Weekly Vulnerabilities Reports > October 3 to 9, 2022

Overview

239 new vulnerabilities reported during this period, including 47 critical vulnerabilities and 92 high severity vulnerabilities. This weekly summary report vulnerabilities in 136 products from 85 vendors including Google, Samsung, Autodesk, Codeigniter, and Arubanetworks. Vulnerabilities are notably categorized as "Out-of-bounds Write", "SQL Injection", "Cross-site Scripting", "Exposure of Resource to Wrong Sphere", and "Classic Buffer Overflow".

  • 173 reported vulnerabilities are remotely exploitables.
  • 77 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 122 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 22 reported vulnerabilities.
  • Codeigniter has the most reported critical vulnerabilities, with 12 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

47 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-10-07 CVE-2022-3275 Puppet Command Injection vulnerability in Puppet Puppetlabs-Mysql

Command injection is possible in the puppetlabs-apt module prior to version 9.0.0.

9.8
2022-10-07 CVE-2022-42075 Wedding Planner Project Unspecified vulnerability in Wedding Planner Project Wedding Planner 1.0

Wedding Planner v1.0 is vulnerable to arbitrary code execution.

9.8
2022-10-07 CVE-2022-37885 Arubanetworks Classic Buffer Overflow vulnerability in Arubanetworks Arubaos and Instant

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211).

9.8
2022-10-07 CVE-2022-37886 Arubanetworks Classic Buffer Overflow vulnerability in Arubanetworks Arubaos and Instant

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211).

9.8
2022-10-07 CVE-2022-37887 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211).

9.8
2022-10-07 CVE-2022-37889 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211).

9.8
2022-10-07 CVE-2022-37890 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

Unauthenticated buffer overflow vulnerabilities exist within the Aruba InstantOS and ArubaOS 10 web management interface.

9.8
2022-10-07 CVE-2022-37891 Arubanetworks
Siemens
Classic Buffer Overflow vulnerability in multiple products

Unauthenticated buffer overflow vulnerabilities exist within the Aruba InstantOS and ArubaOS 10 web management interface.

9.8
2022-10-07 CVE-2022-39862 Samsung Incorrect Authorization vulnerability in Samsung Dynamic Lockscreen

Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api.

9.8
2022-10-07 CVE-2022-40824 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40825 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40826 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40827 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40828 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40829 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40830 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40831 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40832 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40833 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40834 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40835 Codeigniter SQL Injection vulnerability in Codeigniter

B.C.

9.8
2022-10-07 CVE-2022-40872 Simple E Learning System Project SQL Injection vulnerability in Simple E-Learning System Project Simple E-Learning System 1.0

An SQL injection vulnerability issue was discovered in Sourcecodester Simple E-Learning System 1.0., in /vcs/classRoom.php?classCode=, classCode.

9.8
2022-10-07 CVE-2022-3414 WEB Based Student Clearance System Project Improper Enforcement of Message or Data Structure vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System

A vulnerability was found in SourceCodester Web-Based Student Clearance System.

9.8
2022-10-06 CVE-2022-40494 NPS Project Improper Authentication vulnerability in NPS Project NPS

NPS before v0.26.10 was discovered to contain an authentication bypass vulnerability via constantly generating and sending the Auth key and Timestamp parameters.

9.8
2022-10-06 CVE-2022-41522 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an unauthenticated stack overflow via the "main" function.

9.8
2022-10-06 CVE-2022-41525 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the OpModeCfg function at /cgi-bin/cstecgi.cgi.

9.8
2022-10-06 CVE-2022-41852 Apache Unsafe Reflection vulnerability in Apache Commons Jxpath

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation.

9.8
2022-10-06 CVE-2022-41853 Hsqldb Unspecified vulnerability in Hsqldb Hypersql Database

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack.

9.8
2022-10-06 CVE-2022-37888 Arubanetworks Classic Buffer Overflow vulnerability in Arubanetworks Arubaos and Instant

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211).

9.8
2022-10-06 CVE-2022-39237 Sylabs Improper Verification of Cryptographic Signature vulnerability in Sylabs Singularity Image Format

syslabs/sif is the Singularity Image Format (SIF) reference implementation.

9.8
2022-10-06 CVE-2022-39244 Pjsip Classic Buffer Overflow vulnerability in Pjsip

PJSIP is a free and open source multimedia communication library written in C.

9.8
2022-10-06 CVE-2022-39274 Semtech Classic Buffer Overflow vulnerability in Semtech Loramac-Node

LoRaMac-node is a reference implementation and documentation of a LoRa network node.

9.8
2022-10-06 CVE-2022-3273 Ikus Soft Inadequate Encryption Strength vulnerability in Ikus-Soft Rdiffweb

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

9.8
2022-10-06 CVE-2022-3396 Omron Out-of-bounds Write vulnerability in Omron Cx-Programmer

OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code.

9.8
2022-10-06 CVE-2022-3397 Omron Out-of-bounds Write vulnerability in Omron Cx-Programmer

OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code.

9.8
2022-10-06 CVE-2022-3398 Omron Out-of-bounds Write vulnerability in Omron Cx-Programmer

OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code.

9.8
2022-10-06 CVE-2022-41518 Totolink Command Injection vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the UploadFirmwareFile function at /cgi-bin/cstecgi.cgi.

9.8
2022-10-03 CVE-2022-33882 Autodesk Unspecified vulnerability in Autodesk Desktop 7.0.16.29/8.4.0.50

Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA).

9.8
2022-10-03 CVE-2022-41443 Phpipam Improper Encoding or Escaping of Output vulnerability in PHPipam 1.5.0

phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.

9.8
2022-10-03 CVE-2022-40721 Creativedream File Uploader Project Unrestricted Upload of File with Dangerous Type vulnerability in Creativedream File Uploader Project Creativedream File Uploader 0.3

Arbitrary file upload vulnerability in php uploader

9.8
2022-10-03 CVE-2022-42302 Veritas SQL Injection vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products.

9.8
2022-10-03 CVE-2022-42303 Veritas SQL Injection vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products.

9.8
2022-10-03 CVE-2022-42304 Veritas SQL Injection vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products.

9.8
2022-10-03 CVE-2022-42307 Veritas XXE vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products.

9.8
2022-10-07 CVE-2022-31680 Vmware Deserialization of Untrusted Data vulnerability in VMWare Vcenter Server

The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller).

9.1
2022-10-06 CVE-2022-39269 Pjsip Unspecified vulnerability in Pjsip 2.11/2.11.1/2.12

PJSIP is a free and open source multimedia communication library written in C.

9.1
2022-10-06 CVE-2022-40895 Nedi Information Exposure Through Discrepancy vulnerability in Nedi 1.0.7

In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability.

9.1

92 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-10-07 CVE-2022-36635 Zkteco SQL Injection vulnerability in Zkteco Zkbiosecurity V5000 4.1.3

ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.

8.8
2022-10-07 CVE-2022-3276 Puppet Command Injection vulnerability in Puppet Puppetlabs-Mysql

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0.

8.8
2022-10-07 CVE-2022-36634 Zkteco Incorrect Authorization vulnerability in Zkteco Zkbiosecurity V5000 3.0.5.0R

An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.

8.8
2022-10-07 CVE-2022-22493 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Automation for IBM Cloud PAK for Watson Aiops

IBM WebSphere Automation for Cloud Pak for Watson AIOps 1.4.2 is vulnerable to cross-site request forgery, caused by improper cookie attribute setting.

8.8
2022-10-06 CVE-2022-41523 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the command parameter in the setTracerouteCfg function.

8.8
2022-10-06 CVE-2022-41524 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the week, sTime, and eTime parameters in the setParentalRules function.

8.8
2022-10-06 CVE-2022-41526 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the ip parameter in the setDiagnosisCfg function.

8.8
2022-10-06 CVE-2022-41527 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the pppoeUser parameter in the setOpModeCfg function.

8.8
2022-10-06 CVE-2022-41528 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the text parameter in the setSmsCfg function.

8.8
2022-10-06 CVE-2022-41520 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the File parameter in the UploadCustomModule function.

8.8
2022-10-06 CVE-2022-41521 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the sPort/ePort parameter in the setIpPortFilterRules function.

8.8
2022-10-06 CVE-2022-2986 Moodle Cross-Site Request Forgery (CSRF) vulnerability in Moodle

Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

8.8
2022-10-06 CVE-2022-41517 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a stack overflow in the lang parameter in the setLanguageCfg function

8.8
2022-10-06 CVE-2021-40556 Asus Out-of-bounds Write vulnerability in Asus Rt-Ax56U Firmware 3.0.0.4.386.44266

A stack overflow vulnerability exists in the httpd service in ASUS RT-AX56U Router Version 3.0.0.4.386.44266.

8.8
2022-10-06 CVE-2022-2637 Hitachi Improper Privilege Management vulnerability in Hitachi Storage Plug-In 04.8.0

Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation.

8.8
2022-10-03 CVE-2022-42301 Veritas XXE vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products.

8.8
2022-10-03 CVE-2022-3125 Najeebmedia Unrestricted Upload of File with Dangerous Type vulnerability in Najeebmedia Frontend File Manager

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

8.8
2022-10-03 CVE-2022-41428 Axiosys Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBits function in mp4mux.

8.8
2022-10-03 CVE-2022-41429 Axiosys Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_Atom::TypeFromString function in mp4tag.

8.8
2022-10-03 CVE-2022-41430 Axiosys Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBit function in mp4mux.

8.8
2022-10-03 CVE-2022-41040 Microsoft Improper Privilege Management vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Elevation of Privilege Vulnerability.

8.8
2022-10-03 CVE-2022-41082 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Remote Code Execution Vulnerability.

8.8
2022-10-07 CVE-2022-41672 Apache Insufficient Session Expiration vulnerability in Apache Airflow

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

8.1
2022-10-07 CVE-2022-39959 Panini Unquoted Search Path or Element vulnerability in Panini Everest Engine 2.0.4

Panini Everest Engine 2.0.4 allows unprivileged users to create a file named Everest.exe in the %PROGRAMDATA%\Panini folder.

7.8
2022-10-07 CVE-2022-26471 Google Deserialization of Untrusted Data vulnerability in Google Android 12.0

In telephony, there is a possible escalation of privilege due to a parcel format mismatch.

7.8
2022-10-07 CVE-2022-26472 Google Deserialization of Untrusted Data vulnerability in Google Android 10.0/11.0/12.0

In ims, there is a possible escalation of privilege due to a parcel format mismatch.

7.8
2022-10-07 CVE-2022-37893 Arubanetworks
Siemens
Command Injection vulnerability in multiple products

An authenticated command injection vulnerability exists in the Aruba InstantOS and ArubaOS 10 command line interface.

7.8
2022-10-07 CVE-2021-40162 Autodesk Out-of-bounds Read vulnerability in Autodesk products

A maliciously crafted TIF, PICT, TGA, or RLC files in Autodesk Image Processing component may be forced to read beyond allocated boundaries when parsing the TIFF, PICT, TGA, or RLC files.

7.8
2022-10-07 CVE-2021-40163 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A Memory Corruption vulnerability may lead to code execution through maliciously crafted DLL files through Autodesk Image Processing component.

7.8
2022-10-07 CVE-2021-40164 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A heap-based buffer overflow could occur while parsing TIFF, PICT, TGA, or RLC files.

7.8
2022-10-07 CVE-2021-40165 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted TIFF, PICT, TGA, or RLC file in Autodesk Image Processing component may be used to write beyond the allocated buffer while parsing TIFF, PICT, TGA, or RLC files.

7.8
2022-10-07 CVE-2021-40166 Autodesk Use After Free vulnerability in Autodesk products

A maliciously crafted PNG file in Autodesk Image Processing component may be used to attempt to free an object that has already been freed while parsing them.

7.8
2022-10-07 CVE-2022-33896 Hancom Buffer Underflow vulnerability in Hancom Office 2020 11.0.0.5357

A buffer underflow vulnerability exists in the way Hword of Hancom Office 2020 version 11.0.0.5357 parses XML-based office files.

7.8
2022-10-07 CVE-2022-39852 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

A heap-based overflow vulnerability in makeContactAGIF in libagifencoder.quram.so library prior to SMR Oct-2022 Release 1 allows attacker to perform code execution.

7.8
2022-10-07 CVE-2022-39853 Google Use After Free vulnerability in Google Android 10.0/11.0/12.0

A use after free vulnerability in perf-mgr driver prior to SMR Oct-2022 Release 1 allows attacker to cause memory access fault.

7.8
2022-10-07 CVE-2022-39854 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper protection in IOMMU prior to SMR Oct-2022 Release 1 allows unauthorized access to secure memory.

7.8
2022-10-07 CVE-2022-39858 Samsung Path Traversal vulnerability in Samsung Factorycamera 2.1.96

Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write arbitrary file as FactoryCamera privilege.

7.8
2022-10-06 CVE-2022-26235 Beckmancoulter Incorrect Default Permissions vulnerability in Beckmancoulter Remisol Advance

A vulnerability was discovered in the Remisol Advance v2.0.12.1 and below for the Normand Message Server.

7.8
2022-10-03 CVE-2022-33883 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A malicious crafted file consumed through Moldflow Synergy, Moldflow Adviser, Moldflow Communicator, and Advanced Material Exchange applications could lead to memory corruption vulnerability.

7.8
2022-10-03 CVE-2022-33885 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted X_B, CATIA, and PDF file when parsed through Autodesk AutoCAD 2023 and 2022 can be used to write beyond the allocated buffer.

7.8
2022-10-03 CVE-2022-33886 Autodesk Improper Handling of Exceptional Conditions vulnerability in Autodesk products

A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023 and 2022.

7.8
2022-10-03 CVE-2022-33887 Autodesk Improper Handling of Exceptional Conditions vulnerability in Autodesk products

A maliciously crafted PDF file when parsed through Autodesk AutoCAD 2023 causes an unhandled exception.

7.8
2022-10-03 CVE-2022-33888 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A malicious crafted Dwg2Spd file when processed through Autodesk DWG application could lead to memory corruption vulnerability by write access violation.

7.8
2022-10-03 CVE-2022-33889 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted GIF or JPEG files when parsed through Autodesk Design Review 2018, and AutoCAD 2023 and 2022 could be used to write beyond the allocated heap buffer.

7.8
2022-10-03 CVE-2022-33890 Autodesk Out-of-bounds Write vulnerability in Autodesk products

A maliciously crafted PCT or DWF file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation.

7.8
2022-10-03 CVE-2022-40764 Snyk Command Injection vulnerability in Snyk CLI and Golang CLI

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package.

7.8
2022-10-03 CVE-2022-41301 Autodesk Out-of-bounds Write vulnerability in Autodesk Subassembly Composer

A maliciously crafted PKT file when consumed through SubassemblyComposer.exe application could lead to memory corruption vulnerability by read access violation.

7.8
2022-10-09 CVE-2022-3436 WEB Based Student Clearance System Project Unrestricted Upload of File with Dangerous Type vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System 1.0

A vulnerability classified as critical was found in SourceCodester Web-Based Student Clearance System 1.0.

7.5
2022-10-07 CVE-2022-39289 Zoneminder Information Exposure vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application.

7.5
2022-10-07 CVE-2022-41574 Gradle Incorrect Authorization vulnerability in Gradle Enterprise

An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint.

7.5
2022-10-07 CVE-2022-32589 Google
Linuxfoundation
Improper Resource Shutdown or Release vulnerability in multiple products

In Wi-Fi driver, there is a possible way to disconnect Wi-Fi due to an improper resource release.

7.5
2022-10-07 CVE-2022-32591 Google Improper Input Validation vulnerability in Google Android 11.0/12.0

In ril, there is a possible system crash due to an incorrect bounds check.

7.5
2022-10-07 CVE-2022-22480 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts which could result in information disclosure.

7.5
2022-10-07 CVE-2022-39864 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12

Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.

7.5
2022-10-07 CVE-2022-39865 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25

Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

7.5
2022-10-07 CVE-2022-39866 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25

Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

7.5
2022-10-07 CVE-2022-39867 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.

7.5
2022-10-07 CVE-2022-39868 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25

Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

7.5
2022-10-07 CVE-2022-39869 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.

7.5
2022-10-07 CVE-2022-39870 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.

7.5
2022-10-07 CVE-2022-39871 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25

Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.

7.5
2022-10-07 CVE-2022-3422 Tooljet Improper Privilege Management vulnerability in Tooljet

Account Takeover :: when see the info i can see the hash pass i can creaked it ...............

7.5
2022-10-06 CVE-2022-27810 Facebook Uncontrolled Recursion vulnerability in Facebook Hermes

It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript.

7.5
2022-10-06 CVE-2022-41556 Lighttpd
Fedoraproject
Memory Leak vulnerability in multiple products

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients.

7.5
2022-10-06 CVE-2022-31008 Vmware Use of Insufficiently Random Values vulnerability in VMWare Rabbitmq

RabbitMQ is a multi-protocol messaging and streaming broker.

7.5
2022-10-06 CVE-2022-39273 Flyte Use of Hard-coded Credentials vulnerability in Flyte Flyteadmin

FlyteAdmin is the control plane for the data processing platform Flyte.

7.5
2022-10-06 CVE-2022-39280 Pyup Resource Exhaustion vulnerability in Pyup Dependency Parser

dparse is a parser for Python dependency files.

7.5
2022-10-06 CVE-2022-3389 Ikus Soft Path Traversal vulnerability in Ikus-Soft Rdiffweb

Path Traversal in GitHub repository ikus060/rdiffweb prior to 2.4.10.

7.5
2022-10-03 CVE-2022-33884 Autodesk Out-of-bounds Read vulnerability in Autodesk products

Parsing a maliciously crafted X_B file can force Autodesk AutoCAD 2023 and 2022 to read beyond allocated boundaries.

7.5
2022-10-03 CVE-2022-42299 Veritas Unspecified vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products.

7.5
2022-10-03 CVE-2022-42305 Veritas Path Traversal vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products.

7.5
2022-10-03 CVE-2022-38817 Linuxfoundation Unspecified vulnerability in Linuxfoundation Dapr Dashboard

Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.

7.5
2022-10-07 CVE-2022-41377 Online PET Shop WE APP Project SQL Injection vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0

Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=maintenance/manage_category.

7.2
2022-10-07 CVE-2022-41378 Online PET Shop WE APP Project SQL Injection vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0

Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=inventory/manage_inventory.

7.2
2022-10-07 CVE-2022-41379 Online Leave Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Leave Management System Project Online Leave Management System 1.0

An arbitrary file upload vulnerability in the component /leave_system/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

7.2
2022-10-07 CVE-2022-42073 Online Diagnostic LAB Management System Project SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0

Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editclient.php?id=.

7.2
2022-10-07 CVE-2022-42074 Online Diagnostic LAB Management System Project SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0

Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editcategory.php?id=.

7.2
2022-10-07 CVE-2022-41512 Online Diagnostic LAB Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0

An arbitrary file upload vulnerability in the component /php_action/editFile.php of Online Diagnostic Lab Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

7.2
2022-10-07 CVE-2022-41513 Online Diagnostic LAB Management System Project SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /diagnostic/edittest.php.

7.2
2022-10-07 CVE-2022-41514 Open Source Sacco Management System Project SQL Injection vulnerability in Open Source Sacco Management System Project Open Source Sacco Management System 1.0

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_loan.

7.2
2022-10-07 CVE-2022-41515 Open Source Sacco Management System Project SQL Injection vulnerability in Open Source Sacco Management System Project Open Source Sacco Management System 1.0

Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_payment.

7.2
2022-10-07 CVE-2022-42092 Backdropcms Unrestricted Upload of File with Dangerous Type vulnerability in Backdropcms Backdrop CMS 1.22.0

Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution.

7.2
2022-10-06 CVE-2022-41355 Online Leave Management System Project SQL Injection vulnerability in Online Leave Management System Project Online Leave Management System 1.0

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /leave_system/classes/Master.php?f=delete_department.

7.2
2022-10-06 CVE-2022-42242 Simple Cold Storage Management System Project SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/classes/Master.php?f=delete_booking.

7.2
2022-10-06 CVE-2022-42243 Simple Cold Storage Management System Project SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/manage_storage.php?id=.

7.2
2022-10-06 CVE-2022-42249 Simple Cold Storage Management System Project SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/view_storage.php?id=.

7.2
2022-10-06 CVE-2022-42250 Simple Cold Storage Management System Project SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/inquiries/view_details.php?id=.

7.2
2022-10-06 CVE-2022-42457 Generex Unspecified vulnerability in Generex Cs141 Firmware

Generex CS141 through 2.10 allows remote command execution by administrators via a web interface that reaches run_update in /usr/bin/gxserve-update.sh (e.g., command execution can occur via a reverse shell installed by install.sh).

7.2
2022-10-06 CVE-2022-42241 Simple Cold Storage Management System Project SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/classes/Master.php?f=delete_message.

7.2
2022-10-06 CVE-2022-39265 Mybb Command Injection vulnerability in Mybb

MyBB is a free and open source forum software.

7.2
2022-10-03 CVE-2022-40886 Dedecms Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7.98

DedeCMS 5.7.98 has a file upload vulnerability in the background.

7.2
2022-10-03 CVE-2022-42308 Veritas Path Traversal vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products.

7.1

89 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-10-07 CVE-2022-26452 Google Improper Synchronization vulnerability in Google Android

In isp, there is a possible use after free due to improper locking.

6.7
2022-10-07 CVE-2022-26473 Google Improper Synchronization vulnerability in Google Android 12.0

In vdec fmt, there is a possible use after free due to improper locking.

6.7
2022-10-07 CVE-2022-26474 Google Incorrect Calculation of Buffer Size vulnerability in Google Android 12.0

In sensorhub, there is a possible out of bounds write due to an incorrect calculation of buffer size.

6.7
2022-10-07 CVE-2022-26475 Google
Linuxfoundation
Improper Input Validation vulnerability in multiple products

In wlan, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-10-07 CVE-2022-32590 Google
Linuxfoundation
Improper Handling of Exceptional Conditions vulnerability in multiple products

In wlan, there is a possible use after free due to an incorrect status check.

6.7
2022-10-07 CVE-2022-32592 Google
Linuxfoundation
Out-of-bounds Write vulnerability in multiple products

In cpu dvfs, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-10-07 CVE-2022-32593 Google Improper Input Validation vulnerability in Google Android 12.0

In vowe, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-10-06 CVE-2022-2975 Avaya Incorrect Permission Assignment for Critical Resource vulnerability in Avaya Aura Application Enablement Services

A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user.

6.7
2022-10-08 CVE-2022-39281 Fatfreecrm Unspecified vulnerability in Fatfreecrm

fat_free_crm is a an open source, Ruby on Rails customer relationship management platform (CRM).

6.5
2022-10-07 CVE-2022-31681 Vmware NULL Pointer Dereference vulnerability in VMWare Esxi

VMware ESXi contains a null-pointer deference vulnerability.

6.5
2022-10-07 CVE-2022-39290 Zoneminder Improper Authentication vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application.

6.5
2022-10-07 CVE-2022-39287 Tiny Csrf Project Cleartext Transmission of Sensitive Information vulnerability in Tiny-Csrf Project Tiny-Csrf

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware.

6.5
2022-10-07 CVE-2022-37894 Arubanetworks
Siemens
An unauthenticated Denial of Service (DoS) vulnerability exists in the handling of certain SSID strings by Aruba InstantOS and ArubaOS 10.
6.5
2022-10-07 CVE-2022-21936 Johnsoncontrols Improper Authentication vulnerability in Johnsoncontrols Metasys Extended Application and Data Server 12.0

On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI.

6.5
2022-10-07 CVE-2022-36772 IBM Improper Privilege Management vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that should only be available to a privileged user.

6.5
2022-10-07 CVE-2022-41291 IBM Insufficient Session Expiration vulnerability in IBM Infosphere Information Server 11.7

IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

6.5
2022-10-07 CVE-2022-3423 Xgenecloud Resource Exhaustion vulnerability in Xgenecloud Nocodb

Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.

6.5
2022-10-07 CVE-2022-2928 ISC
Debian
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field.

6.5
2022-10-07 CVE-2022-2929 ISC
Debian
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.

6.5
2022-10-06 CVE-2022-39222 Linuxfoundation Information Exposure vulnerability in Linuxfoundation DEX

Dex is an identity service that uses OpenID Connect to drive authentication for other apps.

6.5
2022-10-06 CVE-2022-40157 Apache Out-of-bounds Write vulnerability in Apache Commons Jxpath

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation.

6.5
2022-10-06 CVE-2022-40158 Apache Out-of-bounds Write vulnerability in Apache Commons Jxpath

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation.

6.5
2022-10-06 CVE-2022-40159 Apache Out-of-bounds Write vulnerability in Apache Commons Jxpath

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation.

6.5
2022-10-06 CVE-2022-40160 Apache Out-of-bounds Write vulnerability in Apache Commons Jxpath

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation.

6.5
2022-10-06 CVE-2022-40161 Apache Out-of-bounds Write vulnerability in Apache Commons Jxpath

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation.

6.5
2022-10-06 CVE-2022-41294 IBM Origin Validation Error vulnerability in IBM Robotic Process Automation

IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, 21.0.3, and 21.0.4 is vulnerable to cross origin resource sharing using the bot api.

6.5
2022-10-06 CVE-2022-26240 Beckmancoulter Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance

The default privileges for the running service Normand Message Buffer in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries.

6.5
2022-10-03 CVE-2022-42300 Veritas Unspecified vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products.

6.5
2022-10-03 CVE-2022-41419 Axiosys Memory Leak vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_Processor::Process function in the mp4encrypt binary.

6.5
2022-10-03 CVE-2022-41423 Axiosys Unspecified vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a segmentation violation in the mp4fragment component.

6.5
2022-10-03 CVE-2022-41424 Axiosys Memory Leak vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_SttsAtom::Create function in mp42hls.

6.5
2022-10-03 CVE-2022-41425 Axiosys Unspecified vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a segmentation violation via the AP4_Processor::ProcessFragments function in mp4decrypt.

6.5
2022-10-03 CVE-2022-41426 Axiosys Memory Leak vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_AtomFactory::CreateAtomFromStream function in mp4split.

6.5
2022-10-03 CVE-2022-41427 Axiosys Memory Leak vulnerability in Axiosys Bento4 1.6.0639

Bento4 v1.6.0-639 was discovered to contain a memory leak in the AP4_AvcFrameParser::Feed function in mp4mux.

6.5
2022-10-03 CVE-2022-40123 Mojoportal Path Traversal vulnerability in Mojoportal 2.7.0.0

mojoPortal v2.7 was discovered to contain a path traversal vulnerability via the "f" parameter at /DesignTools/CssEditor.aspx.

6.5
2022-10-03 CVE-2022-40922 Lief Project Unspecified vulnerability in Lief-Project Lief 0.12.1

A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.

6.5
2022-10-03 CVE-2022-36551 Heartex Server-Side Request Forgery (SSRF) vulnerability in Heartex Label Studio

A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system.

6.5
2022-10-07 CVE-2022-41442 Picuploader Project Cross-site Scripting vulnerability in Picuploader Project Picuploader 2.6.3

PicUploader v2.6.3 was discovered to contain cross-site scripting (XSS) vulnerability via the setStorageParams function in SettingController.php.

6.1
2022-10-07 CVE-2022-37896 Arubanetworks
Siemens
Cross-site Scripting vulnerability in multiple products

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface.

6.1
2022-10-07 CVE-2020-15855 Redhat Cross-site Scripting vulnerability in Redhat Bodhi

Two cross-site scripting vulnerabilities were fixed in Bodhi 5.6.1.

6.1
2022-10-06 CVE-2022-38709 IBM Cross-site Scripting vulnerability in IBM Robotic Process Automation for Cloud PAK

IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 for Cloud Pak is vulnerable to cross-site scripting.

6.1
2022-10-06 CVE-2022-22503 IBM Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM products

IBM Robotic Process Automation 21.0.0 could allow a remote attacker to hijack the clicking action of the victim.

6.1
2022-10-03 CVE-2022-42247 Pfsense Cross-site Scripting vulnerability in Pfsense 2.5.2

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component.

6.1
2022-10-09 CVE-2022-42703 Linux Use After Free vulnerability in Linux Kernel

mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.

5.5
2022-10-07 CVE-2022-30613 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.4 and 7.5 could disclose sensitive information via a local service to a privileged user.

5.5
2022-10-07 CVE-2022-34308 IBM Allocation of Resources Without Limits or Throttling vulnerability in IBM Cics TX 11.1

IBM CICS TX 11.1 could allow a local user to cause a denial of service due to improper load handling.

5.5
2022-10-07 CVE-2022-39857 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Factorycamerafb 3.4.74

Improper access control vulnerability in CameraTestActivity in FactoryCameraFB prior to version 3.5.51 allows attackers to access broadcasting Intent as system uid privilege.

5.5
2022-10-07 CVE-2022-39874 Samsung Information Exposure Through Log Files vulnerability in Samsung Account

Sensitive log information leakage vulnerability in Samsung Account prior to version 13.5.0 allows attackers to unauthorized logout.

5.5
2022-10-07 CVE-2022-39878 Samsung Unspecified vulnerability in Samsung Checkout 5.0.53.1

Improper access control vulnerability in Samsung Checkout prior to version 5.0.55.3 allows attackers to access sensitive information via implicit intent broadcast.

5.5
2022-10-06 CVE-2022-26236 Beckmancoulter Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance

The default privileges for the running service Normand Remisol Advance Launcher in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries.

5.5
2022-10-06 CVE-2022-26238 Beckmancoulter Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance

The default privileges for the running service Normand Service Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries.

5.5
2022-10-06 CVE-2022-26237 Beckmancoulter Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance

The default privileges for the running service Normand Viewer Service in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries.

5.5
2022-10-06 CVE-2022-26239 Beckmancoulter Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance

The default privileges for the running service Normand License Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows unprivileged users to overwrite and manipulate executables and libraries.

5.5
2022-10-03 CVE-2022-42306 Veritas NULL Pointer Dereference vulnerability in Veritas Netbackup

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products.

5.5
2022-10-03 CVE-2022-41420 Nasm Out-of-bounds Write vulnerability in Nasm Netwide Assembler 2.16

nasm v2.16 was discovered to contain a stack overflow in the Ndisasm component

5.5
2022-10-08 CVE-2022-3434 WEB Based Student Clearance System Project Cross-site Scripting vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System 1.0

A vulnerability was found in SourceCodester Web-Based Student Clearance System.

5.4
2022-10-07 CVE-2022-39285 Zoneminder Cross-site Scripting vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets.

5.4
2022-10-07 CVE-2022-39291 Zoneminder Improper Input Validation vulnerability in Zoneminder

ZoneMinder is a free, open source Closed-circuit television software application.

5.4
2022-10-07 CVE-2022-41392 Totaljs Cross-site Scripting vulnerability in Totaljs Total.Js 20220820

A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings.

5.4
2022-10-07 CVE-2022-37892 Arubanetworks
Siemens
Cross-site Scripting vulnerability in multiple products

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.

5.4
2022-10-06 CVE-2022-39279 Discourse Cross-site Scripting vulnerability in Discourse Discourse-Chat 0.3/0.4

discourse-chat is a plugin for the Discourse message board which adds chat functionality.

5.4
2022-10-06 CVE-2022-32171 Zinclabs Cross-site Scripting vulnerability in Zinclabs Zinc

In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality.

5.4
2022-10-06 CVE-2022-32172 Zinclabs Cross-site Scripting vulnerability in Zinclabs Zinc

In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete template functionality.

5.4
2022-10-06 CVE-2022-39270 Discourse Cross-site Scripting vulnerability in Discourse Discotoc

DiscoTOC is a Discourse theme component that generates a table of contents for topics.

5.4
2022-10-06 CVE-2022-39988 Centreon Cross-site Scripting vulnerability in Centreon 22.04.0

A cross-site scripting (XSS) vulnerability in Centreon 22.04.0 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Service>Templates service_alias parameter.

5.4
2022-10-06 CVE-2022-3002 Yetiforce Cross-site Scripting vulnerability in Yetiforce Customer Relationship Management

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

5.4
2022-10-03 CVE-2022-2839 Zephyr ONE Cross-site Scripting vulnerability in Zephyr-One Zephyr Project Manager

The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks.

5.4
2022-10-03 CVE-2022-32173 Orchardcore Cross-site Scripting vulnerability in Orchardcore

In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.

5.4
2022-10-07 CVE-2022-41414 Liferay Incorrect Default Permissions vulnerability in Liferay Portal

An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages.

5.3
2022-10-07 CVE-2022-39847 Google Use After Free vulnerability in Google Android 10.0/11.0/12.0

Use after free vulnerability in set_nft_pid and signal_handler function of NFC driver prior to SMR Oct-2022 Release 1 allows attackers to perform malicious actions.

5.3
2022-10-07 CVE-2022-39877 Samsung Improper Privilege Management vulnerability in Samsung Group Sharing 10.8.03.2

Improper access control vulnerability in ProfileSharingAccount in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to identify the device.

5.3
2022-10-06 CVE-2022-36774 IBM Improper Authentication vulnerability in IBM products

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to man in the middle attacks through manipulation of the client proxy configuration.

5.3
2022-10-06 CVE-2022-3376 Ikus Soft Weak Password Requirements vulnerability in Ikus-Soft Rdiffweb

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

5.3
2022-10-06 CVE-2022-2781 Octopus Inadequate Encryption Strength vulnerability in Octopus Server

In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.

5.3
2022-10-06 CVE-2022-2783 Octopus Insufficient Session Expiration vulnerability in Octopus Server

In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token

5.3
2022-10-03 CVE-2022-3124 Najeebmedia Missing Authorization vulnerability in Najeebmedia Frontend File Manager

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users.

5.3
2022-10-07 CVE-2022-37895 Arubanetworks
Siemens
An unauthenticated Denial of Service (DoS) vulnerability exists in the handling of certain SSID strings by Aruba InstantOS and ArubaOS 10.
4.9
2022-10-03 CVE-2022-2628 Dsgvo FOR WP Cross-site Scripting vulnerability in Dsgvo-For-Wp Dsgvo ALL in ONE for WP

The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-10-03 CVE-2022-2763 WP Socializer Project Cross-site Scripting vulnerability in WP Socializer Project WP Socializer

The WP Socializer WordPress plugin before 7.3 does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-10-03 CVE-2022-3128 Donation Thermometer Project Cross-site Scripting vulnerability in Donation Thermometer Project Donation Thermometer

The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-10-03 CVE-2022-3132 Goolytics Project Cross-site Scripting vulnerability in Goolytics Project Goolytics

The Goolytics WordPress plugin before 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-10-07 CVE-2022-39863 Samsung Unspecified vulnerability in Samsung Account

Intent redirection vulnerability in Samsung Account prior to version 13.5.01.3 allows attackers to access content providers without permission.

4.7
2022-10-07 CVE-2022-39873 Samsung Incorrect Authorization vulnerability in Samsung Internet

Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication.

4.6
2022-10-07 CVE-2022-39875 Samsung Unspecified vulnerability in Samsung Account

Improper component protection vulnerability in Samsung Account prior to version 13.5.0 allows attackers to unauthorized logout.

4.4
2022-10-06 CVE-2022-31252 Suse
Opensuse
Incorrect Authorization vulnerability in multiple products

A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution.

4.4
2022-10-08 CVE-2022-3435 Linux
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

A vulnerability classified as problematic has been found in Linux Kernel.

4.3
2022-10-07 CVE-2022-39855 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in FACM application prior to SMR Oct-2022 Release 1 allows a local attacker to connect arbitrary AP and Bluetooth devices.

4.3
2022-10-06 CVE-2022-39284 Codeigniter Improper Initialization vulnerability in Codeigniter

CodeIgniter is a PHP full-stack web framework.

4.3
2022-10-06 CVE-2022-39275 Saleor Incorrect Authorization vulnerability in Saleor

Saleor is a headless, GraphQL commerce platform.

4.3

11 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-10-07 CVE-2022-39860 Samsung Exposure of Resource to Wrong Sphere vulnerability in Samsung Quick Share 13.1.2.4

Improper access control vulnerability in QuickShare prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast.

3.5
2022-10-07 CVE-2022-36868 Google Unspecified vulnerability in Google Android 11.0/12.0

Improper restriction of broadcasting Intent in MouseNKeyHidDevice prior to SMR Oct-2022 Release 1 leaks MAC address of the connected Bluetooth device.

3.3
2022-10-07 CVE-2022-39848 Google Information Exposure vulnerability in Google Android 10.0/11.0/12.0

Exposure of sensitive information in AT_Distributor prior to SMR Oct-2022 Release 1 allows local attacker to access SerialNo via log.

3.3
2022-10-07 CVE-2022-39849 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control in knox_vpn_policy service prior to SMR Oct-2022 Release 1 allows allows unauthorized read of configuration data.

3.3
2022-10-07 CVE-2022-39850 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control in mum_container_policy service prior to SMR Oct-2022 Release 1 allows allows unauthorized read of configuration data.

3.3
2022-10-07 CVE-2022-39851 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in CocktailBarService prior to SMR Oct-2022 Release 1 allows local attacker to bind service that require BIND_REMOTEVIEWS permission.

3.3
2022-10-07 CVE-2022-39856 Google Unspecified vulnerability in Google Android 12.0

Improper access control vulnerability in imsservice application prior to SMR Oct-2022 Release 1 allows local attackers to access call information.

3.3
2022-10-07 CVE-2022-39859 Samsung Unspecified vulnerability in Samsung Uphelper Library

Implicit intent hijacking vulnerability in UPHelper library prior to version 3.0.12 allows attackers to access sensitive information via implicit intent.

3.3
2022-10-07 CVE-2022-39861 Samsung Missing Authorization vulnerability in Samsung Factorycamera 2.1.96

Unprotected Receiver in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to record video without camera privilege.

3.3
2022-10-07 CVE-2022-39872 Samsung Improper Handling of Exceptional Conditions vulnerability in Samsung Sharelive

Improper restriction of broadcasting Intent in ShareLive prior to version 13.2.03.5 leaks MAC address of the connected Bluetooth device.

3.3
2022-10-07 CVE-2022-39876 Samsung Information Exposure Through Log Files vulnerability in Samsung Reminder

Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI.

3.3