arbitrary address at the time of the PEI phase (only during S3 resume boot mode) and influence the subsequent boot stages. | 7.2 |
2022-09-19 | CVE-2022-38576 | Interview Management System Project | SQL Injection vulnerability in Interview Management System Project Interview Management System 1.0 Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=deletecand&id=. | 7.2 |
2022-09-19 | CVE-2022-40139 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE 2019 Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow a Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. | 7.2 |
2022-09-23 | CVE-2020-36521 | Apple | Out-of-bounds Read vulnerability in Apple products An out-of-bounds read was addressed with improved input validation. | 7.1 |
2022-09-23 | CVE-2022-32797 | Apple | Unspecified vulnerability in Apple mac OS X and Macos This issue was addressed with improved checks. | 7.1 |
2022-09-23 | CVE-2022-32807 | Apple | Unspecified vulnerability in Apple mac OS X and Macos This issue was addressed with improved file handling. | 7.1 |
2022-09-23 | CVE-2022-32831 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read was addressed with improved bounds checking. | 7.1 |
2022-09-23 | CVE-2022-32843 | Apple | Out-of-bounds Write vulnerability in Apple mac OS X and Macos An out-of-bounds write issue was addressed with improved bounds checking. | 7.1 |
2022-09-23 | CVE-2022-32851 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read issue was addressed with improved input validation. | 7.1 |
2022-09-23 | CVE-2022-32852 | Apple | Out-of-bounds Read vulnerability in Apple Macos An out-of-bounds read issue was addressed with improved input validation. | 7.1 |
2022-09-23 | CVE-2022-32853 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read issue was addressed with improved input validation. | 7.1 |
2022-09-23 | CVE-2022-34348 | IBM | XXE vulnerability in IBM Sterling Partner Engagement Manager 6.1/6.1.2/6.2.1.0 IBM Sterling Partner Engagement Manager 6.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. | 7.1 |
2022-09-23 | CVE-2022-2347 | Denx | Out-of-bounds Write vulnerability in Denx U-Boot There exists an unchecked length field in UBoot. | 7.1 |
2022-09-23 | CVE-2021-41803 | Hashicorp | Missing Authorization vulnerability in Hashicorp Consul HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. | 7.1 |
2022-09-19 | CVE-2022-2995 | Kubernetes | Incorrect Permission Assignment for Critical Resource vulnerability in Kubernetes Cri-O 1.25.0 Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. | 7.1 |
2022-09-19 | CVE-2022-38341 | Safe | Unspecified vulnerability in Safe FME Server 2021.2.3 Safe Software FME Server v2021.2.5 and below does not employ server-side validation. | 7.1 |
2022-09-21 | CVE-2022-41222 | Linux Debian Netapp Canonical | Use After Free vulnerability in multiple products mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. | 7.0 |
240 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-09-23 | CVE-2022-30124 | Rocket Chat | Improper Authentication vulnerability in Rocket.Chat An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with physical access to a mobile device to bypass local authentication (PIN code). | 6.8 |
2022-09-20 | CVE-2021-33076 | Intel | Improper Authentication vulnerability in Intel products Improper authentication in firmware for some Intel(R) SSD DC Products may allow an unauthenticated user to potentially enable escalation of privilege via physical access. | 6.8 |
2022-09-23 | CVE-2022-32832 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 6.7 |
2022-09-23 | CVE-2022-30121 | Ivanti | Unspecified vulnerability in Ivanti Endpoint Manager The “LANDesk(R) Management Agent” service exposes a socket and once connected, it is possible to launch commands only for signed executables. | 6.7 |
2022-09-23 | CVE-2021-3782 | Wayland | Integer Overflow or Wraparound vulnerability in Wayland An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. | 6.6 |
2022-09-20 | CVE-2022-35957 | Grafana Fedoraproject | Grafana is an open-source platform for monitoring and observability. | 6.6 |
2022-09-23 | CVE-2022-32220 | Rocket Chat | Missing Authorization vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | 6.5 |
2022-09-23 | CVE-2022-32227 | Rocket Chat | Cleartext Transmission of Sensitive Information vulnerability in Rocket.Chat A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product. | 6.5 |
2022-09-23 | CVE-2022-32816 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved UI handling. | 6.5 |
2022-09-23 | CVE-2022-3257 | Mattermost | Unrestricted Upload of File with Dangerous Type vulnerability in Mattermost Server Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service. | 6.5 |
2022-09-23 | CVE-2022-40716 | Hashicorp | Unchecked Return Value vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. | 6.5 |
2022-09-23 | CVE-2022-24280 | Apache | Improper Input Validation vulnerability in Apache Pulsar Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. | 6.5 |
2022-09-23 | CVE-2022-39230 | Amazon | Unspecified vulnerability in Amazon Fhir-Works-On-Aws-Authz-Smart 3.1.0/3.1.1/3.1.2 fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. | 6.5 |
2022-09-23 | CVE-2022-41320 | Veritas | Insecure Storage of Sensitive Information vulnerability in Veritas System Recovery Veritas System Recovery (VSR) versions 18 and 21 store a network destination password in the Windows registry during configuration of the backup configuration. | 6.5 |
2022-09-22 | CVE-2022-35021 | Otfcc Project | Classic Buffer Overflow vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a global buffer overflow via /release-x64/otfccdump+0x718693. | 6.5 |
2022-09-22 | CVE-2022-35022 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6badae. | 6.5 |
2022-09-22 | CVE-2022-35023 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /lib/x86_64-linux-gnu/libc.so.6+0xbb384. | 6.5 |
2022-09-22 | CVE-2022-35024 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /multiarch/memmove-vec-unaligned-erms.S. | 6.5 |
2022-09-22 | CVE-2022-35025 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x5266a8. | 6.5 |
2022-09-22 | CVE-2022-35026 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fbc0b. | 6.5 |
2022-09-22 | CVE-2022-35027 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fe9a7. | 6.5 |
2022-09-22 | CVE-2022-35028 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fbbb6. | 6.5 |
2022-09-22 | CVE-2022-35029 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6babea. | 6.5 |
2022-09-22 | CVE-2022-35030 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x4fe954. | 6.5 |
2022-09-22 | CVE-2022-35031 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x703969. | 6.5 |
2022-09-22 | CVE-2022-35032 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x6b6a8f. | 6.5 |
2022-09-22 | CVE-2022-35034 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e7e3d. | 6.5 |
2022-09-22 | CVE-2022-35035 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b559f. | 6.5 |
2022-09-22 | CVE-2022-35036 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e1fc8. | 6.5 |
2022-09-22 | CVE-2022-35037 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6adb1e. | 6.5 |
2022-09-22 | CVE-2022-35038 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b064d. | 6.5 |
2022-09-22 | CVE-2022-35039 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e20a0. | 6.5 |
2022-09-22 | CVE-2022-38512 | Liferay | Missing Authorization vulnerability in Liferay DXP and Liferay Portal The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL. | 6.5 |
2022-09-21 | CVE-2022-41246 | Jenkins | Missing Authorization vulnerability in Jenkins Worksoft Execution Manager A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-09-21 | CVE-2022-41250 | Jenkins | Missing Authorization vulnerability in Jenkins SCM Httpclient A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-09-21 | CVE-2022-41254 | Jenkins | Missing Authorization vulnerability in Jenkins Cons3Rt 1.0.0 Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 6.5 |
2022-09-21 | CVE-2022-41255 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Cons3Rt 1.0.0 Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | 6.5 |
2022-09-20 | CVE-2022-32880 | Apple | Unspecified vulnerability in Apple Macos This issue was addressed by enabling hardened runtime. | 6.5 |
2022-09-20 | CVE-2022-33735 | Huawei | Improper Restriction of Excessive Authentication Attempts vulnerability in Huawei Ws7200-10 Firmware 11.0.2.13 There is a password verification vulnerability in WS7200-10 11.0.2.13. | 6.5 |
2022-09-20 | CVE-2017-20147 | Smokeping | Unspecified vulnerability in Smokeping In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript uses a PID file that is writable by the smokeping user. | 6.5 |
2022-09-19 | CVE-2022-35060 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0a32. | 6.5 |
2022-09-19 | CVE-2022-35061 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e412a. | 6.5 |
2022-09-19 | CVE-2022-35062 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0bc3. | 6.5 |
2022-09-19 | CVE-2022-35063 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41a8. | 6.5 |
2022-09-19 | CVE-2022-35064 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x4adcdb in __asan_memset. | 6.5 |
2022-09-19 | CVE-2022-35065 | Otfcc Project | Unspecified vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a segmentation violation via /release-x64/otfccdump+0x65f724. | 6.5 |
2022-09-19 | CVE-2022-35066 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41b8. | 6.5 |
2022-09-19 | CVE-2022-35067 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e41b0. | 6.5 |
2022-09-19 | CVE-2022-35068 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6e420d. | 6.5 |
2022-09-19 | CVE-2022-35069 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b544e. | 6.5 |
2022-09-19 | CVE-2022-35070 | Otfcc Project | Out-of-bounds Write vulnerability in Otfcc Project Otfcc 20220603 OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x65fc97. | 6.5 |
2022-09-19 | CVE-2022-40713 | Nokia | Path Traversal vulnerability in Nokia 1350 Optical Management System 14.2 An issue was discovered in NOKIA 1350OMS R14.2. | 6.5 |
2022-09-19 | CVE-2022-40715 | Nokia | Path Traversal vulnerability in Nokia 1350 Optical Management System 14.2 An issue was discovered in NOKIA 1350OMS R14.2. | 6.5 |
2022-09-24 | CVE-2022-23461 | Xdsoft | Unspecified vulnerability in Xdsoft Jodit Editor Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. | 6.1 |
2022-09-23 | CVE-2022-40359 | KFM Project | Cross-site Scripting vulnerability in KFM Project KFM Cross site scripting (XSS) vulnerability in kfm through 1.4.7 via crafted GET request to /kfm/index.php. | 6.1 |
2022-09-23 | CVE-2022-36417 | 3D TAG Cloud Project | Unspecified vulnerability in 3D TAG Cloud Project 3D TAG Cloud Multiple Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in 3D Tag Cloud plugin <= 3.8 at WordPress. | 6.1 |
2022-09-23 | CVE-2022-40193 | Brinidesigner | Unspecified vulnerability in Brinidesigner Awesome Filterable Portfolio Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Awesome Filterable Portfolio plugin <= 1.9.7 at WordPress. | 6.1 |
2022-09-23 | CVE-2022-41319 | Veritas | Cross-site Scripting vulnerability in Veritas Desktop and Laptop Option A Reflected Cross-Site Scripting (XSS) vulnerability affects the Veritas Desktop Laptop Option (DLO) application login page (aka the DLOServer/restore/login.jsp URI). | 6.1 |
2022-09-22 | CVE-2022-23458 | NHN | Unspecified vulnerability in NHN Toast UI Grid Toast UI Grid is a component to display and edit data. | 6.1 |
2022-09-22 | CVE-2022-40088 | Simple College Website Project | Cross-site Scripting vulnerability in Simple College Website Project Simple College Website 1.0 Simple College Website v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /college_website/index.php?page=. | 6.1 |
2022-09-22 | CVE-2022-28977 | Liferay | Open Redirect vulnerability in Liferay DXP and Liferay Portal HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect. | 6.1 |
2022-09-22 | CVE-2022-28980 | Liferay | Cross-site Scripting vulnerability in Liferay Portal Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix. | 6.1 |
2022-09-22 | CVE-2022-39197 | Helpsystems | Cross-site Scripting vulnerability in Helpsystems Cobalt Strike An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. | 6.1 |
2022-09-22 | CVE-2022-28979 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. | 6.1 |
2022-09-22 | CVE-2022-28982 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag. | 6.1 |
2022-09-21 | CVE-2022-40027 | Simple Task Managing System Project | Cross-site Scripting vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0 SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newTask.php. | 6.1 |
2022-09-21 | CVE-2022-40754 | Apache | Open Redirect vulnerability in Apache Airflow In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. | 6.1 |
2022-09-20 | CVE-2022-39220 | Sftpgo Project | Unspecified vulnerability in Sftpgo Project Sftpgo SFTPGo is an SFTP server written in Go. | 6.1 |
2022-09-20 | CVE-2020-36602 | Huawei | Out-of-bounds Write vulnerability in Huawei products There is an out-of-bounds read and write vulnerability in some headset products. | 6.1 |
2022-09-20 | CVE-2022-3245 | Microweber | Cross-site Scripting vulnerability in Microweber HTML injection attack is closely related to Cross-site Scripting (XSS). | 6.1 |
2022-09-20 | CVE-2022-3242 | Microweber | Cross-site Scripting vulnerability in Microweber Code Injection in GitHub repository microweber/microweber prior to 1.3.2. | 6.1 |
2022-09-19 | CVE-2022-38339 | Safe | Cross-site Scripting vulnerability in Safe FME Server Safe Software FME Server v2021.2.5, v2022.0.0.2 and below contains a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login page. | 6.1 |
2022-09-19 | CVE-2022-38527 | Ucms Project | Cross-site Scripting vulnerability in Ucms Project Ucms 1.6 UCMS v1.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Import function under the Site Management page. | 6.1 |
2022-09-19 | CVE-2022-40712 | Nokia | Cross-site Scripting vulnerability in Nokia 1350 Optical Management System 14.2 An issue was discovered in NOKIA 1350OMS R14.2. | 6.1 |
2022-09-19 | CVE-2022-40714 | Nokia | Cross-site Scripting vulnerability in Nokia 1350 Optical Management System 14.2 An issue was discovered in NOKIA 1350OMS R14.2. | 6.1 |
2022-09-19 | CVE-2022-2753 | Ketchup Restaurant Reservations Project | Unspecified vulnerability in Ketchup Restaurant Reservations Project Ketchup Restaurant Reservations 1.0.0 The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made | 6.1 |
2022-09-22 | CVE-2022-35894 | Insyde | Memory Leak vulnerability in Insyde Insydeh2O An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. | 6.0 |
2022-09-22 | CVE-2022-35896 | Insyde | Improper Input Validation vulnerability in Insyde Insydeh2O An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. | 6.0 |
2022-09-23 | CVE-2022-32799 | Apple | Out-of-bounds Read vulnerability in Apple mac OS X and Macos An out-of-bounds read issue was addressed with improved bounds checking. | 5.9 |
2022-09-23 | CVE-2021-45035 | Velneo | Improper Certificate Validation vulnerability in Velneo Vclient 28.1.3 Velneo vClient on its 28.1.3 version, does not correctly check the certificate of authenticity by default. | 5.9 |
2022-09-23 | CVE-2022-33681 | Apache | Improper Certificate Validation vulnerability in Apache Pulsar Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. | 5.9 |
2022-09-23 | CVE-2022-33682 | Apache | Improper Certificate Validation vulnerability in Apache Pulsar TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. | 5.9 |
2022-09-23 | CVE-2022-33683 | Apache | Improper Certificate Validation vulnerability in Apache Pulsar Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. | 5.9 |
2022-09-20 | CVE-2022-34746 | Zyxel | Insufficient Entropy vulnerability in Zyxel products An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair generation was found in Zyxel GS1900 series firmware versions prior to V2.70. | 5.9 |
2022-09-19 | CVE-2022-40234 | IBM | Exposure of Resource to Wrong Sphere vulnerability in IBM Spectrum Protect Plus Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. | 5.9 |
2022-09-23 | CVE-2022-38061 | Apasionados | Improper Neutralization of Formula Elements in a CSV File vulnerability in Apasionados Export Post Info Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress. | 5.7 |
2022-09-21 | CVE-2022-41231 | Jenkins | Path Traversal vulnerability in Jenkins Build-Publisher Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint. | 5.7 |
2022-09-23 | CVE-2022-3278 | VIM Fedoraproject | NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552. | 5.5 |
2022-09-23 | CVE-2022-26707 | Apple | Improper Input Validation vulnerability in Apple Macos An issue in the handling of environment variables was addressed with improved validation. | 5.5 |
2022-09-23 | CVE-2022-28886 | F Secure | Infinite Loop vulnerability in F-Secure products A Denial-of-Service vulnerability was discovered in the F-Secure and WithSecure products where aerdl.so/aerdl.dll may go into an infinite loop when unpacking PE files. | 5.5 |
2022-09-23 | CVE-2022-32783 | Apple | Unspecified vulnerability in Apple Macos A logic issue was addressed with improved checks. | 5.5 |
2022-09-23 | CVE-2022-32785 | Apple | NULL Pointer Dereference vulnerability in Apple products A null pointer dereference was addressed with improved validation. | 5.5 |
2022-09-23 | CVE-2022-32786 | Apple | Unspecified vulnerability in Apple mac OS X and Macos An issue in the handling of environment variables was addressed with improved validation. | 5.5 |
2022-09-23 | CVE-2022-32789 | Apple | Unspecified vulnerability in Apple Macos A logic issue was addressed with improved checks. | 5.5 |
2022-09-23 | CVE-2022-32800 | Apple | Unspecified vulnerability in Apple mac OS X and Macos This issue was addressed with improved checks. | 5.5 |
2022-09-23 | CVE-2022-32805 | Apple | Unspecified vulnerability in Apple mac OS X and Macos The issue was addressed with improved handling of caches. | 5.5 |
2022-09-23 | CVE-2022-32817 | Apple | Out-of-bounds Read vulnerability in Apple products An out-of-bounds read issue was addressed with improved bounds checking. | 5.5 |
2022-09-23 | CVE-2022-32818 | Apple | Unspecified vulnerability in Apple Macos The issue was addressed with improved memory handling. | 5.5 |
2022-09-23 | CVE-2022-32823 | Apple | Improper Initialization vulnerability in Apple products A memory initialization issue was addressed with improved memory handling. | 5.5 |
2022-09-23 | CVE-2022-32825 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 5.5 |
2022-09-23 | CVE-2022-32828 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 5.5 |
2022-09-23 | CVE-2022-32841 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 5.5 |
2022-09-23 | CVE-2022-32848 | Apple | Unspecified vulnerability in Apple Macos A logic issue was addressed with improved checks. | 5.5 |
2022-09-23 | CVE-2022-32849 | Apple | Unspecified vulnerability in Apple products An information disclosure issue was addressed by removing the vulnerable code. | 5.5 |
2022-09-23 | CVE-2022-40103 | Tenda | Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.8(3828) Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formSetAutoPing function. | 5.5 |
2022-09-23 | CVE-2022-22423 | IBM | Improper Input Validation vulnerability in IBM Common Cryptographic Architecture IBM Common Cryptographic Architecture (CCA 5.x MTM for 4767 and CCA 7.x MTM for 4769) could allow a local user to cause a denial of service due to improper input validation. | 5.5 |
2022-09-23 | CVE-2022-35091 | Swftools | Incorrect Comparison vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a floating point exception (FPE) via DCTStream::readMCURow() at /xpdf/Stream.cc.ow() | 5.5 |
2022-09-23 | CVE-2022-35092 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a segmentation violation via convert_gfxline at /gfxpoly/convert.c. | 5.5 |
2022-09-23 | CVE-2022-35093 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a global buffer overflow via DCTStream::transformDataUnit at /xpdf/Stream.cc. | 5.5 |
2022-09-23 | CVE-2022-35094 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via DCTStream::readHuffSym(DCTHuffTable*) at /xpdf/Stream.cc. | 5.5 |
2022-09-23 | CVE-2022-35095 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a segmentation violation via InfoOutputDev::type3D1 at /pdf/InfoOutputDev.cc. | 5.5 |
2022-09-23 | CVE-2022-35096 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via draw_stroke at /gfxpoly/stroke.c. | 5.5 |
2022-09-23 | CVE-2022-35097 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a segmentation violation via FoFiTrueType::writeTTF at /xpdf/FoFiTrueType.cc. | 5.5 |
2022-09-23 | CVE-2022-35098 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via GfxICCBasedColorSpace::getDefaultColor(GfxColor*) at /xpdf/GfxState.cc. | 5.5 |
2022-09-23 | CVE-2022-35099 | Swftools | Out-of-bounds Write vulnerability in Swftools 20211216 SWFTools commit 772e55a2 was discovered to contain a stack overflow via ImageStream::getPixel(unsigned char*) at /xpdf/Stream.cc. | 5.5 |
2022-09-23 | CVE-2022-2785 | Linux | Out-of-bounds Read vulnerability in Linux Kernel There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. | 5.5 |
2022-09-21 | CVE-2022-23951 | Keylime | Unspecified vulnerability in Keylime In Keylime before 6.3.0, quote responses from the agent can contain possibly untrusted ZIP data which can lead to zip bombs. | 5.5 |
2022-09-21 | CVE-2022-29799 | Microsoft | Path Traversal vulnerability in Microsoft Windows Defender for Endpoint A vulnerability was found in networkd-dispatcher. | 5.5 |
2022-09-21 | CVE-2022-41218 | Linux Debian | Use After Free vulnerability in multiple products In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. | 5.5 |
2022-09-21 | CVE-2022-35085 | Swftools | Memory Leak vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a memory leak via /lib/mem.c. | 5.5 |
2022-09-21 | CVE-2022-35086 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a segmentation violation via /multiarch/memmove-vec-unaligned-erms.S. | 5.5 |
2022-09-21 | CVE-2022-35087 | Swftools | NULL Pointer Dereference vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a segmentation violation via MovieAddFrame at /src/gif2swf.c. | 5.5 |
2022-09-21 | CVE-2022-35088 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a heap buffer-overflow via getGifDelayTime at /home/bupt/Desktop/swftools/src/src/gif2swf.c. | 5.5 |
2022-09-21 | CVE-2022-35089 | Swftools | Allocation of Resources Without Limits or Throttling vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a heap-buffer-overflow via getTransparentColor at /home/bupt/Desktop/swftools/src/gif2swf. | 5.5 |
2022-09-21 | CVE-2022-35090 | Swftools | Out-of-bounds Write vulnerability in Swftools SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via __asan_memcpy at /asan/asan_interceptors_memintrinsics.cpp:. | 5.5 |
2022-09-20 | CVE-2022-32854 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved checks. | 5.5 |
2022-09-20 | CVE-2022-32864 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 5.5 |
2022-09-20 | CVE-2022-32883 | Apple | Unspecified vulnerability in Apple products A logic issue was addressed with improved restrictions. | 5.5 |
2022-09-20 | CVE-2021-46834 | Huawei | Incorrect Default Permissions vulnerability in Huawei Jad-Al50 Firmware 102.0.0.225(C00E220R3P4) A permission bypass vulnerability in Huawei cross device task management could allow an attacker to access certain resource in the attacked devices. | 5.5 |
2022-09-19 | CVE-2022-37347 | Trendmicro | Out-of-bounds Read vulnerability in Trendmicro Security 12.0 Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine. | 5.5 |
2022-09-19 | CVE-2022-37348 | Trendmicro | Out-of-bounds Read vulnerability in Trendmicro Security 12.0 Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine. | 5.5 |
2022-09-19 | CVE-2022-3213 | Imagemagick Fedoraproject | Out-of-bounds Write vulnerability in multiple products A heap buffer overflow issue was found in ImageMagick. | 5.5 |
2022-09-19 | CVE-2022-40140 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation error vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to cause a denial-of-service on affected installations. | 5.5 |
2022-09-19 | CVE-2022-35709 | Adobe | Unspecified vulnerability in Adobe Bridge Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. | 5.5 |
2022-09-19 | CVE-2022-38425 | Adobe | Use After Free vulnerability in Adobe Bridge Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. | 5.5 |
2022-09-24 | CVE-2022-39240 | Mygraph Project | Cross-site Scripting vulnerability in Mygraph Project Mygraph MyGraph is a permission management system. | 5.4 |
2022-09-23 | CVE-2022-35251 | Rocket Chat | Cross-site Scripting vulnerability in Rocket.Chat A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the content of targeted users. | 5.4 |
2022-09-23 | CVE-2022-38438 | Adobe | Unspecified vulnerability in Adobe Experience Manager Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2022-09-23 | CVE-2022-38439 | Adobe | Unspecified vulnerability in Adobe Experience Manager Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2022-09-23 | CVE-2022-35721 | IBM | Cross-site Scripting vulnerability in IBM Jazz for Service Management 1.1.3 IBM Jazz for Service Management 1.1.3 is vulnerable to stored cross-site scripting. | 5.4 |
2022-09-23 | CVE-2022-40358 | Ajaxplorer | Cross-site Scripting vulnerability in Ajaxplorer 4.2.3 An issue was discovered in AjaXplorer 4.2.3, allows attackers to cause cross site scripting vulnerabilities via a crafted svg file upload. | 5.4 |
2022-09-23 | CVE-2022-40748 | IBM | Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. | 5.4 |
2022-09-23 | CVE-2022-40215 | Tabs Project | Unspecified vulnerability in Tabs Project Tabs Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in Tabs plugin <= 3.7.1 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-36791 | Awesome | Unspecified vulnerability in Awesome Torro Forms Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Awesome UG Torro Forms plugin <= 1.0.16 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-37328 | Themesawesome | Cross-site Scripting vulnerability in Themesawesome Timeline Awesome Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in Themes Awesome History Timeline plugin <= 1.0.5 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-38460 | Notice Board Project | Unspecified vulnerability in Notice Board Project Notice Board Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in NOTICE BOARD plugin <= 1.1 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-2937 | Oxilab | Unspecified vulnerability in Oxilab Image Hover Effects Ultimate The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. | 5.4 |
2022-09-23 | CVE-2022-37330 | Webhelpagency | Unspecified vulnerability in Webhelpagency WHA Crossword Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WHA Crossword plugin <= 1.1.10 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-37338 | Blossomthemes | Cross-site Scripting vulnerability in Blossomthemes Blossom Recipe Maker Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Blossom Recipe Maker plugin <= 1.0.7 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-37339 | Fullworksplugins | Unspecified vulnerability in Fullworksplugins Meet MY Team Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Meet My Team plugin <= 2.0.5 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-40213 | Gsplugins | Unspecified vulnerability in Gsplugins GS Testimonial Slider Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in GS Testimonial Slider plugin <= 1.9.6 at WordPress. | 5.4 |
2022-09-23 | CVE-2022-39239 | Nuxtjs | Unspecified vulnerability in Nuxtjs Netlify-Ipx netlify-ipx is an on-Demand image optimization for Netlify using ipx. | 5.4 |
2022-09-22 | CVE-2021-27774 | Hcltech | Improper Input Validation vulnerability in Hcltech HCL Digital Experience 8.5/9.0/9.5 User input included in error response, which could be used in a phishing attack. | 5.4 |
2022-09-22 | CVE-2022-28978 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.0/7.2 Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name. | 5.4 |
2022-09-21 | CVE-2022-36365 | Webhelpagency | Unspecified vulnerability in Webhelpagency WHA Crossword Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Crossword plugin <= 1.1.10 at WordPress. | 5.4 |
2022-09-21 | CVE-2022-36383 | Webhelpagency | Unspecified vulnerability in Webhelpagency WHA Wordsearch Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in WHA Word Search Puzzles game plugin <= 2.0.1 at WordPress. | 5.4 |
2022-09-21 | CVE-2022-36390 | Total Soft | Unspecified vulnerability in Total-Soft Event Calendar Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. | 5.4 |
2022-09-21 | CVE-2022-38073 | Getawesomesupport | Unspecified vulnerability in Getawesomesupport Awesome Support Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress. | 5.4 |
2022-09-21 | CVE-2022-41224 | Jenkins | Cross-site Scripting vulnerability in Jenkins 2.367/2.369 Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component. | 5.4 |
2022-09-21 | CVE-2022-41225 | Jenkins | Cross-site Scripting vulnerability in Jenkins Anchore Container Image Scanner Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine. | 5.4 |
2022-09-21 | CVE-2022-41229 | Jenkins | Cross-site Scripting vulnerability in Jenkins Ns-Nd Integration Performance Publisher Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-09-21 | CVE-2022-41239 | Jenkins | Cross-site Scripting vulnerability in Jenkins Dotci Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. | 5.4 |
2022-09-21 | CVE-2022-41240 | Jenkins | Cross-site Scripting vulnerability in Jenkins Walti 1.0.1 Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti. | 5.4 |
2022-09-21 | CVE-2022-41242 | Jenkins | Missing Authorization vulnerability in Jenkins Extreme-Feedback A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps. | 5.4 |
2022-09-21 | CVE-2022-37246 | Craftcms | Cross-site Scripting vulnerability in Craftcms Craft CMS 4.2.0.1 Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label. | 5.4 |
2022-09-21 | CVE-2022-2872 | Octoprint | Unspecified vulnerability in Octoprint Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3. | 5.4 |
2022-09-20 | CVE-2022-32167 | Cloudreve | Unspecified vulnerability in Cloudreve Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality. | 5.4 |
2022-09-20 | CVE-2022-3005 | Yetiforce | Unspecified vulnerability in Yetiforce Customer Relationship Management Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | 5.4 |
2022-09-20 | CVE-2022-3004 | Yetiforce | Unspecified vulnerability in Yetiforce Customer Relationship Management Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | 5.4 |
2022-09-20 | CVE-2022-3000 | Yetiforce | Unspecified vulnerability in Yetiforce Customer Relationship Management Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | 5.4 |
2022-09-20 | CVE-2022-2924 | Yetiforce | Unspecified vulnerability in Yetiforce Customer Relationship Management Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.3. | 5.4 |
2022-09-19 | CVE-2022-38550 | Jeesns | Cross-site Scripting vulnerability in Jeesns 2.0.0 A stored cross-site scripting (XSS) vulnerability in the /weibo/list component of Jeesns v2.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 5.4 |
2022-09-19 | CVE-2022-40778 | Opswat | Cross-site Scripting vulnerability in Opswat Metadefender A stored Cross-Site Scripting (XSS) vulnerability in OPSWAT MetaDefender ICAP Server before 4.13.0 allows attackers to execute arbitrary JavaScript or HTML because of the blocked page response. | 5.4 |
2022-09-24 | CVE-2022-39242 | Parity | Incorrect Calculation vulnerability in Parity Frontier 20210903/20211013 Frontier is an Ethereum compatibility layer for Substrate. | 5.3 |
2022-09-23 | CVE-2022-32217 | Rocket Chat | Information Exposure Through Log Files vulnerability in Rocket.Chat A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs. | 5.3 |
2022-09-23 | CVE-2022-36340 | Mailoptin | Unspecified vulnerability in Mailoptin Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress. | 5.3 |
2022-09-23 | CVE-2022-35238 | Brinidesigner | Unspecified vulnerability in Brinidesigner Awesome Filterable Portfolio Unauthenticated Plugin Settings Change vulnerability in Awesome Filterable Portfolio plugin <= 1.9.7 at WordPress. | 5.3 |
2022-09-23 | CVE-2022-40979 | Jetbrains | Information Exposure Through Log Files vulnerability in Jetbrains Teamcity In JetBrains TeamCity before 2022.04.4 environmental variables of "password" type could be logged when using custom Perforce executable | 5.3 |
2022-09-22 | CVE-2021-39190 | Teclib Edition | Missing Authorization vulnerability in Teclib-Edition System Center Configuration Manager The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. | 5.3 |
2022-09-22 | CVE-2022-38398 | Apache Debian | Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. | 5.3 |
2022-09-22 | CVE-2022-38648 | Apache Debian | Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. | 5.3 |
2022-09-22 | CVE-2022-40443 | Zzcms | Path Traversal vulnerability in Zzcms 2022 An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php. | 5.3 |
2022-09-22 | CVE-2022-40444 | Zzcms | Path Traversal vulnerability in Zzcms 2022 ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server. | 5.3 |
2022-09-21 | CVE-2022-35621 | Evohclaimable Project | Unspecified vulnerability in Evohclaimable Project Evohclaimable Access control vulnerability in Evoh NFT EvohClaimable contract with sha256 hash code fa2084d5abca91a62ed1d2f1cad3ec318e6a9a2d7f1510a00d898737b05f48ae allows remote attackers to execute fraudulent NFT transfers. | 5.3 |
2022-09-21 | CVE-2022-3250 | Ikus Soft | Missing Encryption of Sensitive Data vulnerability in Ikus-Soft Rdiffweb Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6. | 5.3 |
2022-09-21 | CVE-2022-3251 | Ikus Soft | Missing Encryption of Sensitive Data vulnerability in Ikus-Soft Minarca Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2. | 5.3 |
2022-09-21 | CVE-2022-41235 | Jenkins | Unspecified vulnerability in Jenkins Wildfly Deployer 1.0.2 Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. | 5.3 |
2022-09-21 | CVE-2022-41248 | Jenkins | Cleartext Storage of Sensitive Information vulnerability in Jenkins Bigpanda Notifier Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it. | 5.3 |
2022-09-21 | CVE-2019-5641 | Rapid7 | Insufficient Session Expiration vulnerability in Rapid7 Insightvm Rapid7 InsightVM suffers from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user | 5.3 |
2022-09-21 | CVE-2022-2795 | ISC Debian Fedoraproject | By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. | 5.3 |
2022-09-20 | CVE-2022-32861 | Apple | Unspecified vulnerability in Apple Safari A logic issue was addressed with improved state management. | 5.3 |
2022-09-20 | CVE-2022-38956 | Netgear | Improper Validation of Integrity Check Value vulnerability in Netgear Wpn824Ext Firmware 1.1.11.1.9 An exploitable firmware downgrade vulnerability was discovered on the Netgear WPN824EXT WiFi Range Extender. | 5.3 |
2022-09-19 | CVE-2022-29835 | Westerndigital | Inadequate Encryption Strength vulnerability in Westerndigital WD Discovery 4.0.251.0 WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. | 5.3 |
2022-09-23 | CVE-2022-37342 | ADD Shortcodes Actions AND Filters Project | Unspecified vulnerability in ADD Shortcodes Actions and Filters Project ADD Shortcodes Actions and Filters Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability Add Shortcodes Actions And Filters plugin <= 2.0.9 at WordPress. | 4.8 |
2022-09-23 | CVE-2022-40195 | Loqate | Unspecified vulnerability in Loqate Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PCA Predict plugin <= 1.0.3 at WordPress. | 4.8 |
2022-09-23 | CVE-2022-40672 | Wpchill | Unspecified vulnerability in Wpchill CPO Shortcodes Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CPO Shortcodes plugin <= 1.5.0 at WordPress. | 4.8 |
2022-09-23 | CVE-2022-38703 | Maxfoundry | Unspecified vulnerability in Maxfoundry Maxbuttons Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Max Foundry Button Plugin MaxButtons plugin <= 9.2 at WordPress | 4.8 |
2022-09-23 | CVE-2022-3144 | Wordfence | Unspecified vulnerability in Wordfence Security The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page due to insufficient escaping on the stored value. | 4.8 |
2022-09-21 | CVE-2022-40028 | Simple Task Managing System Project | Cross-site Scripting vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0 SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php. | 4.8 |
2022-09-21 | CVE-2022-40029 | Simple Task Managing System Project | Cross-site Scripting vulnerability in Simple Task Managing System Project Simple Task Managing System 1.0 SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newProjectValidation.php. | 4.8 |
2022-09-21 | CVE-2022-3255 | Pimcore | Cross-site Scripting vulnerability in Pimcore If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. | 4.8 |
2022-09-19 | CVE-2022-2567 | Codepeople | Unspecified vulnerability in Codepeople Form Builder CP The Form Builder CP WordPress plugin before 1.2.32 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-09-19 | CVE-2022-2709 | Cagewebdesign | Cross-site Scripting vulnerability in Cagewebdesign Float to TOP Button The Float to Top Button WordPress plugin through 2.3.6 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-09-19 | CVE-2022-2710 | Scroll TO TOP Project | Unspecified vulnerability in Scroll to TOP Project Scroll to TOP The Scroll To Top WordPress plugin before 1.4.1 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-09-19 | CVE-2022-3021 | Diywebmastery | Unspecified vulnerability in Diywebmastery Slickr Flickr 2.8.1 The Slickr Flickr WordPress plugin through 2.8.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-09-19 | CVE-2022-3036 | Gettext Override Translations Project | Unspecified vulnerability in Gettext Override Translations Project Gettext Override Translations 1.0.0/1.0.1 The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-09-21 | CVE-2022-29800 | Microsoft | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Microsoft Windows Defender for Endpoint A time-of-check-time-of-use (TOCTOU) race condition vulnerability was found in networkd-dispatcher. | 4.7 |
2022-09-23 | CVE-2022-32781 | Apple | Unspecified vulnerability in Apple products This issue was addressed by enabling hardened runtime. | 4.4 |
2022-09-23 | CVE-2022-32782 | Apple | Unspecified vulnerability in Apple Macos This issue was addressed by enabling hardened runtime. | 4.4 |
2022-09-21 | CVE-2022-2888 | Octoprint | Unspecified vulnerability in Octoprint If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. | 4.4 |
2022-09-20 | CVE-2021-33079 | Intel | Unspecified vulnerability in Intel products Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access. | 4.4 |
2022-09-20 | CVE-2021-33081 | Intel | Unspecified vulnerability in Intel products Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access. | 4.4 |
2022-09-19 | CVE-2022-28201 | Mediawiki Debian | Uncontrolled Recursion vulnerability in multiple products An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. | 4.4 |
2022-09-23 | CVE-2022-32218 | Rocket Chat | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries. | 4.3 |
2022-09-23 | CVE-2022-32219 | Rocket Chat | Information Exposure vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the "users.list" REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide). | 4.3 |
2022-09-23 | CVE-2022-32226 | Rocket Chat | Improper Input Validation vulnerability in Rocket.Chat An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to input data in the getUsersOfRoom Meteor server method is not type validated, so that MongoDB query operator objects are accepted by the server, so that instead of a matching rid String a$regex query can be executed, bypassing the room access permission check for every but the first matching room. | 4.3 |
2022-09-23 | CVE-2022-32228 | Rocket Chat | Unspecified vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs. | 4.3 |
2022-09-23 | CVE-2022-32229 | Rocket Chat | Unspecified vulnerability in Rocket.Chat A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection. | 4.3 |
2022-09-23 | CVE-2022-35246 | Rocket Chat | Unspecified vulnerability in Rocket.Chat A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access. | 4.3 |
2022-09-23 | CVE-2022-35247 | Rocket Chat | Missing Authorization vulnerability in Rocket.Chat A information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leak channel members with special roles to unauthorized clients. | 4.3 |
2022-09-23 | CVE-2022-35249 | Rocket Chat | Missing Authorization vulnerability in Rocket.Chat A information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | 4.3 |
2022-09-23 | CVE-2022-35250 | Rocket Chat | Incorrect Permission Assignment for Critical Resource vulnerability in Rocket.Chat A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions. | 4.3 |
2022-09-23 | CVE-2022-38704 | Clogica | Unspecified vulnerability in Clogica SEO Redirection Cross-Site Request Forgery (CSRF) vulnerability in SEO Redirection plugin <= 8.9 at WordPress, leading to deletion of 404 errors and redirection history. | 4.3 |
2022-09-23 | CVE-2022-40132 | Castos | Cross-Site Request Forgery (CSRF) vulnerability in Castos Seriously Simple Podcasting Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Podcasting plugin <= 2.16.0 at WordPress, leading to plugin settings change. | 4.3 |
2022-09-23 | CVE-2022-40671 | Blazzdev | Unspecified vulnerability in Blazzdev Rate MY Post - WP Rating System Cross-Site Request Forgery (CSRF) vulnerability in Rate my Post – WP Rating System plugin <= 3.3.4 at WordPress. | 4.3 |
2022-09-23 | CVE-2022-38095 | Algolplus | Unspecified vulnerability in Algolplus Advanced Dynamic Pricing for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.3 at WordPress. | 4.3 |
2022-09-22 | CVE-2022-3267 | Ikus Soft | Unspecified vulnerability in Ikus-Soft Rdiffweb Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6. | 4.3 |
2022-09-22 | CVE-2022-39975 | Liferay | Missing Authorization vulnerability in Liferay DXP and Liferay Portal The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation. | 4.3 |
2022-09-21 | CVE-2022-3233 | Ikus Soft | Unspecified vulnerability in Ikus-Soft Rdiffweb Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6. | 4.3 |
2022-09-21 | CVE-2022-40219 | Sedlex | Unspecified vulnerability in Sedlex Favicon-Switcher Cross-Site Request Forgery (CSRF) vulnerability in SedLex FavIcon Switcher plugin <= 1.2.11 at WordPress allows plugin settings change. | 4.3 |
2022-09-21 | CVE-2022-41230 | Jenkins | Missing Authorization vulnerability in Jenkins Build-Publisher Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. | 4.3 |
2022-09-21 | CVE-2022-41233 | Jenkins | Missing Authorization vulnerability in Jenkins Rundeck Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled. | 4.3 |
2022-09-21 | CVE-2022-41247 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Bigpanda Notifier Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | 4.3 |
2022-09-21 | CVE-2022-41251 | Jenkins | Missing Authorization vulnerability in Jenkins Apprenda A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-09-21 | CVE-2022-41252 | Jenkins | Missing Authorization vulnerability in Jenkins Cons3Rt 1.0.0 Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allows users with Overall/Read permission to enumerate credentials ID of credentials stored in Jenkins. | 4.3 |
2022-09-20 | CVE-2022-32795 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS This issue was addressed with improved checks. | 4.3 |
2022-09-20 | CVE-2022-32868 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A logic issue was addressed with improved state management. | 4.3 |
2022-09-20 | CVE-2021-46835 | Huawei | Unspecified vulnerability in Huawei Ws7200-10 Firmware 11.0.2.13 There is a traffic hijacking vulnerability in WS7200-10 11.0.2.13. | 4.3 |
2022-09-19 | CVE-2022-1580 | Freehtmldesigns | Unspecified vulnerability in Freehtmldesigns Site Offline The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords. | 4.3 |
2022-09-19 | CVE-2022-1591 | Wordpress Ping Optimizer Project | Unspecified vulnerability in Wordpress Ping Optimizer Project Wordpress Ping Optimizer The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
8 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-09-22 | CVE-2022-36062 | Grafana | Unspecified vulnerability in Grafana Grafana is an open-source platform for monitoring and observability. | 3.8 |
2022-09-23 | CVE-2022-35252 | Haxx Netapp Apple Debian Splunk | When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. | 3.7 |
2022-09-23 | CVE-2022-39231 | Parseplatform | Unspecified vulnerability in Parseplatform Parse-Server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. | 3.7 |
2022-09-21 | CVE-2022-31679 | Vmware | Unspecified vulnerability in VMWare Spring Data Rest Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes. | 3.7 |
2022-09-22 | CVE-2022-3274 | Ikus Soft | Unspecified vulnerability in Ikus-Soft Rdiffweb Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.7. | 3.5 |
2022-09-23 | CVE-2022-40310 | Blazzdev | Race Condition vulnerability in Blazzdev Rate MY Post - WP Rating System Authenticated (subscriber+) Race Condition vulnerability in Rate my Post – WP Rating System plugin <= 3.3.4 at WordPress allows attackers to increase/decrease votes. | 3.1 |
2022-09-23 | CVE-2022-39225 | Parseplatform | Unspecified vulnerability in Parseplatform Parse-Server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. | 3.1 |
2022-09-20 | CVE-2022-32872 | Apple | Unspecified vulnerability in Apple Ipados and Iphone OS A logic issue was addressed with improved restrictions. | 2.4 |