Weekly Vulnerabilities Reports > October 17 to 23, 2022
Overview
404 new vulnerabilities reported during this period, including 69 critical vulnerabilities and 152 high severity vulnerabilities. This weekly summary report vulnerabilities in 601 products from 141 vendors including Jenkins, Debian, Linux, Gitlab, and Qualcomm. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "SQL Injection", "Unrestricted Upload of File with Dangerous Type", and "Missing Authorization".
- 311 reported vulnerabilities are remotely exploitables.
- 4 reported vulnerabilities have public exploit available.
- 106 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 218 reported vulnerabilities are exploitable by an anonymous user.
- Jenkins has the most reported vulnerabilities, with 35 reported vulnerabilities.
- Tenda has the most reported critical vulnerabilities, with 17 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
69 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-19 | CVE-2022-43401 | Jenkins | Unspecified vulnerability in Jenkins Script Security A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
2022-10-19 | CVE-2022-43402 | Jenkins | Unspecified vulnerability in Jenkins Pipeline: Groovy A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
2022-10-19 | CVE-2022-43403 | Jenkins | Unspecified vulnerability in Jenkins Script Security A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
2022-10-19 | CVE-2022-43404 | Jenkins | Unspecified vulnerability in Jenkins Script Security A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
2022-10-19 | CVE-2022-43405 | Jenkins | Unspecified vulnerability in Jenkins Groovy Libraries A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
2022-10-19 | CVE-2022-43406 | Jenkins | Unspecified vulnerability in Jenkins Groovy Libraries A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. | 9.9 |
2022-10-17 | CVE-2022-2884 | Gitlab | OS Command Injection vulnerability in Gitlab A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint | 9.9 |
2022-10-17 | CVE-2022-2992 | Gitlab | Injection vulnerability in Gitlab A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. | 9.9 |
2022-10-21 | CVE-2022-26870 | Dell | Improper Authentication vulnerability in Dell Powerstoreos 2.1.0.0/2.1.0.1 Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. | 9.8 |
2022-10-21 | CVE-2022-43400 | Siemens | Improper Authentication vulnerability in Siemens Siveillance Video Mobile Server A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a (80)). | 9.8 |
2022-10-21 | CVE-2021-42553 | ST | Classic Buffer Overflow vulnerability in ST Stm32 MW USB Host A buffer overflow vulnerability in stm32_mw_usb_host of STMicroelectronics in versions before 3.5.1 allows an attacker to execute arbitrary code when the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS. | 9.8 |
2022-10-21 | CVE-2022-37454 | Extended Keccak Code Package Project Debian Fedoraproject PHP Python Sha3 Project Pysha3 Project Pypy | Integer Overflow or Wraparound vulnerability in multiple products The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. | 9.8 |
2022-10-20 | CVE-2022-3620 | Exim Fedoraproject | A vulnerability was found in Exim and classified as problematic. | 9.8 |
2022-10-20 | CVE-2022-42233 | Tenda | Improper Authentication vulnerability in Tenda 11N Firmware 5.07.33Cn Tenda 11N with firmware version V5.07.33_cn suffers from an Authentication Bypass vulnerability. | 9.8 |
2022-10-20 | CVE-2022-42021 | Best Student Result Management System Project | SQL Injection vulnerability in Best Student Result Management System Project Best Student Result Management System 1.0 Best Student Result Management System v1.0 is vulnerable to SQL Injection via /upresult/upresult/notice-details.php?nid=. | 9.8 |
2022-10-20 | CVE-2022-37298 | Shinken Monitoring | Improper Authentication vulnerability in Shinken-Monitoring Shinken Monitoring 2.4.3 Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. | 9.8 |
2022-10-20 | CVE-2022-37598 | Uglifyjs Project | Unspecified vulnerability in Uglifyjs Project Uglifyjs 3.13.2 Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. | 9.8 |
2022-10-20 | CVE-2022-27624 | Synology | Unspecified vulnerability in Synology Diskstation Manager A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryption functionality of Out-of-Band (OOB) Management. | 9.8 |
2022-10-20 | CVE-2022-27625 | Synology | Unspecified vulnerability in Synology Diskstation Manager A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing functionality of Out-of-Band (OOB) Management. | 9.8 |
2022-10-20 | CVE-2022-3327 | Ikus Soft | Missing Authentication for Critical Function vulnerability in Ikus-Soft Rdiffweb Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6. | 9.8 |
2022-10-19 | CVE-2022-43024 | Tenda | Out-of-bounds Write vulnerability in Tenda TX3 Firmware 16.03.13.11 Tenda TX3 US_TX3V1.0br_V16.03.13.11_multi_TDE01 was discovered to contain a stack overflow via the list parameter at /goform/SetVirtualServerCfg. | 9.8 |
2022-10-19 | CVE-2022-43025 | Tenda | Out-of-bounds Write vulnerability in Tenda TX3 Firmware 16.03.13.11 Tenda TX3 US_TX3V1.0br_V16.03.13.11_multi_TDE01 was discovered to contain a stack overflow via the startIp parameter at /goform/SetPptpServerCfg. | 9.8 |
2022-10-19 | CVE-2022-43026 | Tenda | Out-of-bounds Write vulnerability in Tenda TX3 Firmware 16.03.13.11 Tenda TX3 US_TX3V1.0br_V16.03.13.11_multi_TDE01 was discovered to contain a stack overflow via the endIp parameter at /goform/SetPptpServerCfg. | 9.8 |
2022-10-19 | CVE-2022-43027 | Tenda | Out-of-bounds Write vulnerability in Tenda TX3 Firmware 16.03.13.11 Tenda TX3 US_TX3V1.0br_V16.03.13.11_multi_TDE01 was discovered to contain a stack overflow via the firewallEn parameter at /goform/SetFirewallCfg. | 9.8 |
2022-10-19 | CVE-2022-43028 | Tenda | Out-of-bounds Write vulnerability in Tenda TX3 Firmware 16.03.13.11 Tenda TX3 US_TX3V1.0br_V16.03.13.11_multi_TDE01 was discovered to contain a stack overflow via the timeZone parameter at /goform/SetSysTimeCfg. | 9.8 |
2022-10-19 | CVE-2022-43029 | Tenda | Out-of-bounds Write vulnerability in Tenda TX3 Firmware 16.03.13.11 Tenda TX3 US_TX3V1.0br_V16.03.13.11_multi_TDE01 was discovered to contain a stack overflow via the time parameter at /goform/SetSysTimeCfg. | 9.8 |
2022-10-19 | CVE-2022-43019 | Opencats | Deserialization of Untrusted Data vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality. | 9.8 |
2022-10-19 | CVE-2022-43184 | Dlink | OS Command Injection vulnerability in Dlink Dir-878 Firmware 1.30B08 D-Link DIR878 1.30B08 Hotfix_04 was discovered to contain a command injection vulnerability via the component /bin/proc.cgi. | 9.8 |
2022-10-19 | CVE-2022-41415 | Acer | Out-of-bounds Write vulnerability in Acer Altos W2000H-W570H F4 Firmware R01.03.0018 Acer Altos W2000h-W570h F4 R01.03.0018 was discovered to contain a stack overflow in the RevserveMem component. | 9.8 |
2022-10-19 | CVE-2022-25687 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products memory corruption in video due to buffer overflow while parsing asf clips in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.8 |
2022-10-19 | CVE-2022-25718 | Qualcomm | Unchecked Return Value vulnerability in Qualcomm products Cryptographic issue in WLAN due to improper check on return value while authentication handshake in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 9.8 |
2022-10-19 | CVE-2022-25720 | Qualcomm | Improper Validation of Array Index vulnerability in Qualcomm products Memory corruption in WLAN due to out of bound array access during connect/roaming in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 9.8 |
2022-10-19 | CVE-2022-25748 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Memory corruption in WLAN due to integer overflow to buffer overflow while parsing GTK frames. | 9.8 |
2022-10-19 | CVE-2016-20016 | Mvpower | Unspecified vulnerability in Mvpower Tv-7104He Firmware and Tv7108He Firmware MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. | 9.8 |
2022-10-19 | CVE-2016-20017 | Dlink | Command Injection vulnerability in Dlink Dsl-2750B Firmware D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022. | 9.8 |
2022-10-18 | CVE-2022-39198 | Apache | Unspecified vulnerability in Apache Dubbo A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. | 9.8 |
2022-10-18 | CVE-2022-33872 | Fortinet | OS Command Injection vulnerability in Fortinet Fortitester An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in Telnet login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated remote attacker to execute arbitrary command in the underlying shell. | 9.8 |
2022-10-18 | CVE-2022-33873 | Fortinet | OS Command Injection vulnerability in Fortinet Fortitester An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in Console login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated attacker to execute arbitrary command in the underlying shell. | 9.8 |
2022-10-18 | CVE-2022-33874 | Fortinet | OS Command Injection vulnerability in Fortinet Fortitester An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in SSH login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated remote attacker to execute arbitrary command in the underlying shell. | 9.8 |
2022-10-18 | CVE-2022-41544 | GET Simple | Unspecified vulnerability in Get-Simple Getsimple CMS 3.3.16 GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php. | 9.8 |
2022-10-18 | CVE-2022-43260 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac18 Firmware 15.03.05.19 Tenda AC18 V15.03.05.19(6318) was discovered to contain a stack overflow via the time parameter in the fromSetSysTime function. | 9.8 |
2022-10-18 | CVE-2022-35846 | Fortinet | Improper Restriction of Excessive Authentication Attempts vulnerability in Fortinet Fortitester An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiTester Telnet port 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated attacker to guess the credentials of an admin user via a brute force attack. | 9.8 |
2022-10-18 | CVE-2022-40684 | Fortinet | Improper Authentication vulnerability in Fortinet Fortios, Fortiproxy and Fortiswitchmanager An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. | 9.8 |
2022-10-18 | CVE-2022-3579 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Cashier Queuing System 1.0 A vulnerability classified as critical was found in SourceCodester Cashier Queuing System 1.0. | 9.8 |
2022-10-18 | CVE-2022-3583 | Canteen Management System Project | SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0 A vulnerability was found in SourceCodester Canteen Management System 1.0. | 9.8 |
2022-10-18 | CVE-2022-40889 | Phpok | Deserialization of Untrusted Data vulnerability in PHPok 6.1 Phpok 6.1 has a deserialization vulnerability via framework/phpok_call.php. | 9.8 |
2022-10-18 | CVE-2022-22241 | Juniper | Deserialization of Untrusted Data vulnerability in Juniper Junos An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. | 9.8 |
2022-10-17 | CVE-2022-42149 | Keking | Server-Side Request Forgery (SSRF) vulnerability in Keking Kkfileview 4.0.0 kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java. | 9.8 |
2022-10-17 | CVE-2022-40055 | Gxgroup | Improper Restriction of Excessive Authentication Attempts vulnerability in Gxgroup Gpon ONT Titanium 2122A Firmware T2122V1.26Exl An issue in GX Group GPON ONT Titanium 2122A T2122-V1.26EXL allows attackers to escalate privileges via a brute force attack at the login page. | 9.8 |
2022-10-17 | CVE-2022-0699 | Osgeo | Double Free vulnerability in Osgeo Shapelib 1.5.0 A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases. | 9.8 |
2022-10-17 | CVE-2022-22128 | Tableau | Path Traversal vulnerability in Tableau Server Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent’s internal file transfer service that could allow remote code execution.Tableau only supports product versions for 24 months after release. | 9.8 |
2022-10-17 | CVE-2022-23769 | Megazone | Improper Authentication vulnerability in Megazone Reversewall-Mds 3.8A007 Remote code execution vulnerability due to insufficient user privilege verification in reverseWall-MDS. | 9.8 |
2022-10-17 | CVE-2022-23770 | Wisa | Path Traversal vulnerability in Wisa Smart Wing CMS 1905 This vulnerability could allow a remote attacker to execute remote commands with improper validation of parameters of certain API constructors. | 9.8 |
2022-10-17 | CVE-2022-42154 | 74Cms | Unrestricted Upload of File with Dangerous Type vulnerability in 74Cms 74Cmsse 3.13.0 An arbitrary file upload vulnerability in the component /apiadmin/upload/attach of 74cmsSE v3.13.0 allows attackers to execute arbitrary code via a crafted PHP file. | 9.8 |
2022-10-17 | CVE-2022-42166 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetSpeedWan. | 9.8 |
2022-10-17 | CVE-2022-42167 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetFirewallCfg. | 9.8 |
2022-10-17 | CVE-2022-42168 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromSetIpMacBind. | 9.8 |
2022-10-17 | CVE-2022-42169 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/addWifiMacFilter. | 9.8 |
2022-10-17 | CVE-2022-42170 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formWifiWpsStart. | 9.8 |
2022-10-17 | CVE-2022-42171 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/saveParentControlInfo. | 9.8 |
2022-10-17 | CVE-2022-42237 | Merchandise Online Store Project | SQL Injection vulnerability in Merchandise Online Store Project Merchandise Online Store 1.0 A SQL Injection issue in Merchandise Online Store v.1.0 allows an attacker to log in to the admin account. | 9.8 |
2022-10-17 | CVE-2022-42163 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromNatStaticSetting. | 9.8 |
2022-10-17 | CVE-2022-42164 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetClientState. | 9.8 |
2022-10-17 | CVE-2022-42165 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac10 Firmware 15.03.06.23 Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetDeviceName. | 9.8 |
2022-10-17 | CVE-2022-42980 | GO Admin | Use of Hard-coded Credentials vulnerability in Go-Admin 2.0.12 go-admin (aka GO Admin) 2.0.12 uses the string go-admin as a production JWT key. | 9.8 |
2022-10-19 | CVE-2022-1523 | Fujielectric | Out-of-bounds Write vulnerability in Fujielectric D300Win Fuji Electric D300win prior to version 3.7.1.17 is vulnerable to a write-what-where condition, which could allow an attacker to overwrite program memory to manipulate the flow of information. | 9.1 |
2022-10-19 | CVE-2022-25719 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Information disclosure in WLAN due to improper length check while processing authentication handshake in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 9.1 |
2022-10-17 | CVE-2020-8974 | Zigor | Unrestricted Upload of File with Dangerous Type vulnerability in Zigor ZGR Tps200 NG Firmware 2.00 In ZGR TPS200 NG 2.00 firmware version and 1.01 hardware version, the firmware upload process does not perform any type of restriction. | 9.1 |
2022-10-17 | CVE-2022-32176 | GIN VUE Admin Project | Unspecified vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the "Compress Upload" functionality to the Media Library. | 9.0 |
152 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-21 | CVE-2022-3640 | Linux Fedoraproject Debian | A vulnerability, which was classified as critical, was found in Linux Kernel. | 8.8 |
2022-10-20 | CVE-2022-36958 | Solarwinds | Deserialization of Untrusted Data vulnerability in Solarwinds Orion Platform SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. | 8.8 |
2022-10-20 | CVE-2022-42198 | Simple Exam Reviewer Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Simple Exam Reviewer Management System Project Simple Exam Reviewer Management System 1.0 In Simple Exam Reviewer Management System v1.0 the User List function suffers from insecure file upload. | 8.8 |
2022-10-20 | CVE-2022-42199 | Simple Exam Reviewer Management System Project | Cross-Site Request Forgery (CSRF) vulnerability in Simple Exam Reviewer Management System Project Simple Exam Reviewer Management System 1.0 Simple Exam Reviewer Management System v1.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Exam List. | 8.8 |
2022-10-19 | CVE-2022-41835 | F5 | Unspecified vulnerability in F5 F5Os-A and F5Os-C In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller. | 8.8 |
2022-10-19 | CVE-2022-1414 | Redhat | Improper Input Validation vulnerability in Redhat 3Scale API Management 2.0 3scale API Management 2 does not perform adequate sanitation for user input in multiple fields. | 8.8 |
2022-10-19 | CVE-2022-43407 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Pipeline: Input Step Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with. | 8.8 |
2022-10-19 | CVE-2022-43416 | Jenkins | Unspecified vulnerability in Jenkins Katalon Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary OS commands. | 8.8 |
2022-10-19 | CVE-2022-23734 | Github | Deserialization of Untrusted Data vulnerability in Github Enterprise Server A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. | 8.8 |
2022-10-19 | CVE-2022-39267 | Xbifrost | Improper Authentication vulnerability in Xbifrost Bifrost Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. | 8.8 |
2022-10-19 | CVE-2022-39260 | GIT SCM Fedoraproject Apple Debian | Git is an open source, scalable, distributed revision control system. | 8.8 |
2022-10-19 | CVE-2022-25750 | Qualcomm | Double Free vulnerability in Qualcomm products Memory corruption in BTHOST due to double free while music playback and calls over bluetooth headset in Snapdragon Mobile | 8.8 |
2022-10-18 | CVE-2022-41500 | Eyoucms | Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.5.9 EyouCMS V1.5.9 was discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities via the Members Center, Editorial Membership, and Points Recharge components. | 8.8 |
2022-10-18 | CVE-2022-3584 | Canteen Management System Project | Unspecified vulnerability in Canteen Management System Project Canteen Management System 1.0 A vulnerability was found in SourceCodester Canteen Management System 1.0. | 8.8 |
2022-10-18 | CVE-2022-22239 | Juniper | Improper Privilege Management vulnerability in Juniper Junos OS Evolved An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved allows a locally authenticated attacker with low privileges to escalate their privileges on the device and potentially remote systems. | 8.8 |
2022-10-18 | CVE-2022-22246 | Juniper | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Juniper Junos A PHP Local File Inclusion (LFI) vulnerability in the J-Web component of Juniper Networks Junos OS may allow a low-privileged authenticated attacker to execute an untrusted PHP file. | 8.8 |
2022-10-17 | CVE-2020-8976 | Zigor | Cross-Site Request Forgery (CSRF) vulnerability in Zigor ZGR Tps200 NG Firmware 2.00 The integrated server of the ZGR TPS200 NG on its 2.00 firmware version and 1.01 hardware version, allows a remote attacker to perform actions with the permissions of a victim user. | 8.8 |
2022-10-17 | CVE-2022-3158 | Rockwellautomation | SQL Injection vulnerability in Rockwellautomation Factorytalk Vantagepoint Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an input validation vulnerability. | 8.8 |
2022-10-17 | CVE-2022-38743 | Rockwellautomation | Unspecified vulnerability in Rockwellautomation Factorytalk Vantagepoint Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an improper access control vulnerability. | 8.8 |
2022-10-17 | CVE-2022-3368 | Avira | Unspecified vulnerability in Avira Security 1.1.71.30554 A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. | 8.8 |
2022-10-17 | CVE-2022-42029 | Chamilo | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo 1.11.16 Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory. | 8.8 |
2022-10-17 | CVE-2019-14841 | Redhat | Improper Preservation of Permissions vulnerability in Redhat Decision Manager and Process Automation A flaw was found in the RHDM, where an authenticated attacker can change their assigned role in the response header. | 8.8 |
2022-10-17 | CVE-2022-23771 | Iptime | Cross-Site Request Forgery (CSRF) vulnerability in Iptime products This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. | 8.8 |
2022-10-17 | CVE-2022-42221 | Netgear | Unspecified vulnerability in Netgear R6220 Firmware 1.1.0.1141.0.1 Netgear R6220 v1.1.0.114_1.0.1 suffers from Incorrect Access Control, resulting in a command injection vulnerability. | 8.8 |
2022-10-17 | CVE-2022-3550 | X ORG Debian Fedoraproject | A vulnerability classified as critical was found in X.org Server. | 8.8 |
2022-10-17 | CVE-2022-42983 | Anji Plus | Authentication Bypass by Spoofing vulnerability in Anji-Plus Aj-Report 0.9.8.6 anji-plus AJ-Report 0.9.8.6 allows remote attackers to bypass login authentication by spoofing JWT Tokens. | 8.8 |
2022-10-19 | CVE-2022-3608 | Phpmyfaq | Cross-site Scripting vulnerability in PHPmyfaq Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-alpha. | 8.4 |
2022-10-21 | CVE-2022-1066 | Aethon | Missing Authorization vulnerability in Aethon TUG Home Base Server Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials. | 8.2 |
2022-10-21 | CVE-2022-1070 | Aethon | Missing Authorization vulnerability in Aethon TUG Home Base Server Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials. | 8.1 |
2022-10-20 | CVE-2022-27626 | Synology | Unspecified vulnerability in Synology Diskstation Manager A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. | 8.1 |
2022-10-19 | CVE-2022-23241 | Netapp | Unspecified vulnerability in Netapp Clustered Data Ontap 9.11.1 Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period. | 8.1 |
2022-10-18 | CVE-2022-41541 | TP Link | Authentication Bypass by Capture-replay vulnerability in Tp-Link Ax10 Firmware V1211117 TP-Link AX10v1 V1_211117 allows attackers to execute a replay attack by using a previously transmitted encrypted authentication message and valid authentication token. | 8.1 |
2022-10-18 | CVE-2022-31122 | Wire | Improper Authentication vulnerability in Wire Server Wire is an encrypted communication and collaboration platform. | 8.1 |
2022-10-17 | CVE-2020-8973 | Zigor | Unspecified vulnerability in Zigor ZGR Tps200 NG Firmware 2.00 ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, does not properly accept specially constructed requests. | 8.1 |
2022-10-17 | CVE-2022-2527 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.which allowed an authenticated attacker to inject arbitrary content. | 8.0 |
2022-10-17 | CVE-2022-3534 | Linux | Use After Free vulnerability in Linux Kernel A vulnerability classified as critical has been found in Linux Kernel. | 8.0 |
2022-10-21 | CVE-2022-41309 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-21 | CVE-2022-41310 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-21 | CVE-2022-42933 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-21 | CVE-2022-42934 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-21 | CVE-2022-42935 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-21 | CVE-2022-42936 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-21 | CVE-2022-42937 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted .dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by write access violation. | 7.8 |
2022-10-21 | CVE-2022-42938 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted TGA file when consumed through DesignReview.exe application could lead to memory corruption vulnerability. | 7.8 |
2022-10-21 | CVE-2022-42939 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted TGA file when consumed through DesignReview.exe application could lead to memory corruption vulnerability. | 7.8 |
2022-10-21 | CVE-2022-42940 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted TGA file when consumed through DesignReview.exe application could lead to memory corruption vulnerability. | 7.8 |
2022-10-21 | CVE-2022-42941 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation. | 7.8 |
2022-10-21 | CVE-2022-42942 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation. | 7.8 |
2022-10-21 | CVE-2022-42943 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation. | 7.8 |
2022-10-21 | CVE-2022-42944 | Autodesk | Out-of-bounds Write vulnerability in Autodesk products A malicious crafted dwf or .pct file when consumed through DesignReview.exe application could lead to memory corruption vulnerability by read access violation. | 7.8 |
2022-10-21 | CVE-2022-36122 | Automox | Incorrect Permission Assignment for Critical Resource vulnerability in Automox The Automox Agent before 40 on Windows incorrectly sets permissions on key files. | 7.8 |
2022-10-21 | CVE-2022-3636 | Linux Debian | A vulnerability, which was classified as critical, was found in Linux Kernel. | 7.8 |
2022-10-21 | CVE-2022-3625 | Linux Debian | A vulnerability was found in Linux Kernel. | 7.8 |
2022-10-20 | CVE-2022-2069 | Siemens | Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization The APDFL.dll in Siemens JT2Go prior to V13.3.0.5 and Siemens Teamcenter Visualization prior to V14.0.0.2 contains an out of bounds write past the fixed-length heap-based buffer while parsing specially crafted PDF files. | 7.8 |
2022-10-20 | CVE-2022-3577 | Linux | Out-of-bounds Write vulnerability in Linux Kernel An out-of-bounds memory write flaw was found in the Linux kernel’s Kid-friendly Wired Controller driver. | 7.8 |
2022-10-20 | CVE-2022-42176 | Pctechsoft | Use of Hard-coded Credentials vulnerability in Pctechsoft Pcsecure 5.0.8.Xw In PCTechSoft PCSecure V5.0.8.xw, use of Hard-coded Credentials in configuration files leads to admin panel access. | 7.8 |
2022-10-20 | CVE-2020-12744 | Verint | Improper Preservation of Permissions vulnerability in Verint Desktop and Process Analytics 15.2 The MSI installer in Verint Desktop Resources 15.2 allows an unprivileged local user to elevate their privileges during install or repair. | 7.8 |
2022-10-19 | CVE-2022-41741 | F5 Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. | 7.8 |
2022-10-19 | CVE-2022-41709 | Markdownify Project | Unspecified vulnerability in Markdownify Project Markdownify 1.4.1 Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. | 7.8 |
2022-10-19 | CVE-2022-43040 | Gpac | Out-of-bounds Write vulnerability in Gpac GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c. | 7.8 |
2022-10-19 | CVE-2022-43042 | Gpac | Out-of-bounds Write vulnerability in Gpac GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c. | 7.8 |
2022-10-19 | CVE-2022-22077 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption in graphics due to use-after-free in graphics dispatcher logic in Snapdragon Mobile | 7.8 |
2022-10-19 | CVE-2022-25660 | Qualcomm | Double Free vulnerability in Qualcomm products Memory corruption due to double free issue in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2022-10-19 | CVE-2022-25661 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Memory corruption due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | 7.8 |
2022-10-19 | CVE-2022-25723 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption in multimedia due to use after free during callback registration failure in Snapdragon Mobile | 7.8 |
2022-10-19 | CVE-2022-33210 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Memory corruption in automotive multimedia due to use of out-of-range pointer offset while parsing command request packet with a very large type value. | 7.8 |
2022-10-19 | CVE-2022-33217 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Memory corruption in Qualcomm IPC due to buffer copy without checking the size of input while starting communication with a compromised kernel. | 7.8 |
2022-10-18 | CVE-2022-36438 | Asus | Incorrect Default Permissions vulnerability in Asus Asusswitch and System Control Interface AsusSwitch.exe on ASUS personal computers (running Windows) sets weak file permissions, leading to local privilege escalation (this also can be used to delete files within the system arbitrarily). | 7.8 |
2022-10-18 | CVE-2021-3305 | Feishu | Untrusted Search Path vulnerability in Feishu 3.40.3/3.41.3 Beijing Feishu Technology Co., Ltd Feishu v3.40.3 was discovered to contain an untrusted search path vulnerability. | 7.8 |
2022-10-17 | CVE-2022-3569 | Synacor | Unspecified vulnerability in Synacor Zimbra Collaboration Suite Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'. | 7.8 |
2022-10-17 | CVE-2022-3565 | Linux | Improper Synchronization vulnerability in Linux Kernel A vulnerability, which was classified as critical, has been found in Linux Kernel. | 7.8 |
2022-10-17 | CVE-2022-41751 | Jhead Project Fedoraproject Debian | OS Command Injection vulnerability in multiple products Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option. | 7.8 |
2022-10-17 | CVE-2022-3541 | Linux | Unspecified vulnerability in Linux Kernel A vulnerability classified as critical has been found in Linux Kernel. | 7.8 |
2022-10-17 | CVE-2022-3545 | Linux Netapp Debian | A vulnerability has been found in Linux Kernel and classified as critical. | 7.8 |
2022-10-21 | CVE-2022-23462 | Softmotions | Out-of-bounds Write vulnerability in Softmotions Iowow IOWOW is a C utility library and persistent key/value storage engine. | 7.5 |
2022-10-21 | CVE-2022-34439 | Dell | Allocation of Resources Without Limits or Throttling vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. | 7.5 |
2022-10-21 | CVE-2022-26423 | Aethon | Missing Authorization vulnerability in Aethon TUG Home Base Server Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials. | 7.5 |
2022-10-21 | CVE-2022-3639 | Gitlab | Resource Exhaustion vulnerability in Gitlab A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 10.8 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. | 7.5 |
2022-10-21 | CVE-2022-41575 | Gradle | Insufficiently Protected Credentials vulnerability in Gradle Enterprise 2022.3.1/2022.3.2 A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). | 7.5 |
2022-10-20 | CVE-2022-37453 | Softing | Out-of-bounds Write vulnerability in Softing products An issue was discovered in Softing OPC UA C++ SDK before 6.10. | 7.5 |
2022-10-20 | CVE-2022-39823 | Softing | Use After Free vulnerability in Softing OPC and OPC UA C++ Software Development KIT An issue was discovered in Softing OPC UA C++ SDK 5.66 through 6.x before 6.10. | 7.5 |
2022-10-20 | CVE-2022-3623 | Linux Debian | A vulnerability was found in Linux Kernel. | 7.5 |
2022-10-20 | CVE-2022-3576 | Synology | Unspecified vulnerability in Synology Diskstation Manager A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. | 7.5 |
2022-10-19 | CVE-2022-36795 | F5 | Unspecified vulnerability in F5 products In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, and 14.1.x before 14.1.5.1, when an LTM TCP profile with Auto Receive Window Enabled is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. | 7.5 |
2022-10-19 | CVE-2022-41624 | F5 | Unspecified vulnerability in F5 products In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x before 14.1.5.2, and 13.1.x before 13.1.5.1, when a sideband iRule is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. | 7.5 |
2022-10-19 | CVE-2022-41691 | F5 | Unspecified vulnerability in F5 Big-Ip Application Security Manager When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. | 7.5 |
2022-10-19 | CVE-2022-41787 | F5 | Unspecified vulnerability in F5 Big-Ip Local Traffic Manager In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when DNS profile is configured on a virtual server with DNS Express enabled, undisclosed DNS queries with DNSSEC can cause TMM to terminate. | 7.5 |
2022-10-19 | CVE-2022-41806 | F5 | Resource Exhaustion vulnerability in F5 Big-Ip Advanced Firewall Manager In versions 16.1.x before 16.1.3.2 and 15.1.x before 15.1.5.1, when BIG-IP AFM Network Address Translation policy with IPv6/IPv4 translation rules is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. | 7.5 |
2022-10-19 | CVE-2022-41832 | F5 | Unspecified vulnerability in F5 products In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when a SIP profile is configured on a virtual server, undisclosed messages can cause an increase in memory resource utilization. | 7.5 |
2022-10-19 | CVE-2022-41833 | F5 | Unspecified vulnerability in F5 products In all BIG-IP 13.1.x versions, when an iRule containing the HTTP::collect command is configured on a virtual server, undisclosed requests can cause Traffic Management Microkernel (TMM) to terminate. | 7.5 |
2022-10-19 | CVE-2022-41836 | F5 | Unspecified vulnerability in F5 products When an 'Attack Signature False Positive Mode' enabled security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. | 7.5 |
2022-10-19 | CVE-2013-4253 | Redhat | Exposure of Resource to Wrong Sphere vulnerability in Redhat Openshift 1.0 The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file. | 7.5 |
2022-10-19 | CVE-2022-1738 | Fujielectric | Out-of-bounds Read vulnerability in Fujielectric D300Win Fuji Electric D300win prior to version 3.7.1.17 is vulnerable to an out-of-bounds read, which could allow an attacker to leak sensitive data from the process memory. | 7.5 |
2022-10-19 | CVE-2022-42227 | Jsonlint Project | Out-of-bounds Write vulnerability in Jsonlint Project Jsonlint C++ 1.0 jsonlint 1.0 is vulnerable to heap-buffer-overflow via /home/hjsz/jsonlint/src/lexer. | 7.5 |
2022-10-19 | CVE-2022-43415 | Jenkins | XXE vulnerability in Jenkins Repo 1.14.0/1.15.0 Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.5 |
2022-10-19 | CVE-2022-43429 | Jenkins | Unspecified vulnerability in Jenkins Compuware Topaz for Total Test Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. | 7.5 |
2022-10-19 | CVE-2022-43430 | Jenkins | XXE vulnerability in Jenkins Compuware Topaz for Total Test Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 7.5 |
2022-10-19 | CVE-2020-23648 | Asus | Missing Authentication for Critical Function vulnerability in Asus Rt-N12E Firmware 2.0.0.39 Asus RT-N12E 2.0.0.39 is affected by an incorrect access control vulnerability. | 7.5 |
2022-10-19 | CVE-2022-25662 | Qualcomm | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products Information disclosure due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 7.5 |
2022-10-19 | CVE-2022-25736 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Denial of service in WLAN due to out-of-bound read happens while processing VHT action frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 7.5 |
2022-10-19 | CVE-2022-25749 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Transient Denial-of-Service in WLAN due to buffer over-read while parsing MDNS frames. | 7.5 |
2022-10-19 | CVE-2022-33077 | Nopcommerce | Authorization Bypass Through User-Controlled Key vulnerability in Nopcommerce An access control issue in nopcommerce v4.50.2 allows attackers to arbitrarily modify any customer's address via the addressedit endpoint. | 7.5 |
2022-10-19 | CVE-2022-40798 | Ocomon Project | Unspecified vulnerability in Ocomon Project Ocomon 3.3/4.0 OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. | 7.5 |
2022-10-18 | CVE-2022-42188 | Lavalite | Path Traversal vulnerability in Lavalite 9.0.0 In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. | 7.5 |
2022-10-18 | CVE-2022-29055 | Fortinet | Access of Uninitialized Pointer vulnerability in Fortinet Fortios and Fortiproxy A access of uninitialized pointer in Fortinet FortiOS version 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.x, FortiProxy version 7.0.0 through 7.0.4, 2.0.0 through 2.0.9, 1.2.x allows a remote unauthenticated or authenticated attacker to crash the sslvpn daemon via an HTTP GET request. | 7.5 |
2022-10-18 | CVE-2022-41547 | Opensecurity | Unspecified vulnerability in Opensecurity Mobile Security Framework Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. | 7.5 |
2022-10-18 | CVE-2022-43259 | Tenda | Out-of-bounds Write vulnerability in Tenda Ac15 Firmware 15.03.05.18/15.03.05.19 Tenda AC15 V15.03.05.18 was discovered to contain a stack overflow via the timeZone parameter in the form_fast_setting_wifi_set function. | 7.5 |
2022-10-18 | CVE-2022-41479 | Devexpress | Authorization Bypass Through User-Controlled Key vulnerability in Devexpress Asp.Net web Forms Controls 19.2.3 The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. | 7.5 |
2022-10-18 | CVE-2022-39058 | Changingtec | Path Traversal vulnerability in Changingtec Rava Certificate Validation System 3 RAVA certification validation system has a path traversal vulnerability. | 7.5 |
2022-10-18 | CVE-2022-22223 | Juniper | Improper Input Validation vulnerability in Juniper Junos On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (PHP) nodes with link aggregation group (LAG) interfaces, an Improper Validation of Specified Index, Position, or Offset in Input weakness allows an attacker sending certain IP packets to cause multiple interfaces in the LAG to detach causing a Denial of Service (DoS) condition. | 7.5 |
2022-10-18 | CVE-2022-22235 | Juniper | Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper Junos An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based, attacker to cause Denial of Service (DoS). | 7.5 |
2022-10-17 | CVE-2020-8975 | Zigor | Information Exposure vulnerability in Zigor ZGR Tps200 NG Firmware 2.00 ZGR TPS200 NG in its 2.00 firmware version and 1.01 hardware version, allows a remote attacker with access to the web application and knowledge of the routes (URIs) used by the application, to access sensitive information about the system. | 7.5 |
2022-10-17 | CVE-2022-3382 | Hiwin | Unspecified vulnerability in Hiwin Robot System Software 3.3.21.9869 HIWIN Robot System Software version 3.3.21.9869 does not properly address the terminated command source. | 7.5 |
2022-10-17 | CVE-2022-3517 | Minimatch Project Debian Fedoraproject | A vulnerability was found in the minimatch package. | 7.5 |
2022-10-17 | CVE-2022-3559 | Exim Fedoraproject | A vulnerability was found in Exim and classified as problematic. | 7.5 |
2022-10-17 | CVE-2019-14840 | Redhat | Unspecified vulnerability in Redhat Decision Manager 7.0 A flaw was found in the RHDM, where sensitive HTML form fields like Password has auto-complete enabled which may lead to leak of credentials. | 7.5 |
2022-10-17 | CVE-2022-2931 | Gitlab | Resource Exhaustion vulnerability in Gitlab A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. | 7.5 |
2022-10-17 | CVE-2022-3031 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. | 7.5 |
2022-10-17 | CVE-2022-3283 | Gitlab | Resource Exhaustion vulnerability in Gitlab A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 While cloning an issue with special crafted content added to the description could have been used to trigger high CPU usage. | 7.5 |
2022-10-17 | CVE-2022-3501 | Otrs | Missing Authorization vulnerability in Otrs Article template contents with sensitive data could be accessed from agents without permissions. | 7.5 |
2022-10-17 | CVE-2022-42975 | Phoenixframework | Unspecified vulnerability in Phoenixframework Phoenix socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. | 7.5 |
2022-10-17 | CVE-2022-2533 | Gitlab | Improper Authentication vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. | 7.4 |
2022-10-17 | CVE-2022-3421 | Improper Privilege Management vulnerability in Google Drive An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. | 7.3 | |
2022-10-17 | CVE-2022-2428 | Gitlab | Cross-site Scripting vulnerability in Gitlab A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests | 7.3 |
2022-10-17 | CVE-2022-3060 | Gitlab | Path Traversal vulnerability in Gitlab Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests | 7.3 |
2022-10-21 | CVE-2022-38104 | Oxilab | Unspecified vulnerability in Oxilab Accordions Auth. | 7.2 |
2022-10-21 | CVE-2022-42189 | Emlog | Unrestricted Upload of File with Dangerous Type vulnerability in Emlog 1.6.0 Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (RCE) vulnerability. | 7.2 |
2022-10-20 | CVE-2022-36957 | Solarwinds | Deserialization of Untrusted Data vulnerability in Solarwinds Orion Platform SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. | 7.2 |
2022-10-20 | CVE-2022-38108 | Solarwinds | Deserialization of Untrusted Data vulnerability in Solarwinds Orion Platform SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. | 7.2 |
2022-10-20 | CVE-2022-42201 | Simple Exam Reviewer Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Simple Exam Reviewer Management System Project Simple Exam Reviewer Management System 1.0 Simple Exam Reviewer Management System v1.0 is vulnerable to Insecure file upload. | 7.2 |
2022-10-20 | CVE-2022-31366 | EVE NG | Unrestricted Upload of File with Dangerous Type vulnerability in Eve-Ng 2.0.3112 An arbitrary file upload vulnerability in the apiImportLabs function in api_labs.php of EVE-NG 2.0.3-112 Community allows attackers to execute arbitrary code via a crafted UNL file. | 7.2 |
2022-10-19 | CVE-2022-41617 | F5 | Unspecified vulnerability in F5 Big-Ip Application Security Manager In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, When the Advanced WAF / ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface. | 7.2 |
2022-10-18 | CVE-2022-42218 | Open Source Sacco Management System Project | SQL Injection vulnerability in Open Source Sacco Management System Project Open Source Sacco Management System 1.0 Open Source SACCO Management System v1.0 vulnerable to SQL Injection via /sacco_shield/manage_loan.php. | 7.2 |
2022-10-18 | CVE-2022-41537 | Online Tours Travels Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Tours & Travels Management System Project Online Tours & Travels Management System 1.0 Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /user_operations/profile.php. | 7.2 |
2022-10-18 | CVE-2022-35844 | Fortinet | OS Command Injection vulnerability in Fortinet Fortitester An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to commands of the certificate import feature. | 7.2 |
2022-10-18 | CVE-2022-41504 | Billing System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Billing System Project Billing System 1.0 An arbitrary file upload vulnerability in the component /php_action/editProductImage.php of Billing System Project v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 7.2 |
2022-10-17 | CVE-2022-3552 | Boxbilling | Unspecified vulnerability in Boxbilling Unrestricted Upload of File with Dangerous Type in GitHub repository boxbilling/boxbilling prior to 0.0.1. | 7.2 |
2022-10-17 | CVE-2022-42142 | Online Tours AND Travels Management System Project | Unspecified vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0 Online Tours & Travels Management System v1.0 is vulnerable to Arbitrary code execution via ip/tour/admin/operations/update_settings.php. | 7.2 |
2022-10-17 | CVE-2022-42143 | Open Source Sacco Management System Project | SQL Injection vulnerability in Open Source Sacco Management System Project Open Source Sacco Management System 1.0 Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_payment.php. | 7.2 |
2022-10-17 | CVE-2022-41498 | Billing System Project | SQL Injection vulnerability in Billing System Project Billing System 1.0 Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /phpinventory/editbrand.php. | 7.2 |
2022-10-17 | CVE-2022-3131 | Codexpert | Unspecified vulnerability in Codexpert Search Logger The Search Logger WordPress plugin through 0.9 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users | 7.2 |
2022-10-17 | CVE-2022-3150 | WP Custom Cursors Project | Unspecified vulnerability in WP Custom Cursors Project WP Custom Cursors The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin | 7.2 |
2022-10-17 | CVE-2022-3243 | Smackcoders | Unspecified vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin | 7.2 |
2022-10-17 | CVE-2022-3549 | Oretnom23 | Unrestricted Upload of File with Dangerous Type vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. | 7.2 |
2022-10-19 | CVE-2022-41742 | F5 Fedoraproject Debian | Out-of-bounds Write vulnerability in multiple products NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. | 7.1 |
2022-10-19 | CVE-2022-25665 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Information disclosure due to buffer over read in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Mobile | 7.1 |
2022-10-17 | CVE-2022-3564 | Linux Debian Netapp | Race Condition vulnerability in multiple products A vulnerability classified as critical was found in Linux Kernel. | 7.1 |
2022-10-17 | CVE-2022-3566 | Linux | Unspecified vulnerability in Linux Kernel A vulnerability, which was classified as problematic, was found in Linux Kernel. | 7.1 |
2022-10-21 | CVE-2022-3649 | Linux Debian Netapp | A vulnerability was found in Linux Kernel. | 7.0 |
2022-10-21 | CVE-2022-3635 | Linux Debian | Race Condition vulnerability in multiple products A vulnerability, which was classified as critical, has been found in Linux Kernel. | 7.0 |
2022-10-19 | CVE-2022-41743 | F5 | Unspecified vulnerability in F5 Nginx Ingress Controller and Nginx Plus NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. | 7.0 |
2022-10-19 | CVE-2022-33214 | Qualcomm | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Qualcomm products Memory corruption in display due to time-of-check time-of-use of metadata reserved size in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 7.0 |
176 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-20 | CVE-2020-9285 | Sonos | Unspecified vulnerability in Sonos ONE Firmware Some versions of Sonos One (1st and 2nd generation) allow partial or full memory access via attacker controlled hardware that can be attached to the Mini-PCI Express slot on the motherboard that hosts the WiFi card on the device. | 6.8 |
2022-10-19 | CVE-2022-35860 | Corsair | Missing Encryption of Sensitive Data vulnerability in Corsair K63 Firmware 3.1.3 Missing AES encryption in Corsair K63 Wireless 3.1.3 allows physically proximate attackers to inject and sniff keystrokes via 2.4 GHz radio transmissions. | 6.8 |
2022-10-21 | CVE-2022-34437 | Dell | OS Command Injection vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS, versions 8.2.2-9.3.0, contain an OS command injection vulnerability. | 6.7 |
2022-10-21 | CVE-2022-34438 | Dell | Improper Privilege Management vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. | 6.7 |
2022-10-19 | CVE-2022-25666 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption due to use after free in service while trying to access maps by different threads in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | 6.7 |
2022-10-21 | CVE-2022-3597 | Libtiff Netapp Debian | Out-of-bounds Write vulnerability in multiple products LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-10-21 | CVE-2022-3598 | Libtiff Netapp Debian | Out-of-bounds Write vulnerability in multiple products LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-10-21 | CVE-2022-3599 | Libtiff Netapp Debian | Out-of-bounds Read vulnerability in multiple products LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-10-21 | CVE-2022-3626 | Libtiff Netapp Debian | Out-of-bounds Write vulnerability in multiple products LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-10-21 | CVE-2022-3627 | Libtiff Netapp Debian | Out-of-bounds Write vulnerability in multiple products LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. | 6.5 |
2022-10-20 | CVE-2022-3621 | Linux Debian | A vulnerability was found in Linux Kernel. | 6.5 |
2022-10-20 | CVE-2022-42197 | Simple Exam Reviewer Management System Project | Forced Browsing vulnerability in Simple Exam Reviewer Management System Project Simple Exam Reviewer Management System 1.0 In Simple Exam Reviewer Management System v1.0 the User List function has improper access control that allows low privileged users to modify user permissions to higher privileges. | 6.5 |
2022-10-19 | CVE-2022-41770 | F5 | Resource Exhaustion vulnerability in F5 products In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests. | 6.5 |
2022-10-19 | CVE-2022-41813 | F5 | Unspecified vulnerability in F5 products In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when BIG-IP is provisioned with PEM or AFM module, an undisclosed input can cause Traffic Management Microkernel (TMM) to terminate. | 6.5 |
2022-10-19 | CVE-2022-2805 | Redhat | Unspecified vulnerability in Redhat Virtualization 4.0 A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. | 6.5 |
2022-10-19 | CVE-2022-43020 | Opencats | SQL Injection vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update function. | 6.5 |
2022-10-19 | CVE-2022-43021 | Opencats | SQL Injection vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable. | 6.5 |
2022-10-19 | CVE-2022-43022 | Opencats | SQL Injection vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion function. | 6.5 |
2022-10-19 | CVE-2022-43023 | Opencats | SQL Injection vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerrors function. | 6.5 |
2022-10-19 | CVE-2022-41707 | Relatedcode | Unspecified vulnerability in Relatedcode Messenger Relatedcode's Messenger version 7bcd20b allows an authenticated external attacker to access sensitive data of any user of the application. | 6.5 |
2022-10-19 | CVE-2022-43408 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Pipeline:Stage View Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins. | 6.5 |
2022-10-19 | CVE-2022-43419 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Katalon Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | 6.5 |
2022-10-19 | CVE-2022-43032 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 An issue was discovered in Bento4 v1.6.0-639. | 6.5 |
2022-10-19 | CVE-2022-43033 | Axiosys | Use After Free vulnerability in Axiosys Bento4 1.6.0639 An issue was discovered in Bento4 1.6.0-639. | 6.5 |
2022-10-19 | CVE-2022-43034 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 An issue was discovered in Bento4 v1.6.0-639. | 6.5 |
2022-10-19 | CVE-2022-43035 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 An issue was discovered in Bento4 v1.6.0-639. | 6.5 |
2022-10-19 | CVE-2022-43037 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 An issue was discovered in Bento4 1.6.0-639. | 6.5 |
2022-10-19 | CVE-2022-43038 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadCache() function in mp42ts. | 6.5 |
2022-10-18 | CVE-2022-22237 | Juniper | Improper Authentication vulnerability in Juniper Junos An Improper Authentication vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause an impact on confidentiality or integrity. | 6.5 |
2022-10-18 | CVE-2022-22238 | Juniper | Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper Junos An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS). | 6.5 |
2022-10-18 | CVE-2022-22250 | Juniper | Unspecified vulnerability in Juniper Junos An Improper Control of a Resource Through its Lifetime vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS and Junos OS Evolved allows unauthenticated adjacent attacker to cause a Denial of Service (DoS). | 6.5 |
2022-10-17 | CVE-2022-28291 | Tenable | Insufficiently Protected Credentials vulnerability in Tenable Nessus Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. | 6.5 |
2022-10-17 | CVE-2022-2455 | Gitlab | Resource Exhaustion vulnerability in Gitlab A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project. | 6.5 |
2022-10-17 | CVE-2022-2592 | Gitlab | Improper Validation of Specified Quantity in Input vulnerability in Gitlab A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions prior to 15.1.6, 15.2 prior to 15.2.4 and 15.3 prior to 15.3.2 allows an authenticated attacker to create a maliciously large Snippet which when requested with or without authentication places excessive load on the server, potential leading to Denial of Service. | 6.5 |
2022-10-17 | CVE-2022-3067 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. | 6.5 |
2022-10-17 | CVE-2022-3165 | Qemu Fedoraproject | An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. | 6.5 |
2022-10-17 | CVE-2022-3279 | Gitlab | Improper Handling of Exceptional Conditions vulnerability in Gitlab An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs | 6.5 |
2022-10-17 | CVE-2022-3291 | Gitlab | Deserialization of Untrusted Data vulnerability in Gitlab Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache | 6.5 |
2022-10-17 | CVE-2022-3540 | Hunter2 Project | Cleartext Storage of Sensitive Information vulnerability in Hunter2 Project Hunter2 An issue has been discovered in hunter2 affecting all versions before 2.1.0. | 6.5 |
2022-10-17 | CVE-2022-41471 | 74Cms | Unspecified vulnerability in 74Cms 74Cmsse 3.12.0 74cmsSE v3.12.0 allows authenticated attackers with low-level privileges to arbitrarily change the rights and credentials of the Super Administrator account. | 6.5 |
2022-10-17 | CVE-2022-3551 | X ORG Debian Fedoraproject | A vulnerability, which was classified as problematic, has been found in X.org Server. | 6.5 |
2022-10-17 | CVE-2022-3553 | X ORG | Unspecified vulnerability in X.Org X Server A vulnerability, which was classified as problematic, was found in X.org Server. | 6.5 |
2022-10-17 | CVE-2022-3082 | Miniorange | Missing Authorization vulnerability in Miniorange Discord Integration The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example | 6.5 |
2022-10-17 | CVE-2022-39052 | Otrs | Infinite Loop vulnerability in Otrs An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system | 6.5 |
2022-10-17 | CVE-2022-3567 | Linux | Unspecified vulnerability in Linux Kernel A vulnerability has been found in Linux Kernel and classified as problematic. | 6.4 |
2022-10-21 | CVE-2022-1059 | Aethon | Cross-site Scripting vulnerability in Aethon TUG Home Base Server Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials. | 6.1 |
2022-10-20 | CVE-2022-26954 | Nopcommerce | Open Redirect vulnerability in Nopcommerce Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class. | 6.1 |
2022-10-19 | CVE-2022-43014 | Opencats | Cross-site Scripting vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the joborderID parameter. | 6.1 |
2022-10-19 | CVE-2022-43015 | Opencats | Cross-site Scripting vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter. | 6.1 |
2022-10-19 | CVE-2022-43016 | Opencats | Cross-site Scripting vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback component. | 6.1 |
2022-10-19 | CVE-2022-43017 | Opencats | Cross-site Scripting vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component. | 6.1 |
2022-10-19 | CVE-2022-43018 | Opencats | Cross-site Scripting vulnerability in Opencats 0.9.6 OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function. | 6.1 |
2022-10-19 | CVE-2022-42466 | Apache | Unspecified vulnerability in Apache Isis Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. | 6.1 |
2022-10-18 | CVE-2022-42113 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal A Cross-site scripting (XSS) vulnerability in Document Library module in Liferay Portal 7.4.3.30 through 7.4.3.36, and Liferay DXP 7.4 update 30 through update 36 allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter. | 6.1 |
2022-10-18 | CVE-2022-42116 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.0 A Cross-site scripting (XSS) vulnerability in the Frontend Editor module's integration with CKEditor in Liferay Portal 7.3.2 through 7.4.3.14, and Liferay DXP 7.3 before update 6, and 7.4 before update 15 allows remote attackers to inject arbitrary web script or HTML via the (1) name, or (2) namespace parameter. | 6.1 |
2022-10-18 | CVE-2022-42117 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.0 A Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.3.2 through 7.4.3.16, and Liferay DXP 7.3 before update 6, and 7.4 before update 17 allows remote attackers to inject arbitrary web script or HTML. | 6.1 |
2022-10-18 | CVE-2022-42202 | TP Link | Cross-site Scripting vulnerability in Tp-Link Tl-Wr841N Firmware 4.17.16Build120201Rel.54750N TP-Link TL-WR841N 8.0 4.17.16 Build 120201 Rel.54750n is vulnerable to Cross Site Scripting (XSS). | 6.1 |
2022-10-18 | CVE-2022-3580 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Cashier Queuing System 1.0 A vulnerability, which was classified as problematic, has been found in SourceCodester Cashier Queuing System 1.0.1. | 6.1 |
2022-10-18 | CVE-2022-3581 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Cashier Queuing System 1.0 A vulnerability, which was classified as problematic, was found in SourceCodester Cashier Queuing System 1.0. | 6.1 |
2022-10-18 | CVE-2022-3339 | Mcafee | Cross-site Scripting vulnerability in Mcafee Epolicy Orchestrator A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. | 6.1 |
2022-10-17 | CVE-2022-40606 | Mitre | Cross-site Scripting vulnerability in Mitre Caldera MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40605. | 6.1 |
2022-10-17 | CVE-2022-42147 | Keking | Cross-site Scripting vulnerability in Keking Kkfileview 4.0.0 kkFileView 4.0 is vulnerable to Cross Site Scripting (XSS) via controller\ Filecontroller.java. | 6.1 |
2022-10-17 | CVE-2022-40605 | Mitre | Cross-site Scripting vulnerability in Mitre Caldera MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606. | 6.1 |
2022-10-17 | CVE-2022-3149 | WP Custom Cursors Project | Unspecified vulnerability in WP Custom Cursors Project WP Custom Cursors The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. | 6.1 |
2022-10-19 | CVE-2022-3607 | Octoprint | Injection vulnerability in Octoprint Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3. | 6.0 |
2022-10-18 | CVE-2022-36439 | Asus | Unspecified vulnerability in Asus products AsusSoftwareManager.exe in ASUS System Control Interface on ASUS personal computers (running Windows) allows a local user to write into the Temp directory and delete another more privileged file via SYSTEM privileges. | 6.0 |
2022-10-18 | CVE-2022-41540 | TP Link | Use of Hard-coded Credentials vulnerability in Tp-Link Ax10 Firmware V1211117 The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. | 5.9 |
2022-10-18 | CVE-2022-22220 | Juniper | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Juniper Junos A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS, Junos OS Evolved allows a network-based unauthenticated attacker to cause a Denial of Service (DoS). | 5.9 |
2022-10-17 | CVE-2022-3206 | Passster Project | Insufficiently Protected Credentials vulnerability in Passster Project Passster The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. | 5.9 |
2022-10-17 | CVE-2022-3563 | Bluez | Unspecified vulnerability in Bluez A vulnerability classified as problematic has been found in Linux Kernel. | 5.7 |
2022-10-17 | CVE-2022-3533 | Linux | Unspecified vulnerability in Linux Kernel A vulnerability was found in Linux Kernel. | 5.7 |
2022-10-21 | CVE-2022-39259 | Jadx Project | Unspecified vulnerability in Jadx Project Jadx jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. | 5.5 |
2022-10-21 | CVE-2022-3570 | Libtiff Debian | Out-of-bounds Write vulnerability in multiple products Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact | 5.5 |
2022-10-21 | CVE-2022-3637 | Bluez | Unspecified vulnerability in Bluez A vulnerability has been found in Linux Kernel and classified as problematic. | 5.5 |
2022-10-21 | CVE-2022-3630 | Linux | Memory Leak vulnerability in Linux Kernel A vulnerability was found in Linux Kernel. | 5.5 |
2022-10-19 | CVE-2022-41780 | F5 | Unspecified vulnerability in F5 F5Os-A and F5Os-C In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.4.0, a directory traversal vulnerability exists in an undisclosed location of the F5OS CLI that allows an attacker to read arbitrary files. | 5.5 |
2022-10-19 | CVE-2013-4281 | Redhat | Unspecified vulnerability in Redhat Openshift 1.0 In Red Hat Openshift 1, weak default permissions are applied to the /etc/openshift/server_priv.pem file on the broker server, which could allow users with local access to the broker to read this file. | 5.5 |
2022-10-19 | CVE-2022-3586 | Linux Debian | A flaw was found in the Linux kernel’s networking code. | 5.5 |
2022-10-19 | CVE-2022-40884 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0 Bento4 1.6.0 has memory leaks via the mp4fragment. | 5.5 |
2022-10-19 | CVE-2022-40885 | Axiosys | Allocation of Resources Without Limits or Throttling vulnerability in Axiosys Bento4 1.6.0639 Bento4 v1.6.0-639 has a memory allocation issue that can cause denial of service. | 5.5 |
2022-10-19 | CVE-2022-43039 | Gpac | Unspecified vulnerability in Gpac GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c. | 5.5 |
2022-10-19 | CVE-2022-43043 | Gpac | Unspecified vulnerability in Gpac GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c. | 5.5 |
2022-10-19 | CVE-2022-43044 | Gpac | Unspecified vulnerability in Gpac GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c. | 5.5 |
2022-10-19 | CVE-2022-43045 | Gpac | Unspecified vulnerability in Gpac GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c. | 5.5 |
2022-10-19 | CVE-2022-25663 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Possible buffer overflow due to lack of buffer length check during management frame Rx handling lead to denial of service in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity | 5.5 |
2022-10-19 | CVE-2022-25664 | Qualcomm | Incomplete Cleanup vulnerability in Qualcomm products Information disclosure due to exposure of information while GPU reads the data in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 5.5 |
2022-10-19 | CVE-2022-39253 | GIT SCM Fedoraproject Apple Debian | Link Following vulnerability in multiple products Git is an open source, scalable, distributed revision control system. | 5.5 |
2022-10-19 | CVE-2022-3606 | Linux | Unspecified vulnerability in Linux Kernel A vulnerability was found in Linux Kernel. | 5.5 |
2022-10-18 | CVE-2022-3595 | Linux | Double Free vulnerability in Linux Kernel A vulnerability was found in Linux Kernel. | 5.5 |
2022-10-18 | CVE-2022-22233 | Juniper | Unchecked Return Value vulnerability in Juniper Junos and Junos OS Evolved An Unchecked Return Value to NULL Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a locally authenticated attacker with low privileges to cause a Denial of Service (DoS). | 5.5 |
2022-10-17 | CVE-2022-3543 | Linux | Memory Leak vulnerability in Linux Kernel A vulnerability, which was classified as problematic, has been found in Linux Kernel. | 5.5 |
2022-10-17 | CVE-2022-3544 | Linux | Unspecified vulnerability in Linux Kernel A vulnerability, which was classified as problematic, was found in Linux Kernel. | 5.5 |
2022-10-21 | CVE-2022-27494 | Aethon | Cross-site Scripting vulnerability in Aethon TUG Home Base Server Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials. | 5.4 |
2022-10-21 | CVE-2022-41638 | Chop Chop | Cross-site Scripting vulnerability in Chop-Chop Pop-Up Chop Auth. | 5.4 |
2022-10-21 | CVE-2022-42205 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Hospital Management System 4.0 PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php. | 5.4 |
2022-10-21 | CVE-2022-42206 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Hospital Management System 4.0 PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php. | 5.4 |
2022-10-20 | CVE-2022-36966 | Solarwinds | Authorization Bypass Through User-Controlled Key vulnerability in Solarwinds Orion Platform Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous. | 5.4 |
2022-10-20 | CVE-2022-42200 | Simple Exam Reviewer Management System Project | Cross-site Scripting vulnerability in Simple Exam Reviewer Management System Project Simple Exam Reviewer Management System 1.0 Simple Exam Reviewer Management System v1.0 is vulnerable to Stored Cross Site Scripting (XSS) via the Exam List. | 5.4 |
2022-10-20 | CVE-2021-33231 | Easyvista | Cross-site Scripting vulnerability in Easyvista Service Manager 2018.1.181.1 Cross Site Scripting (XSS) vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field. | 5.4 |
2022-10-20 | CVE-2022-41358 | Garage Management System Project | Cross-site Scripting vulnerability in Garage Management System Project Garage Management System 1.0 A stored cross-site scripting (XSS) vulnerability in Garage Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the categoriesName parameter in createCategories.php. | 5.4 |
2022-10-19 | CVE-2022-43409 | Jenkins | Cross-site Scripting vulnerability in Jenkins Pipeline: Supporting Apis 838.Va3A087B4055B Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines. | 5.4 |
2022-10-19 | CVE-2022-43420 | Jenkins | Cross-site Scripting vulnerability in Jenkins Contrast Continuous Application Security Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses. | 5.4 |
2022-10-19 | CVE-2022-43425 | Jenkins | Cross-site Scripting vulnerability in Jenkins Custom Checkbox Parameter Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-10-19 | CVE-2022-39301 | SRA Admin Project | Unrestricted Upload of File with Dangerous Type vulnerability in Sra-Admin Project Sra-Admin 1.1.1 sra-admin is a background rights management system that separates the front and back end. | 5.4 |
2022-10-19 | CVE-2022-43185 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 3.2.1 A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter. | 5.4 |
2022-10-19 | CVE-2022-39233 | Enalean | Missing Authorization vulnerability in Enalean Tuleap Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. | 5.4 |
2022-10-19 | CVE-2022-38901 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal A Cross-site scripting (XSS) vulnerability in the Document and Media module - file upload functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the description field of uploaded svg file. | 5.4 |
2022-10-18 | CVE-2022-42112 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.2/7.3/7.4 A Cross-site scripting (XSS) vulnerability in the Portal Search module's Sort widget in Liferay Portal 7.2.0 through 7.4.3.24, and Liferay DXP 7.2 before fix pack 19, 7.3 before update 5, and DXP 7.4 before update 25 allows remote attackers to inject arbitrary web script or HTML via a crafted payload. | 5.4 |
2022-10-18 | CVE-2022-42114 | Liferay | Cross-site Scripting vulnerability in Liferay DXP 7.0/7.4 A Cross-site scripting (XSS) vulnerability in the Role module's edit role assignees page in Liferay Portal 7.4.0 through 7.4.3.36, and Liferay DXP 7.4 before update 37 allows remote attackers to inject arbitrary web script or HTML. | 5.4 |
2022-10-18 | CVE-2022-42115 | Liferay | Cross-site Scripting vulnerability in Liferay Portal Cross-site scripting (XSS) vulnerability in the Object module's edit object details page in Liferay Portal 7.4.3.4 through 7.4.3.36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the object field's `Label` text field. | 5.4 |
2022-10-18 | CVE-2022-3587 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. | 5.4 |
2022-10-18 | CVE-2022-31037 | Oroinc | Cross-site Scripting vulnerability in Oroinc Orocommerce OroCommerce is an open-source Business to Business Commerce application. | 5.4 |
2022-10-18 | CVE-2022-3338 | Mcafee | XXE vulnerability in Mcafee Epolicy Orchestrator An External XML entity (XXE) vulnerability in ePO prior to 5.10 Update 14 can lead to an unauthenticated remote attacker to potentially trigger a Server Side Request Forgery attack. | 5.4 |
2022-10-17 | CVE-2022-41431 | Mindskip | Cross-site Scripting vulnerability in Mindskip XZS 3.8.0 xzs v3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /admin/question/edit. | 5.4 |
2022-10-17 | CVE-2022-41139 | Mitre | Cross-site Scripting vulnerability in Mitre Caldera MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents. | 5.4 |
2022-10-17 | CVE-2022-3066 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. | 5.4 |
2022-10-17 | CVE-2022-41472 | 74Cms | Cross-site Scripting vulnerability in 74Cms 74Cmsse 3.12.0 74cmsSE v3.12.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /apiadmin/notice/add. | 5.4 |
2022-10-17 | CVE-2022-41542 | Devhubapp | Insufficient Session Expiration vulnerability in Devhubapp Devhub 0.102.0 devhub 0.102.0 was discovered to contain a broken session control. | 5.4 |
2022-10-20 | CVE-2022-40084 | Opencrx | Information Exposure Through Discrepancy vulnerability in Opencrx OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid. | 5.3 |
2022-10-19 | CVE-2022-38107 | Solarwinds | Information Exposure Through an Error Message vulnerability in Solarwinds SQL Sentry 2021.18.10 Sensitive information could be displayed when a detailed technical error message is posted. | 5.3 |
2022-10-19 | CVE-2022-43410 | Jenkins | Unspecified vulnerability in Jenkins Mercurial Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access. | 5.3 |
2022-10-19 | CVE-2022-43411 | Jenkins | Information Exposure Through Discrepancy vulnerability in Jenkins Gitlab Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | 5.3 |
2022-10-19 | CVE-2022-43412 | Jenkins | Information Exposure Through Discrepancy vulnerability in Jenkins Generic Webhook Trigger Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | 5.3 |
2022-10-19 | CVE-2022-43414 | Jenkins | Unspecified vulnerability in Jenkins Nunit Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. | 5.3 |
2022-10-19 | CVE-2022-43421 | Jenkins | Missing Authorization vulnerability in Jenkins Tuleap GIT Branch Source A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value. | 5.3 |
2022-10-19 | CVE-2022-43422 | Jenkins | Unspecified vulnerability in Jenkins Compuware Topaz Utilities Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | 5.3 |
2022-10-19 | CVE-2022-43423 | Jenkins | Unspecified vulnerability in Jenkins Compuware Source Code Download for Endevor, Pds, and Ispw 2.0.12 Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | 5.3 |
2022-10-19 | CVE-2022-43424 | Jenkins | Unspecified vulnerability in Jenkins Compuware Xpediter Code Coverage Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | 5.3 |
2022-10-19 | CVE-2022-43426 | Jenkins | Unspecified vulnerability in Jenkins S3 Explorer 1.0.7/1.0.8 Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it. | 5.3 |
2022-10-19 | CVE-2022-43428 | Jenkins | Unspecified vulnerability in Jenkins Compuware Topaz for Total Test Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. | 5.3 |
2022-10-19 | CVE-2022-43434 | Jenkins | Unspecified vulnerability in Jenkins Neuvector vulnerability Scanner Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. | 5.3 |
2022-10-19 | CVE-2022-43435 | Jenkins | Unspecified vulnerability in Jenkins 360 Fireline Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. | 5.3 |
2022-10-19 | CVE-2022-42467 | Apache | Insecure Default Initialization of Resource vulnerability in Apache Isis When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. | 5.3 |
2022-10-18 | CVE-2022-3594 | Linux Debian | A vulnerability was found in Linux Kernel. | 5.3 |
2022-10-18 | CVE-2020-15853 | Fedoraproject | Unspecified vulnerability in Fedoraproject Supybot-Fedora supybot-fedora implements the command 'refresh', that refreshes the cache of all users from FAS. | 5.3 |
2022-10-17 | CVE-2022-3286 | Gitlab | Unspecified vulnerability in Gitlab Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token | 5.3 |
2022-10-17 | CVE-2022-2834 | Helpful Project | Files or Directories Accessible to External Parties vulnerability in Helpful Project Helpful The Helpful WordPress plugin before 4.5.26 puts the exported logs and feedbacks in a publicly accessible location and guessable names, which could allow attackers to download them and retrieve sensitive information such as IP, Names and Email Address depending on the plugin's settings | 5.3 |
2022-10-19 | CVE-2022-41694 | F5 | Unspecified vulnerability in F5 products In BIG-IP versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, and BIG-IQ versions 8.x before 8.2.0.1 and all versions of 7.x, when an SSL key is imported on a BIG-IP or BIG-IQ system, undisclosed input can cause MCPD to terminate. | 4.9 |
2022-10-21 | CVE-2022-40311 | Fatcatapps | Cross-site Scripting vulnerability in Fatcatapps Analytics CAT Auth. | 4.8 |
2022-10-17 | CVE-2022-26375 | Abpressoptimizer | Cross-site Scripting vulnerability in Abpressoptimizer AB Press Optimizer 1.0.0/1.1.0/1.1.1 Auth. | 4.8 |
2022-10-17 | CVE-2022-2865 | Gitlab | Cross-site Scripting vulnerability in Gitlab A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. | 4.8 |
2022-10-17 | CVE-2022-2563 | Themeum | Unspecified vulnerability in Themeum Tutor LMS The Tutor LMS WordPress plugin before 2.0.10 does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-10-17 | CVE-2022-2574 | Mekshq | Unspecified vulnerability in Mekshq Meks Easy Social Share The Meks Easy Social Share WordPress plugin before 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-10-17 | CVE-2022-3139 | Designextreme | Unspecified vulnerability in Designextreme We'Re Open The We’re Open! WordPress plugin before 1.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-10-17 | CVE-2022-3546 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. | 4.8 |
2022-10-17 | CVE-2022-3547 | Simple Cold Storage Management System Project | Cross-site Scripting vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0 A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. | 4.8 |
2022-10-17 | CVE-2022-3548 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 A vulnerability was found in SourceCodester Simple Cold Storage Management System 1.0. | 4.8 |
2022-10-19 | CVE-2022-22078 | Qualcomm | Integer Overflow or Wraparound vulnerability in Qualcomm products Denial of service in BOOT when partition size for a particular partition is requested due to integer overflow when blocks are calculated in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 4.6 |
2022-10-21 | CVE-2022-31239 | Dell | Information Exposure Through Log Files vulnerability in Dell EMC Powerscale Onefs Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, and 9.3.0.6, contain sensitive data in log files vulnerability. | 4.4 |
2022-10-22 | CVE-2022-39272 | Fluxcd | Improper Validation of Specified Quantity in Input vulnerability in Fluxcd products Flux is an open and extensible continuous delivery solution for Kubernetes. | 4.3 |
2022-10-21 | CVE-2020-5355 | Dell | Incorrect Default Permissions vulnerability in Dell EMC Isilon Onefs The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. | 4.3 |
2022-10-21 | CVE-2022-3646 | Linux Debian | A vulnerability, which was classified as problematic, has been found in Linux Kernel. | 4.3 |
2022-10-20 | CVE-2022-3619 | Linux | Memory Leak vulnerability in Linux Kernel A vulnerability has been found in Linux Kernel and classified as problematic. | 4.3 |
2022-10-19 | CVE-2022-31684 | Pivotal | Unspecified vulnerability in Pivotal Reactor Netty Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. | 4.3 |
2022-10-19 | CVE-2022-41708 | Relatedcode | Improper Preservation of Permissions vulnerability in Relatedcode Messenger Relatedcode's Messenger version 7bcd20b allows an authenticated external attacker to access existing chats in the workspaces of any user of the application. | 4.3 |
2022-10-19 | CVE-2022-43413 | Jenkins | Missing Authorization vulnerability in Jenkins JOB Import Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-10-19 | CVE-2022-43417 | Jenkins | Missing Authorization vulnerability in Jenkins Katalon Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 4.3 |
2022-10-19 | CVE-2022-43418 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Katalon A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 4.3 |
2022-10-19 | CVE-2022-43427 | Jenkins | Missing Authorization vulnerability in Jenkins Compuware Topaz for Total Test Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-10-19 | CVE-2022-43431 | Jenkins | Missing Authorization vulnerability in Jenkins Compuware Strobe Measurement Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-10-19 | CVE-2022-43432 | Jenkins | Unspecified vulnerability in Jenkins Xframium Builder Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. | 4.3 |
2022-10-19 | CVE-2022-43433 | Jenkins | Unspecified vulnerability in Jenkins Screenrecorder Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. | 4.3 |
2022-10-18 | CVE-2022-3585 | Oretnom23 | Unspecified vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 A vulnerability classified as problematic has been found in SourceCodester Simple Cold Storage Management System 1.0. | 4.3 |
2022-10-17 | CVE-2022-2630 | Gitlab | Unspecified vulnerability in Gitlab An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events. | 4.3 |
2022-10-17 | CVE-2022-2908 | Gitlab | Unspecified vulnerability in Gitlab A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allowed an attacker to trigger high CPU usage via a special crafted input added in the Commit message field. | 4.3 |
2022-10-17 | CVE-2022-3030 | Gitlab | Unspecified vulnerability in Gitlab An improper access control issue in GitLab CE/EE affecting all versions starting before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of pipeline status to unauthorized users. | 4.3 |
2022-10-17 | CVE-2022-3288 | Gitlab | Unspecified vulnerability in Gitlab A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected. | 4.3 |
2022-10-17 | CVE-2022-3293 | Gitlab | Information Exposure Through Log Files vulnerability in Gitlab Email addresses were leaked in WebHook logs in GitLab EE affecting all versions from 9.3 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 | 4.3 |
2022-10-17 | CVE-2022-3325 | Gitlab | Unspecified vulnerability in Gitlab Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. | 4.3 |
2022-10-17 | CVE-2022-3330 | Gitlab | Unspecified vulnerability in Gitlab It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1. | 4.3 |
2022-10-17 | CVE-2022-3331 | Gitlab | Authorization Bypass Through User-Controlled Key vulnerability in Gitlab An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. | 4.3 |
2022-10-17 | CVE-2022-3351 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. | 4.3 |
2022-10-17 | CVE-2022-3126 | Najeebmedia | Unspecified vulnerability in Najeebmedia Frontend File Manager Plugin The Frontend File Manager Plugin WordPress plugin before 21.4 does not have CSRF check when uploading files, which could allow attackers to make logged in users upload files on their behalf | 4.3 |
2022-10-17 | CVE-2022-3151 | WP Custom Cursors Project | Unspecified vulnerability in WP Custom Cursors Project WP Custom Cursors The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack. | 4.3 |
2022-10-17 | CVE-2022-3282 | Codedropz | Authorization Bypass Through User-Controlled Key vulnerability in Codedropz Drag and Drop multiple File Upload - Contact Form 7 The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. | 4.3 |
2022-10-17 | CVE-2022-3244 | Smackcoders | Unspecified vulnerability in Smackcoders Import ALL Pages, Post Types, Products, Orders, and Users AS XML & CSV The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce | 4.2 |
7 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-19 | CVE-2022-41983 | F5 | Unspecified vulnerability in F5 products On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied. | 3.7 |
2022-10-18 | CVE-2022-3582 | Oretnom23 | Cross-Site Request Forgery (CSRF) vulnerability in Oretnom23 Simple Cold Storage Management System 1.0 A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. | 3.5 |
2022-10-17 | CVE-2017-7517 | Redhat | Unspecified vulnerability in Redhat Openshift 3.0 An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift. | 3.5 |
2022-10-21 | CVE-2022-3647 | Redis | Unspecified vulnerability in Redis ** DISPUTED ** A vulnerability, which was classified as problematic, was found in Redis up to 6.2.7/7.0.5. | 3.3 |
2022-10-21 | CVE-2022-3633 | Linux Debian | A vulnerability classified as problematic has been found in Linux Kernel. | 3.3 |
2022-10-21 | CVE-2022-3624 | Linux | Memory Leak vulnerability in Linux Kernel A vulnerability was found in Linux Kernel and classified as problematic. | 3.3 |
2022-10-21 | CVE-2022-3629 | Linux Debian | Memory Leak vulnerability in multiple products A vulnerability was found in Linux Kernel. | 3.3 |