Weekly Vulnerabilities Reports > October 3 to 9, 2022
Overview
233 new vulnerabilities reported during this period, including 46 critical vulnerabilities and 92 high severity vulnerabilities. This weekly summary report vulnerabilities in 135 products from 84 vendors including Google, Samsung, Autodesk, Codeigniter, and Siemens. Vulnerabilities are notably categorized as "Out-of-bounds Write", "SQL Injection", "Cross-site Scripting", "Classic Buffer Overflow", and "Unrestricted Upload of File with Dangerous Type".
- 166 reported vulnerabilities are remotely exploitables.
- 73 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 121 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 22 reported vulnerabilities.
- Codeigniter has the most reported critical vulnerabilities, with 12 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
46 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-07 | CVE-2022-3275 | Puppet Fedoraproject | Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. | 9.8 |
2022-10-07 | CVE-2022-42075 | Wedding Planner Project | Unspecified vulnerability in Wedding Planner Project Wedding Planner 1.0 Wedding Planner v1.0 is vulnerable to arbitrary code execution. | 9.8 |
2022-10-07 | CVE-2022-37885 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). | 9.8 |
2022-10-07 | CVE-2022-37886 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). | 9.8 |
2022-10-07 | CVE-2022-37887 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). | 9.8 |
2022-10-07 | CVE-2022-37889 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). | 9.8 |
2022-10-07 | CVE-2022-37890 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products Unauthenticated buffer overflow vulnerabilities exist within the Aruba InstantOS and ArubaOS 10 web management interface. | 9.8 |
2022-10-07 | CVE-2022-37891 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products Unauthenticated buffer overflow vulnerabilities exist within the Aruba InstantOS and ArubaOS 10 web management interface. | 9.8 |
2022-10-07 | CVE-2022-39862 | Samsung | Unspecified vulnerability in Samsung Dynamic Lockscreen Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api. | 9.8 |
2022-10-07 | CVE-2022-40824 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40825 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40826 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40827 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40828 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40829 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40830 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40831 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40832 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40833 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40834 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40835 | Codeigniter | SQL Injection vulnerability in Codeigniter B.C. | 9.8 |
2022-10-07 | CVE-2022-40872 | Simple E Learning System Project | SQL Injection vulnerability in Simple E-Learning System Project Simple E-Learning System 1.0 An SQL injection vulnerability issue was discovered in Sourcecodester Simple E-Learning System 1.0., in /vcs/classRoom.php?classCode=, classCode. | 9.8 |
2022-10-07 | CVE-2022-3414 | WEB Based Student Clearance System Project | Improper Enforcement of Message or Data Structure vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System A vulnerability was found in SourceCodester Web-Based Student Clearance System. | 9.8 |
2022-10-06 | CVE-2022-40494 | NPS Project | Improper Authentication vulnerability in NPS Project NPS NPS before v0.26.10 was discovered to contain an authentication bypass vulnerability via constantly generating and sending the Auth key and Timestamp parameters. | 9.8 |
2022-10-06 | CVE-2022-41522 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an unauthenticated stack overflow via the "main" function. | 9.8 |
2022-10-06 | CVE-2022-41525 | Totolink | OS Command Injection vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the OpModeCfg function at /cgi-bin/cstecgi.cgi. | 9.8 |
2022-10-06 | CVE-2022-41853 | Hsqldb Debian | Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. | 9.8 |
2022-10-06 | CVE-2022-37888 | Arubanetworks Siemens | Classic Buffer Overflow vulnerability in multiple products There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). | 9.8 |
2022-10-06 | CVE-2022-39237 | Sylabs | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Sylabs Singularity Image Format syslabs/sif is the Singularity Image Format (SIF) reference implementation. | 9.8 |
2022-10-06 | CVE-2022-39244 | Pjsip | Classic Buffer Overflow vulnerability in Pjsip PJSIP is a free and open source multimedia communication library written in C. | 9.8 |
2022-10-06 | CVE-2022-39274 | Semtech | Off-by-one Error vulnerability in Semtech Loramac-Node LoRaMac-node is a reference implementation and documentation of a LoRa network node. | 9.8 |
2022-10-06 | CVE-2022-3273 | Ikus Soft | Inadequate Encryption Strength vulnerability in Ikus-Soft Rdiffweb Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. | 9.8 |
2022-10-06 | CVE-2022-3396 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Programmer OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | 9.8 |
2022-10-06 | CVE-2022-3397 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Programmer OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | 9.8 |
2022-10-06 | CVE-2022-3398 | Omron | Out-of-bounds Write vulnerability in Omron Cx-Programmer OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | 9.8 |
2022-10-06 | CVE-2022-41518 | Totolink | OS Command Injection vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the UploadFirmwareFile function at /cgi-bin/cstecgi.cgi. | 9.8 |
2022-10-03 | CVE-2022-33882 | Autodesk | Unspecified vulnerability in Autodesk Desktop 7.0.16.29/8.4.0.50 Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). | 9.8 |
2022-10-03 | CVE-2022-41443 | Phpipam | Improper Encoding or Escaping of Output vulnerability in PHPipam 1.5.0 phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php. | 9.8 |
2022-10-03 | CVE-2022-40721 | Creativedream File Uploader Project | Unrestricted Upload of File with Dangerous Type vulnerability in Creativedream File Uploader Project Creativedream File Uploader 0.3 Arbitrary file upload vulnerability in php uploader | 9.8 |
2022-10-03 | CVE-2022-42302 | Veritas | SQL Injection vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. | 9.8 |
2022-10-03 | CVE-2022-42303 | Veritas | SQL Injection vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. | 9.8 |
2022-10-03 | CVE-2022-42304 | Veritas | SQL Injection vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. | 9.8 |
2022-10-03 | CVE-2022-42307 | Veritas | XXE vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. | 9.8 |
2022-10-07 | CVE-2022-31680 | Vmware | Deserialization of Untrusted Data vulnerability in VMWare Vcenter Server The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). | 9.1 |
2022-10-06 | CVE-2022-39269 | Pjsip | Unspecified vulnerability in Pjsip 2.11/2.11.1/2.12 PJSIP is a free and open source multimedia communication library written in C. | 9.1 |
2022-10-06 | CVE-2022-40895 | Nedi | Information Exposure Through Discrepancy vulnerability in Nedi 1.0.7 In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. | 9.1 |
92 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-07 | CVE-2022-36635 | Zkteco | SQL Injection vulnerability in Zkteco Zkbiosecurity V5000 4.1.3 ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do. | 8.8 |
2022-10-07 | CVE-2022-3276 | Puppet | Unspecified vulnerability in Puppet Puppetlabs-Mysql Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. | 8.8 |
2022-10-07 | CVE-2022-36634 | Zkteco | Incorrect Authorization vulnerability in Zkteco Zkbiosecurity V5000 3.0.5.0R An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request. | 8.8 |
2022-10-07 | CVE-2022-22493 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Automation for IBM Cloud PAK for Watson Aiops IBM WebSphere Automation for Cloud Pak for Watson AIOps 1.4.2 is vulnerable to cross-site request forgery, caused by improper cookie attribute setting. | 8.8 |
2022-10-06 | CVE-2022-41523 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the command parameter in the setTracerouteCfg function. | 8.8 |
2022-10-06 | CVE-2022-41524 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the week, sTime, and eTime parameters in the setParentalRules function. | 8.8 |
2022-10-06 | CVE-2022-41526 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the ip parameter in the setDiagnosisCfg function. | 8.8 |
2022-10-06 | CVE-2022-41527 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the pppoeUser parameter in the setOpModeCfg function. | 8.8 |
2022-10-06 | CVE-2022-41528 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the text parameter in the setSmsCfg function. | 8.8 |
2022-10-06 | CVE-2022-41520 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the File parameter in the UploadCustomModule function. | 8.8 |
2022-10-06 | CVE-2022-41521 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the sPort/ePort parameter in the setIpPortFilterRules function. | 8.8 |
2022-10-06 | CVE-2022-2986 | Moodle | Cross-Site Request Forgery (CSRF) vulnerability in Moodle Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk. | 8.8 |
2022-10-06 | CVE-2022-41517 | Totolink | Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910 TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a stack overflow in the lang parameter in the setLanguageCfg function | 8.8 |
2022-10-06 | CVE-2021-40556 | Asus | Out-of-bounds Write vulnerability in Asus Rt-Ax56U Firmware 3.0.0.4.386.44266 A stack overflow vulnerability exists in the httpd service in ASUS RT-AX56U Router Version 3.0.0.4.386.44266. | 8.8 |
2022-10-06 | CVE-2022-2637 | Hitachi | Improper Privilege Management vulnerability in Hitachi Storage Plug-In 04.8.0 Incorrect Privilege Assignment vulnerability in Hitachi Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation.This issue affects Hitachi Storage Plug-in for VMware vCenter: from 04.8.0 before 04.9.0. | 8.8 |
2022-10-03 | CVE-2022-42301 | Veritas | XXE vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. | 8.8 |
2022-10-03 | CVE-2022-3125 | Najeebmedia | Unrestricted Upload of File with Dangerous Type vulnerability in Najeebmedia Frontend File Manager The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE | 8.8 |
2022-10-03 | CVE-2022-41428 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBits function in mp4mux. | 8.8 |
2022-10-03 | CVE-2022-41429 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_Atom::TypeFromString function in mp4tag. | 8.8 |
2022-10-03 | CVE-2022-41430 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBit function in mp4mux. | 8.8 |
2022-10-03 | CVE-2022-41040 | Microsoft | Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Elevation of Privilege Vulnerability | 8.8 |
2022-10-07 | CVE-2022-41672 | Apache | Insufficient Session Expiration vulnerability in Apache Airflow In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API. | 8.1 |
2022-10-03 | CVE-2022-41082 | Microsoft | Deserialization of Untrusted Data vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 8.0 |
2022-10-07 | CVE-2022-39959 | Panini | Unquoted Search Path or Element vulnerability in Panini Everest Engine 2.0.4 Panini Everest Engine 2.0.4 allows unprivileged users to create a file named Everest.exe in the %PROGRAMDATA%\Panini folder. | 7.8 |
2022-10-07 | CVE-2022-26471 | Deserialization of Untrusted Data vulnerability in Google Android 12.0 In telephony, there is a possible escalation of privilege due to a parcel format mismatch. | 7.8 | |
2022-10-07 | CVE-2022-26472 | Deserialization of Untrusted Data vulnerability in Google Android 10.0/11.0/12.0 In ims, there is a possible escalation of privilege due to a parcel format mismatch. | 7.8 | |
2022-10-07 | CVE-2022-37893 | Arubanetworks Siemens | OS Command Injection vulnerability in multiple products An authenticated command injection vulnerability exists in the Aruba InstantOS and ArubaOS 10 command line interface. | 7.8 |
2022-10-07 | CVE-2021-40162 | Autodesk | Out-of-bounds Read vulnerability in Autodesk products A maliciously crafted TIF, PICT, TGA, or RLC files in Autodesk Image Processing component may be forced to read beyond allocated boundaries when parsing the TIFF, PICT, TGA, or RLC files. | 7.8 |
2022-10-07 | CVE-2021-40163 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A Memory Corruption vulnerability may lead to code execution through maliciously crafted DLL files through Autodesk Image Processing component. | 7.8 |
2022-10-07 | CVE-2021-40164 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A heap-based buffer overflow could occur while parsing TIFF, PICT, TGA, or RLC files. | 7.8 |
2022-10-07 | CVE-2021-40165 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A maliciously crafted TIFF, PICT, TGA, or RLC file in Autodesk Image Processing component may be used to write beyond the allocated buffer while parsing TIFF, PICT, TGA, or RLC files. | 7.8 |
2022-10-07 | CVE-2021-40166 | Autodesk | Use After Free vulnerability in Autodesk products A maliciously crafted PNG file in Autodesk Image Processing component may be used to attempt to free an object that has already been freed while parsing them. | 7.8 |
2022-10-07 | CVE-2022-33896 | Hancom | Buffer Underflow vulnerability in Hancom Office 2020 11.0.0.5357 A buffer underflow vulnerability exists in the way Hword of Hancom Office 2020 version 11.0.0.5357 parses XML-based office files. | 7.8 |
2022-10-07 | CVE-2022-39852 | Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0 A heap-based overflow vulnerability in makeContactAGIF in libagifencoder.quram.so library prior to SMR Oct-2022 Release 1 allows attacker to perform code execution. | 7.8 | |
2022-10-07 | CVE-2022-39853 | Use After Free vulnerability in Google Android 10.0/11.0/12.0 A use after free vulnerability in perf-mgr driver prior to SMR Oct-2022 Release 1 allows attacker to cause memory access fault. | 7.8 | |
2022-10-07 | CVE-2022-39854 | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Improper protection in IOMMU prior to SMR Oct-2022 Release 1 allows unauthorized access to secure memory. | 7.8 | |
2022-10-07 | CVE-2022-39858 | Samsung | Path Traversal vulnerability in Samsung Factorycamera 2.1.96 Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write arbitrary file as FactoryCamera privilege. | 7.8 |
2022-10-06 | CVE-2022-26235 | Beckmancoulter | Incorrect Default Permissions vulnerability in Beckmancoulter Remisol Advance A vulnerability was discovered in the Remisol Advance v2.0.12.1 and below for the Normand Message Server. | 7.8 |
2022-10-03 | CVE-2022-33883 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted file consumed through Moldflow Synergy, Moldflow Adviser, Moldflow Communicator, and Advanced Material Exchange applications could lead to memory corruption vulnerability. | 7.8 |
2022-10-03 | CVE-2022-33885 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A maliciously crafted X_B, CATIA, and PDF file when parsed through Autodesk AutoCAD 2023 and 2022 can be used to write beyond the allocated buffer. | 7.8 |
2022-10-03 | CVE-2022-33886 | Autodesk | Improper Handling of Exceptional Conditions vulnerability in Autodesk products A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023 and 2022. | 7.8 |
2022-10-03 | CVE-2022-33887 | Autodesk | Improper Handling of Exceptional Conditions vulnerability in Autodesk products A maliciously crafted PDF file when parsed through Autodesk AutoCAD 2023 causes an unhandled exception. | 7.8 |
2022-10-03 | CVE-2022-33888 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted Dwg2Spd file when processed through Autodesk DWG application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-03 | CVE-2022-33889 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A maliciously crafted GIF or JPEG files when parsed through Autodesk Design Review 2018, and AutoCAD 2023 and 2022 could be used to write beyond the allocated heap buffer. | 7.8 |
2022-10-03 | CVE-2022-33890 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A maliciously crafted PCT or DWF file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation. | 7.8 |
2022-10-03 | CVE-2022-40764 | Snyk | OS Command Injection vulnerability in Snyk CLI and Golang CLI Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. | 7.8 |
2022-10-03 | CVE-2022-41301 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Subassembly Composer A maliciously crafted PKT file when consumed through SubassemblyComposer.exe application could lead to memory corruption vulnerability by read access violation. | 7.8 |
2022-10-09 | CVE-2022-3436 | WEB Based Student Clearance System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System 1.0 A vulnerability classified as critical was found in SourceCodester Web-Based Student Clearance System 1.0. | 7.5 |
2022-10-07 | CVE-2022-39289 | Zoneminder | Missing Authorization vulnerability in Zoneminder ZoneMinder is a free, open source Closed-circuit television software application. | 7.5 |
2022-10-07 | CVE-2022-41574 | Gradle | Incorrect Authorization vulnerability in Gradle Enterprise An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. | 7.5 |
2022-10-07 | CVE-2022-32589 | Google Linuxfoundation | Improper Resource Shutdown or Release vulnerability in multiple products In Wi-Fi driver, there is a possible way to disconnect Wi-Fi due to an improper resource release. | 7.5 |
2022-10-07 | CVE-2022-32591 | Improper Input Validation vulnerability in Google Android 11.0/12.0 In ril, there is a possible system crash due to an incorrect bounds check. | 7.5 | |
2022-10-07 | CVE-2022-22480 | IBM | Unspecified vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts which could result in information disclosure. | 7.5 |
2022-10-07 | CVE-2022-39864 | Samsung | Unspecified vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12 Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent. | 7.5 |
2022-10-07 | CVE-2022-39865 | Samsung | Unspecified vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25 Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | 7.5 |
2022-10-07 | CVE-2022-39866 | Samsung | Unspecified vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25 Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | 7.5 |
2022-10-07 | CVE-2022-39867 | Samsung | Unspecified vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25 Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast. | 7.5 |
2022-10-07 | CVE-2022-39868 | Samsung | Unspecified vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25 Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | 7.5 |
2022-10-07 | CVE-2022-39869 | Samsung | Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25 Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast. | 7.5 |
2022-10-07 | CVE-2022-39870 | Samsung | Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25 Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast. | 7.5 |
2022-10-07 | CVE-2022-39871 | Samsung | Exposure of Resource to Wrong Sphere vulnerability in Samsung Smartthings 1.7.73.22/1.7.85.12/1.7.85.25 Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts. | 7.5 |
2022-10-07 | CVE-2022-3422 | Tooljet | Improper Privilege Management vulnerability in Tooljet Account Takeover :: when see the info i can see the hash pass i can creaked it ............... | 7.5 |
2022-10-06 | CVE-2022-27810 | Uncontrolled Recursion vulnerability in Facebook Hermes It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. | 7.5 | |
2022-10-06 | CVE-2022-41556 | Lighttpd Fedoraproject | Memory Leak vulnerability in multiple products A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. | 7.5 |
2022-10-06 | CVE-2022-31008 | Vmware | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in VMWare Rabbitmq RabbitMQ is a multi-protocol messaging and streaming broker. | 7.5 |
2022-10-06 | CVE-2022-39273 | Flyte | Use of Hard-coded Credentials vulnerability in Flyte Flyteadmin FlyteAdmin is the control plane for the data processing platform Flyte. | 7.5 |
2022-10-06 | CVE-2022-39280 | Pyup | Unspecified vulnerability in Pyup Dependency Parser dparse is a parser for Python dependency files. | 7.5 |
2022-10-06 | CVE-2022-3389 | Ikus Soft | Path Traversal vulnerability in Ikus-Soft Rdiffweb Path Traversal in GitHub repository ikus060/rdiffweb prior to 2.4.10. | 7.5 |
2022-10-03 | CVE-2022-33884 | Autodesk | Out-of-bounds Read vulnerability in Autodesk products Parsing a maliciously crafted X_B file can force Autodesk AutoCAD 2023 and 2022 to read beyond allocated boundaries. | 7.5 |
2022-10-03 | CVE-2022-42299 | Veritas | Unspecified vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. | 7.5 |
2022-10-03 | CVE-2022-42305 | Veritas | Path Traversal vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. | 7.5 |
2022-10-03 | CVE-2022-38817 | Linuxfoundation | Missing Authentication for Critical Function vulnerability in Linuxfoundation Dapr Dashboard Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data. | 7.5 |
2022-10-07 | CVE-2022-41377 | Online PET Shop WE APP Project | SQL Injection vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0 Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=maintenance/manage_category. | 7.2 |
2022-10-07 | CVE-2022-41378 | Online PET Shop WE APP Project | SQL Injection vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0 Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=inventory/manage_inventory. | 7.2 |
2022-10-07 | CVE-2022-41379 | Online Leave Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Leave Management System Project Online Leave Management System 1.0 An arbitrary file upload vulnerability in the component /leave_system/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 7.2 |
2022-10-07 | CVE-2022-42073 | Online Diagnostic LAB Management System Project | SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0 Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editclient.php?id=. | 7.2 |
2022-10-07 | CVE-2022-42074 | Online Diagnostic LAB Management System Project | SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0 Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editcategory.php?id=. | 7.2 |
2022-10-07 | CVE-2022-41512 | Online Diagnostic LAB Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0 An arbitrary file upload vulnerability in the component /php_action/editFile.php of Online Diagnostic Lab Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 7.2 |
2022-10-07 | CVE-2022-41513 | Online Diagnostic LAB Management System Project | SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0 Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /diagnostic/edittest.php. | 7.2 |
2022-10-07 | CVE-2022-41514 | Open Source Sacco Management System Project | SQL Injection vulnerability in Open Source Sacco Management System Project Open Source Sacco Management System 1.0 Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_loan. | 7.2 |
2022-10-07 | CVE-2022-41515 | Open Source Sacco Management System Project | SQL Injection vulnerability in Open Source Sacco Management System Project Open Source Sacco Management System 1.0 Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_payment. | 7.2 |
2022-10-07 | CVE-2022-42092 | Backdropcms | Unrestricted Upload of File with Dangerous Type vulnerability in Backdropcms Backdrop CMS 1.22.0 Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution. | 7.2 |
2022-10-06 | CVE-2022-41355 | Online Leave Management System Project | SQL Injection vulnerability in Online Leave Management System Project Online Leave Management System 1.0 Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /leave_system/classes/Master.php?f=delete_department. | 7.2 |
2022-10-06 | CVE-2022-42242 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/classes/Master.php?f=delete_booking. | 7.2 |
2022-10-06 | CVE-2022-42243 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/manage_storage.php?id=. | 7.2 |
2022-10-06 | CVE-2022-42249 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/view_storage.php?id=. | 7.2 |
2022-10-06 | CVE-2022-42250 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/inquiries/view_details.php?id=. | 7.2 |
2022-10-06 | CVE-2022-42457 | Generex | Unspecified vulnerability in Generex Cs141 Firmware Generex CS141 through 2.10 allows remote command execution by administrators via a web interface that reaches run_update in /usr/bin/gxserve-update.sh (e.g., command execution can occur via a reverse shell installed by install.sh). | 7.2 |
2022-10-06 | CVE-2022-42241 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/classes/Master.php?f=delete_message. | 7.2 |
2022-10-06 | CVE-2022-39265 | Mybb | Injection vulnerability in Mybb MyBB is a free and open source forum software. | 7.2 |
2022-10-03 | CVE-2022-40886 | Dedecms | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7.98 DedeCMS 5.7.98 has a file upload vulnerability in the background. | 7.2 |
2022-10-03 | CVE-2022-42308 | Veritas | Path Traversal vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. | 7.1 |
84 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-07 | CVE-2022-26452 | Improper Locking vulnerability in Google Android In isp, there is a possible use after free due to improper locking. | 6.7 | |
2022-10-07 | CVE-2022-26473 | Improper Locking vulnerability in Google Android 12.0 In vdec fmt, there is a possible use after free due to improper locking. | 6.7 | |
2022-10-07 | CVE-2022-26474 | Incorrect Calculation of Buffer Size vulnerability in Google Android 12.0 In sensorhub, there is a possible out of bounds write due to an incorrect calculation of buffer size. | 6.7 | |
2022-10-07 | CVE-2022-26475 | Linuxfoundation | Out-of-bounds Write vulnerability in multiple products In wlan, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-10-07 | CVE-2022-32590 | Linuxfoundation | Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products In wlan, there is a possible use after free due to an incorrect status check. | 6.7 |
2022-10-07 | CVE-2022-32592 | Google Linuxfoundation | Out-of-bounds Write vulnerability in multiple products In cpu dvfs, there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-10-07 | CVE-2022-32593 | Out-of-bounds Write vulnerability in Google Android 12.0 In vowe, there is a possible out of bounds write due to a missing bounds check. | 6.7 | |
2022-10-06 | CVE-2022-2975 | Avaya | Incorrect Permission Assignment for Critical Resource vulnerability in Avaya Aura Application Enablement Services A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. | 6.7 |
2022-10-08 | CVE-2022-39281 | Fatfreecrm | Unspecified vulnerability in Fatfreecrm fat_free_crm is a an open source, Ruby on Rails customer relationship management platform (CRM). | 6.5 |
2022-10-07 | CVE-2022-31681 | Vmware | NULL Pointer Dereference vulnerability in VMWare Esxi VMware ESXi contains a null-pointer deference vulnerability. | 6.5 |
2022-10-07 | CVE-2022-39290 | Zoneminder | Improper Authentication vulnerability in Zoneminder ZoneMinder is a free, open source Closed-circuit television software application. | 6.5 |
2022-10-07 | CVE-2022-39287 | Tiny Csrf Project | Cleartext Transmission of Sensitive Information vulnerability in Tiny-Csrf Project Tiny-Csrf tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. | 6.5 |
2022-10-07 | CVE-2022-37894 | Arubanetworks Siemens | An unauthenticated Denial of Service (DoS) vulnerability exists in the handling of certain SSID strings by Aruba InstantOS and ArubaOS 10. | 6.5 |
2022-10-07 | CVE-2022-21936 | Johnsoncontrols | Improper Authentication vulnerability in Johnsoncontrols Metasys Extended Application and Data Server 12.0 On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. | 6.5 |
2022-10-07 | CVE-2022-36772 | IBM | Unspecified vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that should only be available to a privileged user. | 6.5 |
2022-10-07 | CVE-2022-41291 | IBM | Insufficient Session Expiration vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | 6.5 |
2022-10-07 | CVE-2022-3423 | Xgenecloud | Allocation of Resources Without Limits or Throttling vulnerability in Xgenecloud Nocodb Allocation of Resources Without Limits or Throttling in GitHub repository nocodb/nocodb prior to 0.92.0. | 6.5 |
2022-10-07 | CVE-2022-2928 | ISC Debian Fedoraproject | NULL Pointer Dereference vulnerability in multiple products In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. | 6.5 |
2022-10-07 | CVE-2022-2929 | ISC Debian Fedoraproject | Allocation of Resources Without Limits or Throttling vulnerability in multiple products In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory. | 6.5 |
2022-10-06 | CVE-2022-39222 | Linuxfoundation | Missing Authorization vulnerability in Linuxfoundation DEX Dex is an identity service that uses OpenID Connect to drive authentication for other apps. | 6.5 |
2022-10-06 | CVE-2022-40159 | Apache | Out-of-bounds Write vulnerability in Apache Commons Jxpath ** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. | 6.5 |
2022-10-06 | CVE-2022-40160 | Apache | Out-of-bounds Write vulnerability in Apache Commons Jxpath ** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. | 6.5 |
2022-10-06 | CVE-2022-41294 | IBM | Origin Validation Error vulnerability in IBM Robotic Process Automation IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, 21.0.3, and 21.0.4 is vulnerable to cross origin resource sharing using the bot api. | 6.5 |
2022-10-06 | CVE-2022-26240 | Beckmancoulter | Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance The default privileges for the running service Normand Message Buffer in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. | 6.5 |
2022-10-03 | CVE-2022-42300 | Veritas | Unspecified vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. | 6.5 |
2022-10-03 | CVE-2022-41419 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_Processor::Process function in the mp4encrypt binary. | 6.5 |
2022-10-03 | CVE-2022-41423 | Axiosys | Unspecified vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a segmentation violation in the mp4fragment component. | 6.5 |
2022-10-03 | CVE-2022-41424 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_SttsAtom::Create function in mp42hls. | 6.5 |
2022-10-03 | CVE-2022-41425 | Axiosys | Unspecified vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a segmentation violation via the AP4_Processor::ProcessFragments function in mp4decrypt. | 6.5 |
2022-10-03 | CVE-2022-41426 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_AtomFactory::CreateAtomFromStream function in mp4split. | 6.5 |
2022-10-03 | CVE-2022-41427 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a memory leak in the AP4_AvcFrameParser::Feed function in mp4mux. | 6.5 |
2022-10-03 | CVE-2022-40123 | Mojoportal | Path Traversal vulnerability in Mojoportal 2.7.0.0 mojoPortal v2.7 was discovered to contain a path traversal vulnerability via the "f" parameter at /DesignTools/CssEditor.aspx. | 6.5 |
2022-10-03 | CVE-2022-40922 | Lief Project | Unspecified vulnerability in Lief-Project Lief 0.12.1 A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. | 6.5 |
2022-10-03 | CVE-2022-36551 | Heartex | Server-Side Request Forgery (SSRF) vulnerability in Heartex Label Studio A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. | 6.5 |
2022-10-07 | CVE-2022-41442 | Picuploader Project | Cross-site Scripting vulnerability in Picuploader Project Picuploader 2.6.3 PicUploader v2.6.3 was discovered to contain cross-site scripting (XSS) vulnerability via the setStorageParams function in SettingController.php. | 6.1 |
2022-10-07 | CVE-2022-37896 | Arubanetworks Siemens | Cross-site Scripting vulnerability in multiple products A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. | 6.1 |
2022-10-07 | CVE-2020-15855 | Redhat | Cross-site Scripting vulnerability in Redhat Bodhi Two cross-site scripting vulnerabilities were fixed in Bodhi 5.6.1. | 6.1 |
2022-10-06 | CVE-2022-38709 | IBM | Cross-site Scripting vulnerability in IBM Robotic Process Automation for Cloud PAK IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 for Cloud Pak is vulnerable to cross-site scripting. | 6.1 |
2022-10-06 | CVE-2022-22503 | IBM | Improper Restriction of Rendered UI Layers or Frames vulnerability in IBM products IBM Robotic Process Automation 21.0.0 could allow a remote attacker to hijack the clicking action of the victim. | 6.1 |
2022-10-03 | CVE-2022-42247 | Pfsense | Cross-site Scripting vulnerability in Pfsense 2.5.2 pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. | 6.1 |
2022-10-09 | CVE-2022-42703 | Linux | Use After Free vulnerability in Linux Kernel mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse. | 5.5 |
2022-10-07 | CVE-2022-30613 | IBM | Unspecified vulnerability in IBM Qradar Security Information and Event Manager IBM QRadar SIEM 7.4 and 7.5 could disclose sensitive information via a local service to a privileged user. | 5.5 |
2022-10-07 | CVE-2022-34308 | IBM | Allocation of Resources Without Limits or Throttling vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 could allow a local user to cause a denial of service due to improper load handling. | 5.5 |
2022-10-07 | CVE-2022-39857 | Samsung | Unspecified vulnerability in Samsung Factorycamerafb 3.4.74 Improper access control vulnerability in CameraTestActivity in FactoryCameraFB prior to version 3.5.51 allows attackers to access broadcasting Intent as system uid privilege. | 5.5 |
2022-10-07 | CVE-2022-39874 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Account Sensitive log information leakage vulnerability in Samsung Account prior to version 13.5.0 allows attackers to unauthorized logout. | 5.5 |
2022-10-07 | CVE-2022-39878 | Samsung | Unspecified vulnerability in Samsung Checkout 5.0.53.1 Improper access control vulnerability in Samsung Checkout prior to version 5.0.55.3 allows attackers to access sensitive information via implicit intent broadcast. | 5.5 |
2022-10-06 | CVE-2022-26236 | Beckmancoulter | Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance The default privileges for the running service Normand Remisol Advance Launcher in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. | 5.5 |
2022-10-06 | CVE-2022-26238 | Beckmancoulter | Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance The default privileges for the running service Normand Service Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. | 5.5 |
2022-10-06 | CVE-2022-26237 | Beckmancoulter | Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance The default privileges for the running service Normand Viewer Service in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. | 5.5 |
2022-10-06 | CVE-2022-26239 | Beckmancoulter | Incorrect Permission Assignment for Critical Resource vulnerability in Beckmancoulter Remisol Advance The default privileges for the running service Normand License Manager in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows unprivileged users to overwrite and manipulate executables and libraries. | 5.5 |
2022-10-03 | CVE-2022-42306 | Veritas | NULL Pointer Dereference vulnerability in Veritas Netbackup An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. | 5.5 |
2022-10-03 | CVE-2022-41420 | Nasm | Out-of-bounds Write vulnerability in Nasm Netwide Assembler 2.16 nasm v2.16 was discovered to contain a stack overflow in the Ndisasm component | 5.5 |
2022-10-08 | CVE-2022-3434 | WEB Based Student Clearance System Project | Cross-site Scripting vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System 1.0 A vulnerability was found in SourceCodester Web-Based Student Clearance System. | 5.4 |
2022-10-07 | CVE-2022-39285 | Zoneminder | Cross-site Scripting vulnerability in Zoneminder ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. | 5.4 |
2022-10-07 | CVE-2022-39291 | Zoneminder | Improper Input Validation vulnerability in Zoneminder ZoneMinder is a free, open source Closed-circuit television software application. | 5.4 |
2022-10-07 | CVE-2022-41392 | Totaljs | Cross-site Scripting vulnerability in Totaljs Total.Js 20220820 A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings. | 5.4 |
2022-10-07 | CVE-2022-37892 | Arubanetworks Siemens | Cross-site Scripting vulnerability in multiple products A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. | 5.4 |
2022-10-06 | CVE-2022-39279 | Discourse | Cross-site Scripting vulnerability in Discourse Discourse-Chat 0.3/0.4 discourse-chat is a plugin for the Discourse message board which adds chat functionality. | 5.4 |
2022-10-06 | CVE-2022-39270 | Discourse | Cross-site Scripting vulnerability in Discourse Discotoc DiscoTOC is a Discourse theme component that generates a table of contents for topics. | 5.4 |
2022-10-06 | CVE-2022-39988 | Centreon | Cross-site Scripting vulnerability in Centreon 22.04.0 A cross-site scripting (XSS) vulnerability in Centreon 22.04.0 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Service>Templates service_alias parameter. | 5.4 |
2022-10-06 | CVE-2022-3002 | Yetiforce | Cross-site Scripting vulnerability in Yetiforce Customer Relationship Management Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. | 5.4 |
2022-10-03 | CVE-2022-2839 | Zephyr ONE | Cross-site Scripting vulnerability in Zephyr-One Zephyr Project Manager The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. | 5.4 |
2022-10-03 | CVE-2022-32173 | Orchardcore | Cross-site Scripting vulnerability in Orchardcore In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users. | 5.4 |
2022-10-07 | CVE-2022-41414 | Liferay | Incorrect Default Permissions vulnerability in Liferay Portal An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate usernames, site names, and pages. | 5.3 |
2022-10-07 | CVE-2022-39847 | Use After Free vulnerability in Google Android 10.0/11.0/12.0 Use after free vulnerability in set_nft_pid and signal_handler function of NFC driver prior to SMR Oct-2022 Release 1 allows attackers to perform malicious actions. | 5.3 | |
2022-10-07 | CVE-2022-39877 | Samsung | Unspecified vulnerability in Samsung Group Sharing 10.8.03.2 Improper access control vulnerability in ProfileSharingAccount in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to identify the device. | 5.3 |
2022-10-06 | CVE-2022-36774 | IBM | Unspecified vulnerability in IBM products IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to man in the middle attacks through manipulation of the client proxy configuration. | 5.3 |
2022-10-06 | CVE-2022-3376 | Ikus Soft | Weak Password Requirements vulnerability in Ikus-Soft Rdiffweb Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. | 5.3 |
2022-10-06 | CVE-2022-2781 | Octopus | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octopus Server In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | 5.3 |
2022-10-06 | CVE-2022-2783 | Octopus | Cross-Site Request Forgery (CSRF) vulnerability in Octopus Server In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | 5.3 |
2022-10-03 | CVE-2022-3124 | Najeebmedia | Missing Authorization vulnerability in Najeebmedia Frontend File Manager The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. | 5.3 |
2022-10-07 | CVE-2022-37895 | Arubanetworks Siemens | An unauthenticated Denial of Service (DoS) vulnerability exists in the handling of certain SSID strings by Aruba InstantOS and ArubaOS 10. | 4.9 |
2022-10-03 | CVE-2022-2628 | Dsgvo FOR WP | Cross-site Scripting vulnerability in Dsgvo-For-Wp Dsgvo ALL in ONE for WP The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-10-03 | CVE-2022-2763 | WP Socializer Project | Cross-site Scripting vulnerability in WP Socializer Project WP Socializer The WP Socializer WordPress plugin before 7.3 does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-10-03 | CVE-2022-3128 | Donation Thermometer Project | Cross-site Scripting vulnerability in Donation Thermometer Project Donation Thermometer The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-10-03 | CVE-2022-3132 | Goolytics Project | Cross-site Scripting vulnerability in Goolytics Project Goolytics The Goolytics WordPress plugin before 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-10-07 | CVE-2022-39863 | Samsung | Unspecified vulnerability in Samsung Account Intent redirection vulnerability in Samsung Account prior to version 13.5.01.3 allows attackers to access content providers without permission. | 4.7 |
2022-10-07 | CVE-2022-39873 | Samsung | Unspecified vulnerability in Samsung Internet Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication. | 4.6 |
2022-10-07 | CVE-2022-39875 | Samsung | Unspecified vulnerability in Samsung Account Improper component protection vulnerability in Samsung Account prior to version 13.5.0 allows attackers to unauthorized logout. | 4.4 |
2022-10-06 | CVE-2022-31252 | Suse Opensuse | Incorrect Authorization vulnerability in multiple products A Incorrect Authorization vulnerability in chkstat of SUSE Linux Enterprise Server 12-SP5; openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Leap Micro 5.2 did not consider group writable path components, allowing local attackers with access to a group what can write to a location included in the path to a privileged binary to influence path resolution. | 4.4 |
2022-10-08 | CVE-2022-3435 | Linux Fedoraproject Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A vulnerability classified as problematic has been found in Linux Kernel. | 4.3 |
2022-10-07 | CVE-2022-39855 | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Improper access control vulnerability in FACM application prior to SMR Oct-2022 Release 1 allows a local attacker to connect arbitrary AP and Bluetooth devices. | 4.3 | |
2022-10-06 | CVE-2022-39284 | Codeigniter | Incorrect Permission Assignment for Critical Resource vulnerability in Codeigniter CodeIgniter is a PHP full-stack web framework. | 4.3 |
2022-10-06 | CVE-2022-39275 | Saleor | Incorrect Authorization vulnerability in Saleor Saleor is a headless, GraphQL commerce platform. | 4.3 |
11 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-07 | CVE-2022-39860 | Samsung | Unspecified vulnerability in Samsung Quick Share 13.1.2.4/3.5.14.18/3.5.16.20 Improper access control vulnerability in QuickShare prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast. | 3.5 |
2022-10-07 | CVE-2022-36868 | Unspecified vulnerability in Google Android 11.0/12.0 Improper restriction of broadcasting Intent in MouseNKeyHidDevice prior to SMR Oct-2022 Release 1 leaks MAC address of the connected Bluetooth device. | 3.3 | |
2022-10-07 | CVE-2022-39848 | Information Exposure vulnerability in Google Android 10.0/11.0/12.0 Exposure of sensitive information in AT_Distributor prior to SMR Oct-2022 Release 1 allows local attacker to access SerialNo via log. | 3.3 | |
2022-10-07 | CVE-2022-39849 | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Improper access control in knox_vpn_policy service prior to SMR Oct-2022 Release 1 allows allows unauthorized read of configuration data. | 3.3 | |
2022-10-07 | CVE-2022-39850 | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Improper access control in mum_container_policy service prior to SMR Oct-2022 Release 1 allows allows unauthorized read of configuration data. | 3.3 | |
2022-10-07 | CVE-2022-39851 | Unspecified vulnerability in Google Android 10.0/11.0/12.0 Improper access control vulnerability in CocktailBarService prior to SMR Oct-2022 Release 1 allows local attacker to bind service that require BIND_REMOTEVIEWS permission. | 3.3 | |
2022-10-07 | CVE-2022-39856 | Unspecified vulnerability in Google Android 12.0 Improper access control vulnerability in imsservice application prior to SMR Oct-2022 Release 1 allows local attackers to access call information. | 3.3 | |
2022-10-07 | CVE-2022-39859 | Samsung | Unspecified vulnerability in Samsung Uphelper Library Implicit intent hijacking vulnerability in UPHelper library prior to version 3.0.12 allows attackers to access sensitive information via implicit intent. | 3.3 |
2022-10-07 | CVE-2022-39861 | Samsung | Missing Authorization vulnerability in Samsung Factorycamera 2.1.96 Unprotected Receiver in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to record video without camera privilege. | 3.3 |
2022-10-07 | CVE-2022-39872 | Samsung | Improper Handling of Exceptional Conditions vulnerability in Samsung Sharelive Improper restriction of broadcasting Intent in ShareLive prior to version 13.2.03.5 leaks MAC address of the connected Bluetooth device. | 3.3 |
2022-10-07 | CVE-2022-39876 | Samsung | Information Exposure Through Log Files vulnerability in Samsung Reminder Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI. | 3.3 |