Weekly Vulnerabilities Reports > October 24 to 30, 2022
Overview
364 new vulnerabilities were reported during this period, including 109 critical vulnerabilities and 138 high severity vulnerabilities. This weekly summary reports vulnerabilities in 220 products from 151 vendors including Goabode, Robustel, Lannerinc, Debian, and Fedoraproject. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "OS Command Injection", and "Path Traversal".
- 313 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 123 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 224 reported vulnerabilities are exploitable by an anonymous user.
- Goabode has the most reported vulnerabilities, with 38 reported vulnerabilities.
- Goabode has the most reported critical vulnerabilities, with 24 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
109 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-28 | CVE-2021-38397 | Honeywell | Unrestricted Upload of File with Dangerous Type vulnerability in Honeywell products Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. | 10.0 |
2022-10-25 | CVE-2022-33192 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 10.0 |
2022-10-25 | CVE-2022-33193 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 10.0 |
2022-10-25 | CVE-2022-33194 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 10.0 |
2022-10-25 | CVE-2022-33195 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 10.0 |
2022-10-25 | CVE-2022-33204 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 9.9 |
2022-10-25 | CVE-2022-33205 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 9.9 |
2022-10-25 | CVE-2022-33206 | Goabode | OS Command Injection vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 9.9 |
2022-10-25 | CVE-2022-33207 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four OS command injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 9.9 |
2022-10-25 | CVE-2022-39321 | Github | OS Command Injection vulnerability in Github Runner GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. | 9.9 |
2022-10-29 | CVE-2021-42777 | Stimulsoft | Information Exposure Through an Error Message vulnerability in Stimulsoft Reports 2013.1.1600.0 Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user's local machine, as demonstrated by System.Diagnostics.Process.Start. | 9.8 |
2022-10-29 | CVE-2022-3754 | Phpmyfaq | Weak Password Requirements vulnerability in PHPmyfaq Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. | 9.8 |
2022-10-28 | CVE-2022-2826 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. | 9.8 |
2022-10-28 | CVE-2022-43286 | F5 | Use After Free vulnerability in F5 NJS 0.7.2 Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug caused by illegal memory copy in the function njs_json_parse_iterator_call at njs_json.c. | 9.8 |
2022-10-28 | CVE-2022-37621 | Browserify Shim Project | Unspecified vulnerability in Browserify-Shim Project Browserify-Shim 3.8.15 Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js. | 9.8 |
2022-10-28 | CVE-2022-41648 | Heidenhain | Improper Authentication vulnerability in Heidenhain Heros and TNC 640 Programming Station The HEIDENHAIN Controller TNC 640, version 340590 07 SP5, running HEROS 5.08.3 controlling the HARTFORD 5A-65E CNC machine is vulnerable to improper authentication, which may allow an attacker to deny service to the production line, steal sensitive data from the production line, and alter any products created by the production line. | 9.8 |
2022-10-28 | CVE-2022-39366 | Datahub Project | Improper Verification of Cryptographic Signature vulnerability in Datahub Project Datahub DataHub is an open-source metadata platform. | 9.8 |
2022-10-28 | CVE-2022-43168 | Rukovoditel | SQL Injection vulnerability in Rukovoditel 3.2.1 Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter. | 9.8 |
2022-10-28 | CVE-2021-38217 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.2 SEMCMS v 1.2 is vulnerable to SQL Injection via SEMCMS_User.php. | 9.8 |
2022-10-28 | CVE-2021-38729 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Plist.php. | 9.8 |
2022-10-28 | CVE-2021-38730 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Info.php. | 9.8 |
2022-10-28 | CVE-2021-38731 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Zekou.php. | 9.8 |
2022-10-28 | CVE-2021-38732 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Message.php. | 9.8 |
2022-10-28 | CVE-2021-38733 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_BlogCat.php. | 9.8 |
2022-10-28 | CVE-2022-37425 | Opennebula | Command Injection vulnerability in Opennebula Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in OpenNebula OpenNebula core on Linux allows Remote Code Inclusion. | 9.8 |
2022-10-28 | CVE-2021-37782 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Employee Record Management System 1.2 Employee Record Management System v 1.2 is vulnerable to SQL Injection via editempprofile.php. | 9.8 |
2022-10-28 | CVE-2021-38734 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS SHOP v 1.1 is vulnerable to SQL Injection via Ant_Menu.php. | 9.8 |
2022-10-28 | CVE-2021-38736 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS Shop V 1.1 is vulnerable to SQL Injection via Ant_Global.php. | 9.8 |
2022-10-28 | CVE-2021-38737 | SEM CMS | SQL Injection vulnerability in Sem-Cms Semcms 1.1 SEMCMS v 1.1 is vulnerable to SQL Injection via Ant_Pro.php. | 9.8 |
2022-10-28 | CVE-2022-3741 | Chatwoot | Improper Restriction of Excessive Authentication Attempts vulnerability in Chatwoot Impact varies for each individual vulnerability in the application. | 9.8 |
2022-10-28 | CVE-2022-3320 | Cloudflare | Missing Authorization vulnerability in Cloudflare Warp It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. | 9.8 |
2022-10-28 | CVE-2022-3729 | Ehoney Project | SQL Injection vulnerability in Ehoney Project Ehoney A vulnerability, which was classified as critical, has been found in seccome Ehoney. | 9.8 |
2022-10-28 | CVE-2022-3730 | Ehoney Project | Unspecified vulnerability in Ehoney Project Ehoney A vulnerability, which was classified as critical, was found in seccome Ehoney. | 9.8 |
2022-10-28 | CVE-2022-3731 | Ehoney Project | Unspecified vulnerability in Ehoney Project Ehoney A vulnerability has been found in seccome Ehoney and classified as critical. | 9.8 |
2022-10-28 | CVE-2022-3732 | Ehoney Project | SQL Injection vulnerability in Ehoney Project Ehoney A vulnerability was found in seccome Ehoney and classified as critical. | 9.8 |
2022-10-28 | CVE-2022-3734 | Redis | Unspecified vulnerability in Redis A vulnerability was found in a port or fork of Redis. | 9.8 |
2022-10-28 | CVE-2022-3735 | Ehoney Project | Unspecified vulnerability in Ehoney Project Ehoney A vulnerability was found in seccome Ehoney. | 9.8 |
2022-10-28 | CVE-2021-38395 | Honeywell | Injection vulnerability in Honeywell products Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. | 9.8 |
2022-10-28 | CVE-2022-33859 | Eaton | Unrestricted Upload of File with Dangerous Type vulnerability in Eaton Foreseer Electrical Power Monitoring System 4.0/7.0/7.5 A security vulnerability was discovered in the Eaton Foreseer EPMS software. | 9.8 |
2022-10-28 | CVE-2022-37913 | Arubanetworks | Unspecified vulnerability in Arubanetworks Aruba Edgeconnect Enterprise Orchestrator Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. | 9.8 |
2022-10-28 | CVE-2022-37914 | Arubanetworks | Unspecified vulnerability in Arubanetworks Aruba Edgeconnect Enterprise Orchestrator Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. | 9.8 |
2022-10-28 | CVE-2022-37915 | Arubanetworks | Unspecified vulnerability in Arubanetworks Aruba Edgeconnect Enterprise Orchestrator A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. | 9.8 |
2022-10-27 | CVE-2022-3385 | Advantech | Out-of-bounds Write vulnerability in Advantech R-Seenet Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. | 9.8 |
2022-10-27 | CVE-2022-3386 | Advantech | Out-of-bounds Write vulnerability in Advantech R-Seenet Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. | 9.8 |
2022-10-27 | CVE-2022-40876 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1 In Tenda ax1803 v1.0.0.1, the http requests handled by the fromAdvSetMacMtuWan functions, wanSpeed, cloneType, mac, can cause a stack overflow and enable remote code execution (RCE). | 9.8 |
2022-10-27 | CVE-2022-39976 | School Activity Updates With SMS Notification Project | SQL Injection vulnerability in School Activity Updates With SMS Notification Project School Activity Updates With SMS Notification 1.0 School Activity Updates with SMS Notification v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /modules/announcement/index.php?view=edit&id=. | 9.8 |
2022-10-27 | CVE-2022-43367 | IP COM | Command Injection vulnerability in Ip-Com EW9 Firmware 15.11.0.14 IP-COM EW9 V15.11.0.14(9732) was discovered to contain a command injection vulnerability in the formSetDebugCfg function. | 9.8 |
2022-10-27 | CVE-2022-3095 | Dart Flutter | The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. | 9.8 |
2022-10-27 | CVE-2022-39365 | Pimcore | Code Injection vulnerability in Pimcore Pimcore is an open source data and experience management platform. | 9.8 |
2022-10-27 | CVE-2022-3714 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Online Medicine Ordering System 1.0 A vulnerability classified as critical has been found in SourceCodester Online Medicine Ordering System 1.0. | 9.8 |
2022-10-26 | CVE-2022-3363 | Ikus Soft | Unspecified vulnerability in Ikus-Soft Rdiffweb Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7. | 9.8 |
2022-10-26 | CVE-2022-39355 | Discourse | Improper Authentication vulnerability in Discourse Patreon Discourse Patreon enables synchronization between Discourse Groups and Patreon rewards. | 9.8 |
2022-10-26 | CVE-2022-42998 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-816 Firmware 1.10B05 D-Link DIR-816 A2 1.10 B05 was discovered to contain a stack overflow via the srcip parameter at /goform/form2IPQoSTcAdd. | 9.8 |
2022-10-26 | CVE-2022-43000 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-816 Firmware 1.10B05 D-Link DIR-816 A2 1.10 B05 was discovered to contain a stack overflow via the wizardstep4_pskpwd parameter at /goform/form2WizardStep4. | 9.8 |
2022-10-26 | CVE-2022-43001 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-816 Firmware 1.10B05 D-Link DIR-816 A2 1.10 B05 was discovered to contain a stack overflow via the pskValue parameter in the setSecurity function. | 9.8 |
2022-10-26 | CVE-2022-43002 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-816 Firmware 1.10B05 D-Link DIR-816 A2 1.10 B05 was discovered to contain a stack overflow via the wizardstep54_pskpwd parameter at /goform/form2WizardStep54. | 9.8 |
2022-10-26 | CVE-2022-43003 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-816 Firmware 1.10B05 D-Link DIR-816 A2 1.10 B05 was discovered to contain a stack overflow via the pskValue parameter in the setRepeaterSecurity function. | 9.8 |
2022-10-26 | CVE-2022-43774 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.9.0 The HandlerPageP_KID class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an attacker to gain code execution on a remote system. | 9.8 |
2022-10-26 | CVE-2022-43775 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie 1.9.0 The HICT_Loop class in Delta Electronics DIAEnergy v1.9 contains a SQL Injection flaw that could allow an attacker to gain code execution on a remote system. | 9.8 |
2022-10-26 | CVE-2022-3671 | Elearning System Project | SQL Injection vulnerability in Elearning System Project Elearning System 1.0 A vulnerability classified as critical was found in SourceCodester eLearning System 1.0. | 9.8 |
2022-10-26 | CVE-2022-3674 | Sanitization Management System Project | Missing Authentication for Critical Function vulnerability in Sanitization Management System Project Sanitization Management System 1.0 A vulnerability has been found in SourceCodester Sanitization Management System 1.0 and classified as critical. | 9.8 |
2022-10-26 | CVE-2022-42468 | Apache | Unspecified vulnerability in Apache Flume 1.10.0/1.4.0/1.9.0 Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. | 9.8 |
2022-10-26 | CVE-2022-39357 | Wintercms | Unspecified vulnerability in Wintercms Winter 1.1.8/1.1.9/1.2.0 Winter is a free, open-source content management system based on the Laravel PHP framework. | 9.8 |
2022-10-26 | CVE-2022-29822 | Feathersjs | SQL Injection vulnerability in Feathersjs Feathers-Sequelize Improper parameter filtering in the Feathers js library may ultimately lead to SQL injection. | 9.8 |
2022-10-26 | CVE-2022-29823 | Feathersjs | Unspecified vulnerability in Feathersjs Feathers-Sequelize Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. | 9.8 |
2022-10-26 | CVE-2022-2421 | Socket | Unspecified vulnerability in Socket Socket.Io-Parser Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object. | 9.8 |
2022-10-26 | CVE-2022-2422 | Feathersjs | SQL Injection vulnerability in Feathersjs Feathers-Sequelize Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used. | 9.8 |
2022-10-26 | CVE-2022-43747 | Baramundi | Unspecified vulnerability in Baramundi Management Suite 2021/2022 baramundi Management Agent (bMA) in baramundi Management Suite (bMS) 2021 R1 and R2 and 2022 R1 allows remote code execution. | 9.8 |
2022-10-25 | CVE-2022-41711 | Uatech | Unrestricted Upload of File with Dangerous Type vulnerability in Uatech Badaso 2.6.0 Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. | 9.8 |
2022-10-25 | CVE-2022-36452 | Mitel | Unrestricted Upload of File with Dangerous Type vulnerability in Mitel Micollab A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. | 9.8 |
2022-10-25 | CVE-2022-27804 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An os command injection vulnerability exists in the web interface util_set_abode_code functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-27805 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An authentication bypass vulnerability exists in the GHOME control functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-29472 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An OS command injection vulnerability exists in the web interface util_set_serial_mac functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-29477 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An authentication bypass vulnerability exists in the web interface /action/factory* functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-29520 | Goabode | OS Command Injection vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9Z An OS command injection vulnerability exists in the console_main_loop :sys functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-29851 | Open Xchange | OS Command Injection vulnerability in Open-Xchange OX APP Suite 7.10.5/7.10.6 documentconverter in OX App Suite through 7.10.6, in a non-default configuration with ghostscript, allows OS Command Injection because file conversion may occur for an EPS document that is disguised as a PDF document. | 9.8 |
2022-10-25 | CVE-2022-29889 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9Z A hard-coded password vulnerability exists in the telnet functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-30541 | Goabode | OS Command Injection vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An OS command injection vulnerability exists in the XCMD setUPnP functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-32454 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z A stack-based buffer overflow vulnerability exists in the XCMD setIPCam functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-32765 | Robustel | OS Command Injection vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 An OS command injection vulnerability exists in the sysupgrade command injection functionality of Robustel R1510 3.1.16 and 3.3.0. | 9.8 |
2022-10-25 | CVE-2022-32773 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An OS command injection vulnerability exists in the XCMD doDebug functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-33150 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 An OS command injection vulnerability exists in the js_package install functionality of Robustel R1510 3.1.16. | 9.8 |
2022-10-25 | CVE-2022-33189 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9Z An OS command injection vulnerability exists in the XCMD setAlexa functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-33938 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z A format string injection vulnerability exists in the ghome_process_control_packet functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-35244 | Goabode | Use of Externally-Controlled Format String vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z A format string injection vulnerability exists in the XCMD getVarHA functionality of abode systems, inc. | 9.8 |
2022-10-25 | CVE-2022-35874 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-35875 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-35876 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-35877 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. | 9.8 |
2022-10-25 | CVE-2022-38580 | Zalando | Server-Side Request Forgery (SSRF) vulnerability in Zalando Skipper Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF). | 9.8 |
2022-10-25 | CVE-2022-39312 | Dataease | Deserialization of Untrusted Data vulnerability in Dataease Dataease is an open source data visualization analysis tool. | 9.8 |
2022-10-25 | CVE-2022-39322 | Keystonejs | Incorrect Authorization vulnerability in Keystonejs Keystone 2.2.0/2.3.0 @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. | 9.8 |
2022-10-25 | CVE-2022-39327 | Microsoft | OS Command Injection vulnerability in Microsoft Azure Command-Line Interface Azure CLI is the command-line interface for Microsoft Azure. | 9.8 |
2022-10-25 | CVE-2022-39341 | Openfga | Unspecified vulnerability in Openfga OpenFGA is an authorization/permission engine. | 9.8 |
2022-10-25 | CVE-2022-39342 | Openfga | Unspecified vulnerability in Openfga OpenFGA is an authorization/permission engine. | 9.8 |
2022-10-25 | CVE-2022-3393 | Bestwebsoft | Unspecified vulnerability in Bestwebsoft Post to CSV The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection | 9.8 |
2022-10-24 | CVE-2021-26727 | Lannerinc | Out-of-bounds Write vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 Multiple command injection and stack-based buffer overflow vulnerabilities in the SubNet_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). | 9.8 |
2022-10-24 | CVE-2021-26728 | Lannerinc | Out-of-bounds Write vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). | 9.8 |
2022-10-24 | CVE-2021-26729 | Lannerinc | Out-of-bounds Write vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 Command injection and multiple stack-based buffer overflow vulnerabilities in the Login_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). | 9.8 |
2022-10-24 | CVE-2021-26730 | Lannerinc | Out-of-bounds Write vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 A stack-based buffer overflow vulnerability in a subfunction of the Login_handler_func function of spx_restservice allows an attacker to execute arbitrary code with the same privileges as the server user (root). | 9.8 |
2022-10-24 | CVE-2021-26731 | Lannerinc | Out-of-bounds Write vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 Command injection and multiple stack-based buffer overflow vulnerabilities in the modifyUserb_func function of spx_restservice allow an authenticated attacker to execute arbitrary code with the same privileges as the server user (root). | 9.8 |
2022-10-24 | CVE-2021-42010 | Apache | Improper Encoding or Escaping of Output vulnerability in Apache Heron Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. | 9.8 |
2022-10-24 | CVE-2022-39305 | GIN VUE Admin Project | Unrestricted Upload of File with Dangerous Type vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. | 9.8 |
2022-10-24 | CVE-2022-40984 | Yokogawa | Out-of-bounds Write vulnerability in Yokogawa Wtviewere 761941 and Wtviewerefree Stack-based buffer overflow in WTViewerE series WTViewerE 761941 from 1.31 to 1.61 and WTViewerEfree from 1.01 to 1.52 allows an attacker to cause the product to crash by processing a long file name. | 9.8 |
2022-10-28 | CVE-2022-31678 | Vmware | XXE vulnerability in VMWare Cloud Foundation and NSX Data Center VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. | 9.1 |
2022-10-27 | CVE-2022-2782 | Octopus | Insufficient Session Expiration vulnerability in Octopus Server In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | 9.1 |
2022-10-25 | CVE-2022-27623 | Synology | Missing Authentication for Critical Function vulnerability in Synology Diskstation Manager Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors. | 9.1 |
2022-10-25 | CVE-2022-33897 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16 A directory traversal vulnerability exists in the web_server /ajax/remove/ functionality of Robustel R1510 3.1.16. | 9.1 |
2022-10-24 | CVE-2021-46848 | GNU Fedoraproject Debian | Off-by-one Error vulnerability in multiple products GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. | 9.1 |
138 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-30 | CVE-2022-44019 | Totaljs | OS Command Injection vulnerability in Totaljs Total.Js In Total.js 4 before 0e5ace7, /api/common/ping can achieve remote command execution via shell metacharacters in the host parameter. | 8.8 |
2022-10-28 | CVE-2022-3401 | Bricksbuilder | Unspecified vulnerability in Bricksbuilder Bricks The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. | 8.8 |
2022-10-28 | CVE-2022-2475 | Haascnc | Unspecified vulnerability in Haascnc Haas Controller Firmware 100.20.000.1110 Haas Controller version 100.20.000.1110 has insufficient granularity of access control when using the "Ethernet Q Commands" service. | 8.8 |
2022-10-28 | CVE-2022-2864 | Superwhite | Unspecified vulnerability in Superwhite Demon Image Annotation The demon image annotation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7. | 8.8 |
2022-10-28 | CVE-2021-35387 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Hospital Management System 4.0 Hospital Management System v 4.0 is vulnerable to SQL Injection via file:hospital/hms/admin/view-patient.php. | 8.8 |
2022-10-28 | CVE-2022-3512 | Cloudflare | Unspecified vulnerability in Cloudflare Warp Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint. | 8.8 |
2022-10-28 | CVE-2022-3733 | WEB Based Student Clearance System Project | Unspecified vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System A vulnerability was found in SourceCodester Web-Based Student Clearance System. | 8.8 |
2022-10-27 | CVE-2022-40967 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckIoTHubNameExisted. | 8.8 |
2022-10-27 | CVE-2022-41133 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in GetDIAE_line_message_settingsListParameters. | 8.8 |
2022-10-27 | CVE-2022-41773 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckDIACloud. | 8.8 |
2022-10-27 | CVE-2022-0073 | Litespeedtech | Improper Input Validation vulnerability in Litespeedtech Openlitespeed Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. | 8.8 |
2022-10-27 | CVE-2022-0074 | Litespeedtech | Untrusted Search Path vulnerability in Litespeedtech Openlitespeed Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. | 8.8 |
2022-10-27 | CVE-2022-43340 | Dzzoffice | Cross-Site Request Forgery (CSRF) vulnerability in Dzzoffice 2.02.1 A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. | 8.8 |
2022-10-27 | CVE-2022-41996 | Theme Fusion | Cross-Site Request Forgery (CSRF) vulnerability in Theme-Fusion Avada Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation. | 8.8 |
2022-10-26 | CVE-2022-39286 | Jupyter Debian Fedoraproject | Uncontrolled Search Path Element vulnerability in multiple products Jupyter Core is a package for the core common functionality of Jupyter projects. | 8.8 |
2022-10-26 | CVE-2022-39361 | Metabase | Unspecified vulnerability in Metabase Metabase is data visualization software. | 8.8 |
2022-10-26 | CVE-2022-39362 | Metabase | Unspecified vulnerability in Metabase Metabase is data visualization software. | 8.8 |
2022-10-26 | CVE-2022-37202 | Jflyfox | SQL Injection vulnerability in Jflyfox Jfinal CMS 5.1.0 JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list. | 8.8 |
2022-10-26 | CVE-2022-39944 | Apache | Deserialization of Untrusted Data vulnerability in Apache Linkis In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. | 8.8 |
2022-10-26 | CVE-2022-40238 | Cert | Deserialization of Untrusted Data vulnerability in Cert Vince A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. | 8.8 |
2022-10-26 | CVE-2022-43749 | Synology | Unspecified vulnerability in Synology Presto File Server Improper privilege management vulnerability in summary report management in Synology Presto File Server before 2.1.2-1601 allows remote authenticated users to bypass security constraint via unspecified vectors. | 8.8 |
2022-10-25 | CVE-2022-28169 | Broadcom | Improper Privilege Management vulnerability in Broadcom Fabric Operating System Brocade Webtools in Brocade Fabric OS versions before Brocade Fabric OS versions v9.1.1, v9.0.1e, and v8.2.3c could allow a low-privilege webtools user to gain elevated admin rights or privileges beyond what is intended or entitled for that user. | 8.8 |
2022-10-25 | CVE-2022-33179 | Broadcom | Unspecified vulnerability in Broadcom Fabric Operating System A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, and 7.4.2j could allow a local authenticated user to break out of restricted shells with “set context” and escalate privileges. | 8.8 |
2022-10-25 | CVE-2022-33183 | Broadcom | Out-of-bounds Write vulnerability in Broadcom Fabric Operating System A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a remote authenticated attacker to perform a stack buffer overflow using the “firmwaredownload” and “diagshow” commands. | 8.8 |
2022-10-25 | CVE-2022-38181 | ARM | Use After Free vulnerability in ARM products The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. | 8.8 |
2022-10-25 | CVE-2022-36451 | Mitel | Server-Side Request Forgery (SSRF) vulnerability in Mitel Micollab A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. | 8.8 |
2022-10-25 | CVE-2022-36453 | Mitel | Unspecified vulnerability in Mitel Micollab A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. | 8.8 |
2022-10-25 | CVE-2022-30603 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An OS command injection vulnerability exists in the web interface /action/iperf functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-32586 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An OS command injection vulnerability exists in the web interface /action/ipcamRecordPost functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-32775 | Goabode | Integer Overflow or Wraparound vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An integer overflow vulnerability exists in the web interface /action/ipcamRecordPost functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35132 | Webmin | OS Command Injection vulnerability in Webmin Usermin Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module. | 8.8 |
2022-10-25 | CVE-2022-35878 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35879 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35880 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35881 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35884 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35885 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35886 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-35887 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. | 8.8 |
2022-10-25 | CVE-2022-39326 | Kartverket | Code Injection vulnerability in Kartverket Github-Workflows kartverket/github-workflows are shared reusable workflows for GitHub Actions. | 8.8 |
2022-10-25 | CVE-2022-3246 | Adenion | Unspecified vulnerability in Adenion Blog2Social The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers. | 8.8 |
2022-10-25 | CVE-2022-3395 | Soflyy | Unspecified vulnerability in Soflyy WP ALL Export The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users who have been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. | 8.8 |
2022-10-24 | CVE-2021-46279 | Lannerinc | Session Fixation vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. | 8.8 |
2022-10-26 | CVE-2022-20933 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. | 8.6 |
2022-10-28 | CVE-2022-3337 | Cloudflare | Missing Authorization vulnerability in Cloudflare Warp Mobile Client It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch feature being enabled on Zero Trust Platform. | 8.5 |
2022-10-28 | CVE-2022-3321 | Cloudflare | Missing Authorization vulnerability in Cloudflare Warp Mobile Client It was possible to bypass Lock WARP switch feature https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch on the WARP iOS mobile client by enabling both "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. | 8.2 |
2022-10-29 | CVE-2022-42915 | Haxx Fedoraproject Netapp Apple Splunk | Double Free vulnerability in multiple products curl before 7.86.0 has a double free. | 8.1 |
2022-10-28 | CVE-2022-3708 | Google | Server-Side Request Forgery (SSRF) vulnerability in Google web Stories The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. | 8.1 |
2022-10-26 | CVE-2022-20822 | Cisco | Improper Input Validation vulnerability in Cisco Identity Services Engine 3.1/3.2 A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to read and delete files on an affected device. | 8.1 |
2022-10-25 | CVE-2022-29475 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z An information disclosure vulnerability exists in the XFINDER functionality of Abode Systems, Inc. | 8.1 |
2022-10-25 | CVE-2022-38196 | Esri | Path Traversal vulnerability in Esri Arcgis Server Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory. | 8.1 |
2022-10-28 | CVE-2022-2474 | Haascnc | Missing Authentication for Critical Function vulnerability in Haascnc Haas Controller Firmware 100.20.000.1110 Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the “Ethernet Q Commands” service, which allows any user on the same network segment as the controller (even while connected remotely) to access the service and write unauthorized macros to the device. | 8.0 |
2022-10-29 | CVE-2022-41974 | Opensvc Fedoraproject Debian | Improper Privilege Management vulnerability in multiple products multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. | 7.8 |
2022-10-29 | CVE-2022-41973 | Opensvc Fedoraproject Debian | Link Following vulnerability in multiple products multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. | 7.8 |
2022-10-28 | CVE-2022-43281 | Webassembly | Out-of-bounds Write vulnerability in Webassembly Wasm 1.0.29 wasm-interp v1.0.29 was discovered to contain a heap overflow via the component std::vector<wabt::Type, std::allocator<wabt::Type>>::size() at /bits/stl_vector.h. | 7.8 |
2022-10-27 | CVE-2022-3378 | Hornerautomation | Access of Uninitialized Pointer vulnerability in Hornerautomation Cscape Horner Automation's Cscape version 9.90 SP 7 and prior does not properly validate user-supplied data. | 7.8 |
2022-10-27 | CVE-2022-3379 | Hornerautomation | Out-of-bounds Write vulnerability in Hornerautomation Cscape Horner Automation's Cscape version 9.90 SP7 and prior does not properly validate user-supplied data. | 7.8 |
2022-10-26 | CVE-2022-3662 | Axiosys | Use After Free vulnerability in Axiosys Bento4 1.6.0639 A vulnerability was found in Axiomatic Bento4. | 7.8 |
2022-10-26 | CVE-2022-3664 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 A vulnerability classified as critical has been found in Axiomatic Bento4. | 7.8 |
2022-10-26 | CVE-2022-3665 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 A vulnerability classified as critical was found in Axiomatic Bento4. | 7.8 |
2022-10-26 | CVE-2022-3666 | Axiosys | Use After Free vulnerability in Axiosys Bento4 1.6.0639 A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. | 7.8 |
2022-10-26 | CVE-2022-3670 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 A vulnerability was found in Axiomatic Bento4. | 7.8 |
2022-10-26 | CVE-2022-31256 | Opensuse | Unspecified vulnerability in Opensuse Factory An Improper Link Resolution Before File Access ('Link Following') vulnerability in a script called by the sendmail systemd service of openSUSE Factory allows local attackers to escalate from user mail to root. | 7.8 |
2022-10-25 | CVE-2022-33182 | Broadcom | Unspecified vulnerability in Broadcom Fabric Operating System A privilege escalation vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, could allow a local authenticated user to escalate its privilege to root using switch commands “supportlink”, “firmwaredownload”, “portcfgupload”, “license”, and “fosexec”. | 7.8 |
2022-10-25 | CVE-2022-33184 | Broadcom | Out-of-bounds Write vulnerability in Broadcom Fabric Operating System A vulnerability in fab_seg.c.h libraries of all Brocade Fabric OS versions before Brocade Fabric OS v9.1.1, v9.0.1e, v8.2.3c, v8.2.0_cbn5, 7.4.2j could allow local authenticated attackers to exploit stack-based buffer overflows and execute arbitrary code as the root user account. | 7.8 |
2022-10-25 | CVE-2022-33185 | Broadcom | Out-of-bounds Write vulnerability in Broadcom Fabric Operating System Several commands in Brocade Fabric OS before Brocade Fabric OS v.9.0.1e, and v9.1.0 use unsafe string functions to process user input. | 7.8 |
2022-10-24 | CVE-2022-41796 | Sony | Uncontrolled Search Path Element vulnerability in Sony Content Transfer 1.3 Untrusted search path vulnerability in the installer of Content Transfer (for Windows) Ver.1.3 and prior allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | 7.8 |
2022-10-27 | CVE-2022-41627 | Alivecor | Cleartext Transmission of Sensitive Information vulnerability in Alivecor products The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. | 7.6 |
2022-10-29 | CVE-2022-42916 | Haxx Fedoraproject Apple Splunk | Cleartext Transmission of Sensitive Information vulnerability in multiple products In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. | 7.5 |
2022-10-28 | CVE-2022-43284 | F5 | Unspecified vulnerability in F5 NJS 0.7.2/0.7.3/0.7.4 Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a segmentation violation via njs_scope_valid_value at njs_scope.h. | 7.5 |
2022-10-28 | CVE-2022-43285 | F5 | Unspecified vulnerability in F5 NJS 0.7.4 Nginx NJS v0.7.4 was discovered to contain a segmentation violation in njs_promise_reaction_job. | 7.5 |
2022-10-28 | CVE-2022-41636 | Haascnc | Cleartext Transmission of Sensitive Information vulnerability in Haascnc Haas Controller 100.20.000.1110 Communication traffic involving "Ethernet Q Commands" service of Haas Controller version 100.20.000.1110 is transmitted in cleartext. | 7.5 |
2022-10-28 | CVE-2022-37426 | Opennebula | Unrestricted Upload of File with Dangerous Type vulnerability in Opennebula Unrestricted Upload of File with Dangerous Type vulnerability in OpenNebula OpenNebula core on Linux allows File Content Injection. | 7.5 |
2022-10-28 | CVE-2022-3697 | Redhat | Unspecified vulnerability in Redhat Ansible and Ansible Collection A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. | 7.5 |
2022-10-28 | CVE-2022-3322 | Cloudflare | Improper Verification of Cryptographic Signature vulnerability in Cloudflare Warp Mobile Client Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action. | 7.5 |
2022-10-28 | CVE-2022-3616 | Cloudflare | Excessive Iteration vulnerability in Cloudflare Octorpki Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. | 7.5 |
2022-10-28 | CVE-2021-38399 | Honeywell | Path Traversal vulnerability in Honeywell products Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories. | 7.5 |
2022-10-27 | CVE-2022-40874 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1 Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow vulnerability in the GetParentControlInfo function, which can cause a denial of service attack through a carefully constructed http request. | 7.5 |
2022-10-27 | CVE-2022-40875 | Tenda | Out-of-bounds Write vulnerability in Tenda Ax1803 Firmware 1.0.0.1 Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow in the function GetParentControlInfo. | 7.5 |
2022-10-27 | CVE-2022-43364 | IP COM | Unspecified vulnerability in Ip-Com EW9 Firmware 15.11.0.14 An access control issue in the password reset page of IP-COM EW9 V15.11.0.14(9732) allows unauthenticated attackers to arbitrarily change the admin password. | 7.5 |
2022-10-27 | CVE-2022-43365 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com EW9 Firmware 15.11.0.14 IP-COM EW9 V15.11.0.14(9732) was discovered to contain a buffer overflow in the formSetDebugCfg function. | 7.5 |
2022-10-27 | CVE-2022-43366 | IP COM | Unspecified vulnerability in Ip-Com EW9 Firmware 15.11.0.14 IP-COM EW9 V15.11.0.14(9732) allows unauthenticated attackers to access sensitive information via the checkLoginUser, ate, telnet, version, setDebugCfg, and boot interfaces. | 7.5 |
2022-10-27 | CVE-2022-3725 | Wireshark Fedoraproject | Out-of-bounds Write vulnerability in multiple products Crash in the OPUS protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file. | 7.5 |
2022-10-27 | CVE-2022-38744 | Rockwellautomation | Improper Authentication vulnerability in Rockwellautomation Factorytalk Alarms and Events An unauthenticated attacker with network access to a victim's Rockwell Automation FactoryTalk Alarm and Events service could open a connection, causing the service to fault and become unavailable. | 7.5 |
2022-10-27 | CVE-2022-2809 | Openbmc Project | Out-of-bounds Write vulnerability in Openbmc-Project Openbmc 2.10.0/2.11.0 A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. | 7.5 |
2022-10-27 | CVE-2022-3409 | Openbmc Project | Out-of-bounds Write vulnerability in Openbmc-Project Openbmc 2.10.0/2.11.0 A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. | 7.5 |
2022-10-27 | CVE-2022-25918 | Shescape Project | Unspecified vulnerability in Shescape Project Shescape 1.5.10/1.6.0 The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function. | 7.5 |
2022-10-26 | CVE-2022-3705 | VIM Fedoraproject Debian Netapp | A vulnerability was found in vim and classified as problematic. | 7.5 |
2022-10-26 | CVE-2022-3667 | Axiosys | Out-of-bounds Write vulnerability in Axiosys Bento4 1.6.0639 A vulnerability, which was classified as critical, was found in Axiomatic Bento4. | 7.5 |
2022-10-26 | CVE-2022-42999 | Dlink | OS Command Injection vulnerability in Dlink Dir-816 Firmware 1.10B05 D-Link DIR-816 A2 1.10 B05 was discovered to contain multiple command injection vulnerabilities via the admuser and admpass parameters at /goform/setSysAdm. | 7.5 |
2022-10-26 | CVE-2022-43766 | Apache | Unspecified vulnerability in Apache Iotdb Apache IoTDB versions 0.12.2 to 0.12.6 and 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. | 7.5 |
2022-10-26 | CVE-2022-43748 | Synology | Unspecified vulnerability in Synology Presto File Server Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file operation management in Synology Presto File Server before 2.1.2-1601 allows remote attackers to write arbitrary files via unspecified vectors. | 7.5 |
2022-10-25 | CVE-2022-39354 | EVM Project | Always-Incorrect Control Flow Implementation vulnerability in EVM Project EVM SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. | 7.5 |
2022-10-25 | CVE-2022-32760 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z A denial of service vulnerability exists in the XCMD doDebug functionality of Abode Systems, Inc. | 7.5 |
2022-10-25 | CVE-2022-35261 | Robustel | Out-of-bounds Read vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35262 | Robustel | Out-of-bounds Read vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35263 | Robustel | Out-of-bounds Read vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35264 | Robustel | Out-of-bounds Read vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35265 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35266 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35267 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35268 | Robustel | Improper Handling of Exceptional Conditions vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35269 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35270 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-35271 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.5 |
2022-10-25 | CVE-2022-38870 | Free5Gc | Missing Authentication for Critical Function vulnerability in Free5Gc 3.2.1 Free5gc v3.2.1 is vulnerable to Information disclosure. | 7.5 |
2022-10-25 | CVE-2022-39345 | GIN VUE Admin Project | Path Traversal vulnerability in Gin-Vue-Admin Project Gin-Vue-Admin Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. | 7.5 |
2022-10-25 | CVE-2022-41704 | Apache Debian | Server-Side Request Forgery (SSRF) vulnerability in multiple products A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. | 7.5 |
2022-10-25 | CVE-2022-42890 | Apache Debian | Server-Side Request Forgery (SSRF) vulnerability in multiple products A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. | 7.5 |
2022-10-24 | CVE-2021-26733 | Lannerinc | Unspecified vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 A broken access control vulnerability in the FirstReset_handler_func function of spx_restservice allows an attacker to arbitrarily send reboot commands to the BMC, causing a Denial-of-Service (DoS) condition. | 7.5 |
2022-10-24 | CVE-2021-44467 | Lannerinc | Unspecified vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 A broken access control vulnerability in the KillDupUsr_func function of spx_restservice allows an attacker to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition, if an input parameter is correctly guessed. | 7.5 |
2022-10-24 | CVE-2022-39313 | Parseplatform | Improper Validation of Specified Quantity in Input vulnerability in Parseplatform Parse-Server Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. | 7.5 |
2022-10-24 | CVE-2022-41986 | IIJ | Unspecified vulnerability in IIJ Smartkey Information disclosure vulnerability in Android App 'IIJ SmartKey' versions prior to 2.1.4 allows an attacker to obtain a one-time password issued by the product under certain conditions. | 7.5 |
2022-10-24 | CVE-2022-43680 | Libexpat Project Debian Fedoraproject Netapp | Use After Free vulnerability in multiple products In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. | 7.5 |
2022-10-24 | CVE-2021-4228 | Lannerinc | Use of Hard-coded Credentials vulnerability in Lannerinc Iac-Ast2500 Firmware 1.00.0 Use of hard-coded TLS certificate by default allows an attacker to perform Man-in-the-Middle (MitM) attacks even in the presence of the HTTPS connection. | 7.4 |
2022-10-28 | CVE-2021-36898 | Expresstech | SQL Injection vulnerability in Expresstech Quiz and Survey Master Auth. | 7.2 |
2022-10-28 | CVE-2022-43228 | Barangay Management System Project | SQL Injection vulnerability in Barangay Management System Project Barangay Management System 1.0 Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /clearance/clearance.php. | 7.2 |
2022-10-28 | CVE-2022-43229 | Simple Cold Storage Management System Project | SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0 Simple Cold Storage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /bookings/update_status.php. | 7.2 |
2022-10-28 | CVE-2022-43230 | Simple Cold Storage Management System Project | SQL Injection vulnerability in Simple Cold Storage Management System Project Simple Cold Storage Management System 1.0 Simple Cold Storage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=bookings/view_details. | 7.2 |
2022-10-28 | CVE-2022-43231 | Canteen Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Canteen Management System Project Canteen Management System 1.0 Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /youthappam/manage_website.php. | 7.2 |
2022-10-28 | CVE-2022-43232 | Canteen Management System Project | SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0 Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchOrderData.php. | 7.2 |
2022-10-28 | CVE-2022-43233 | Canteen Management System Project | SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0 Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchSelectedUser.php. | 7.2 |
2022-10-28 | CVE-2022-43275 | Canteen Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Canteen Management System Project Canteen Management System 1.0 Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /youthappam/php_action/editProductImage.php. | 7.2 |
2022-10-28 | CVE-2022-43276 | Canteen Management System Project | SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0 Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the productId parameter at /php_action/fetchSelectedfood.php. | 7.2 |
2022-10-27 | CVE-2022-39977 | Online PET Shop WE APP Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0 Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the User module. | 7.2 |
2022-10-27 | CVE-2022-39978 | Online PET Shop WE APP Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online PET Shop WE APP Project Online PET Shop WE APP 1.0 Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the Product List module. | 7.2 |
2022-10-26 | CVE-2022-20811 | Cisco | Path Traversal vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. | 7.2 |
2022-10-25 | CVE-2022-33178 | Broadcom | Improper Input Validation vulnerability in Broadcom Fabric Operating System A vulnerability in the radius authentication system of Brocade Fabric OS before Brocade Fabric OS 9.0 could allow a remote attacker to execute arbitrary code on the Brocade switch. | 7.2 |
2022-10-25 | CVE-2022-34850 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 An OS command injection vulnerability exists in the web_server /action/import_authorized_keys/ functionality of Robustel R1510 3.1.16 and 3.3.0. | 7.2 |
2022-10-25 | CVE-2022-3300 | 10Web | Unspecified vulnerability in 10Web Form Maker The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. | 7.2 |
2022-10-25 | CVE-2022-3302 | Cleantalk | Unspecified vulnerability in Cleantalk Spam Protection, Antispam, Firewall The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin. | 7.2 |
2022-10-25 | CVE-2022-3335 | Kadencewp | Unspecified vulnerability in Kadencewp Kadence Woocommerce Email Designer The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | 7.2 |
2022-10-25 | CVE-2022-3394 | Soflyy | Unspecified vulnerability in Soflyy WP ALL Export The WP All Export Pro WordPress plugin before 1.7.9 does not limit some functionality during exports only to users with the Administrator role, allowing any logged-in user who has been given privileges to perform exports to execute arbitrary code on the site. | 7.2 |
2022-10-24 | CVE-2021-46850 | Vestacp | Argument Injection or Modification vulnerability in Vestacp Control Panel and Vesta Control Panel myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. | 7.2 |
2022-10-28 | CVE-2022-43280 | Webassembly | Out-of-bounds Read vulnerability in Webassembly Wabt 1.0.29 wasm-interp v1.0.29 was discovered to contain an out-of-bounds read via the component OnReturnCallExpr->GetReturnCallDropKeepCount. | 7.1 |
2022-10-28 | CVE-2022-43282 | Webassembly | Out-of-bounds Read vulnerability in Webassembly Wabt 1.0.29 wasm-interp v1.0.29 was discovered to contain an out-of-bounds read via the component OnReturnCallIndirectExpr->GetReturnCallDropKeepCount. | 7.1 |
2022-10-26 | CVE-2022-20954 | Cisco | Path Traversal vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. | 7.1 |
2022-10-26 | CVE-2022-20955 | Cisco | Path Traversal vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. | 7.1 |
115 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-27 | CVE-2022-31898 | GL Inet | OS Command Injection vulnerability in Gl-Inet Gl-Ax1800 Firmware and Gl-Mt300N-V2 Firmware gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters. | 6.8 |
2022-10-26 | CVE-2022-20776 | Cisco | Path Traversal vulnerability in Cisco Telepresence Collaboration Endpoint Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. | 6.7 |
2022-10-26 | CVE-2022-43750 | Linux Debian | Out-of-bounds Write vulnerability in multiple products drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory. | 6.7 |
2022-10-28 | CVE-2022-3228 | Hosteng | Out-of-bounds Write vulnerability in Hosteng H0-Ecom100 Firmware Using custom code, an attacker can write into name or description fields larger than the appropriate buffer size causing a stack-based buffer overflow on Host Engineering H0-ECOM100 Communications Module Firmware versions v5.0.155 and prior. | 6.5 |
2022-10-28 | CVE-2022-3400 | Bricksbuilder | Missing Authorization vulnerability in Bricksbuilder Bricks The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. | 6.5 |
2022-10-28 | CVE-2022-37424 | Opennebula | Files or Directories Accessible to External Parties vulnerability in Opennebula Files or Directories Accessible to External Parties vulnerability in OpenNebula on Linux allows File Discovery. | 6.5 |
2022-10-28 | CVE-2022-39367 | Qtiworks Project | Path Traversal vulnerability in Qtiworks Project Qtiworks 1.0 QTIWorks is a software suite for standards-based assessment delivery. | 6.5 |
2022-10-28 | CVE-2022-26884 | Apache | Path Traversal vulnerability in Apache Dolphinscheduler Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher. | 6.5 |
2022-10-27 | CVE-2022-42055 | GL Inet | OS Command Injection vulnerability in Gl-Inet Goodcloud 1.00.220412.00 Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system. | 6.5 |
2022-10-27 | CVE-2022-24669 | Forgerock | Missing Authorization vulnerability in Forgerock Access Management It may be possible to gain some details of the deployment through a well-crafted attack. | 6.5 |
2022-10-27 | CVE-2022-24670 | Forgerock | Unspecified vulnerability in Forgerock Access Management An attacker can use the unrestricted LDAP queries to determine configuration entries. | 6.5 |
2022-10-27 | CVE-2022-39364 | Nextcloud | Cleartext Storage of Sensitive Information vulnerability in Nextcloud Enterprise Server and Nextcloud Server Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. | 6.5 |
2022-10-26 | CVE-2022-39358 | Metabase | Improper Locking vulnerability in Metabase Metabase is data visualization software. | 6.5 |
2022-10-26 | CVE-2022-39359 | Metabase | Open Redirect vulnerability in Metabase Metabase is data visualization software. | 6.5 |
2022-10-26 | CVE-2022-39360 | Metabase | Improper Authentication vulnerability in Metabase Metabase is data visualization software. | 6.5 |
2022-10-26 | CVE-2022-43776 | Metabase | Server-Side Request Forgery (SSRF) vulnerability in Metabase The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. | 6.5 |
2022-10-25 | CVE-2022-28170 | Broadcom | Insecure Storage of Sensitive Information vulnerability in Broadcom Fabric Operating System Brocade Fabric OS Web Application services before Brocade Fabric v9.1.0, v9.0.1e, v8.2.3c, v7.4.2j store server and user passwords in the debug statements. | 6.5 |
2022-10-25 | CVE-2022-36454 | Mitel | Unspecified vulnerability in Mitel Micollab A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. | 6.5 |
2022-10-25 | CVE-2022-2762 | Adminpad Project | Unspecified vulnerability in Adminpad Project Adminpad The AdminPad WordPress plugin before 2.2 does not have a CSRF check when updating the admin's note, allowing attackers to make a logged-in admin update their notes via a CSRF attack. | 6.5 |
2022-10-25 | CVE-2022-32574 | Goabode | Unspecified vulnerability in Goabode Iota All-In-One Security KIT Firmware 6.9X/6.9Z A double-free vulnerability exists in the web interface /action/ipcamSetParamPost functionality of Abode Systems, Inc. | 6.5 |
2022-10-25 | CVE-2022-33757 | Tenable | Unspecified vulnerability in Tenable Nessus An authenticated attacker could read Nessus Debug Log file attachments from the web UI without having the correct privileges to do so. | 6.5 |
2022-10-25 | CVE-2022-3097 | Laubrotel | Unspecified vulnerability in Laubrotel Lbstopattack 1.1.1/1.1.2 The Plugin LBstopattack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. | 6.5 |
2022-10-25 | CVE-2022-3247 | Adenion | Unspecified vulnerability in Adenion Blog2Social The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. | 6.5 |
2022-10-24 | CVE-2021-44769 | Lannerinc | Improper Input Validation vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 An improper input validation vulnerability in the TLS certificate generation function allows an attacker to cause a Denial-of-Service (DoS) condition which can only be reverted via a factory reset. | 6.5 |
2022-10-24 | CVE-2022-3676 | Eclipse | Type Confusion vulnerability in Eclipse Openj9 In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. | 6.5 |
2022-10-24 | CVE-2022-41797 | Lemon8 Project | Missing Authorization vulnerability in Lemon8 Project Lemon8 Improper authorization in handler for custom URL scheme vulnerability in Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | 6.5 |
2022-10-24 | CVE-2022-41799 | Weseek | Unspecified vulnerability in Weseek Growi Improper access control vulnerability in GROWI prior to v5.1.4 (v5 series) and versions prior to v4.5.25 (v4 series) allows a remote authenticated attacker to bypass access restriction and download the markdown data from the pages set to private by the other users. | 6.5 |
2022-10-30 | CVE-2022-44032 | Linux | Race Condition vulnerability in Linux Kernel An issue was discovered in the Linux kernel through 6.0.6. | 6.4 |
2022-10-30 | CVE-2022-44033 | Linux | Race Condition vulnerability in Linux Kernel An issue was discovered in the Linux kernel through 6.0.6. | 6.4 |
2022-10-30 | CVE-2022-44034 | Linux | Race Condition vulnerability in Linux Kernel An issue was discovered in the Linux kernel through 6.0.6. | 6.4 |
2022-10-28 | CVE-2022-3402 | Facetwp | Unspecified vulnerability in Facetwp LOG Http Requests The Log HTTP Requests plugin for WordPress is vulnerable to Stored Cross-Site Scripting via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. | 6.1 |
2022-10-28 | CVE-2021-38728 | SEM CMS | Cross-site Scripting vulnerability in Sem-Cms Semcms 1.1 SEMCMS SHOP v 1.1 is vulnerable to Cross Site Scripting (XSS) via Ant_M_Coup.php. | 6.1 |
2022-10-28 | CVE-2021-36206 | Johnsoncontrols | Cross-site Scripting vulnerability in Johnsoncontrols Cevas All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries. | 6.1 |
2022-10-27 | CVE-2022-32407 | Softr | Cross-site Scripting vulnerability in Softr 2.0 Softr v2.0 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via the First Name parameter under the Create A New Account module. | 6.1 |
2022-10-27 | CVE-2022-36182 | Hashicorp | Improper Restriction of Rendered UI Layers or Frames vulnerability in Hashicorp Boundary Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking, which allows for the interception of login credentials, redirection of users to malicious sites, or causing users to perform malicious actions on the site. | 6.1 |
2022-10-26 | CVE-2022-40703 | Alivecor | Improper Authentication vulnerability in Alivecor Kardia 5.17.1754993421 CWE-302 Authentication Bypass by Assumed-Immutable Data in AliveCor Kardia App version 5.17.1-754993421 and prior on Android allows an unauthenticated attacker with physical access to the Android device containing the app to bypass application authentication and alter information in the app. | 6.1 |
2022-10-26 | CVE-2022-3672 | Sanitization Management System Project | Cross-site Scripting vulnerability in Sanitization Management System Project Sanitization Management System 1.0 A vulnerability, which was classified as problematic, has been found in SourceCodester Sanitization Management System 1.0. | 6.1 |
2022-10-26 | CVE-2022-3673 | Sanitization Management System Project | Cross-site Scripting vulnerability in Sanitization Management System Project Sanitization Management System 1.0 A vulnerability, which was classified as problematic, was found in SourceCodester Sanitization Management System 1.0. | 6.1 |
2022-10-26 | CVE-2022-25849 | Hyperdown Project | Cross-site Scripting vulnerability in Hyperdown Project Hyperdown The package joyqi/hyper-down from 0.0.0 are vulnerable to Cross-site Scripting (XSS) because the module of parse markdown does not filter the href attribute very well. | 6.1 |
2022-10-25 | CVE-2022-27913 | Joomla | Cross-site Scripting vulnerability in Joomla Joomla! An issue was discovered in Joomla! 4.2.0 through 4.2.3. | 6.1 |
2022-10-25 | CVE-2022-31468 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange OX APP Suite 7.10.5/7.10.6 OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter. | 6.1 |
2022-10-25 | CVE-2022-38162 | Withsecure | Cross-site Scripting vulnerability in Withsecure F-Secure Policy Manager Reflected cross-site scripting (XSS) vulnerabilities in WithSecure F-Secure Policy Manager (through 2022-08-10) exist due to an unvalidated parameter in the endpoint, which allows remote attackers to provide malicious input. | 6.1 |
2022-10-25 | CVE-2022-38195 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server There is a reflected cross-site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker who is able to convince a user to click on a crafted link to potentially execute arbitrary JavaScript code in the victim’s browser. | 6.1 |
2022-10-25 | CVE-2022-38197 | Esri | Open Redirect vulnerability in Esri Arcgis Server Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter. | 6.1 |
2022-10-25 | CVE-2022-38198 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser. | 6.1 |
2022-10-25 | CVE-2022-38199 | Esri | Download of Code Without Integrity Check vulnerability in Esri Arcgis Server 10.7.1/10.8.1/10.9.1 A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. | 6.1 |
2022-10-25 | CVE-2022-38200 | Esri | Cross-site Scripting vulnerability in Esri Arcgis Server 10.7.1/10.8.1 A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. | 6.1 |
2022-10-24 | CVE-2022-38117 | Juiker | Use of Hard-coded Credentials vulnerability in Juiker 4.6.0311.1 Juiker app hard-coded its AES key in the source code. | 6.1 |
2022-10-27 | CVE-2022-0072 | Litespeedtech | Path Traversal vulnerability in Litespeedtech Openlitespeed Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Path Traversal. | 5.8 |
2022-10-30 | CVE-2022-44020 | Opendev Fedoraproject | Improper Preservation of Permissions vulnerability in multiple products An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. | 5.5 |
2022-10-28 | CVE-2022-43283 | Webassembly | Unrestricted Upload of File with Dangerous Type vulnerability in Webassembly Wabt 1.0.29 wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write. | 5.5 |
2022-10-26 | CVE-2022-3663 | Axiosys | NULL Pointer Dereference vulnerability in Axiosys Bento4 1.6.0639 A vulnerability was found in Axiomatic Bento4. | 5.5 |
2022-10-26 | CVE-2022-3668 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 A vulnerability has been found in Axiomatic Bento4 and classified as problematic. | 5.5 |
2022-10-26 | CVE-2022-3669 | Axiosys | Memory Leak vulnerability in Axiosys Bento4 1.6.0639 A vulnerability was found in Axiomatic Bento4 and classified as problematic. | 5.5 |
2022-10-26 | CVE-2022-20953 | Cisco | Path Traversal vulnerability in Cisco Roomos and Telepresence Collaboration Endpoint Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. | 5.5 |
2022-10-25 | CVE-2022-33180 | Broadcom | Unspecified vulnerability in Broadcom Fabric Operating System A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5 could allow a local authenticated attacker to export out sensitive files with “seccryptocfg”, “configupload”. | 5.5 |
2022-10-25 | CVE-2022-33181 | Broadcom | Unspecified vulnerability in Broadcom Fabric Operating System An information disclosure vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a local authenticated attacker to read sensitive files using switch commands “configshow” and “supportlink”. | 5.5 |
2022-10-25 | CVE-2022-3644 | Pulpproject Redhat | Insufficiently Protected Credentials vulnerability in multiple products The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only. | 5.5 |
2022-10-25 | CVE-2022-39349 | Tasks | Exposure of Resource to Wrong Sphere vulnerability in Tasks The Tasks.org Android app is an open-source app for to-do lists and reminders. | 5.5 |
2022-10-25 | CVE-2022-39836 | Genivi | Out-of-bounds Read vulnerability in Genivi Diagnostic LOG and Trace An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. | 5.5 |
2022-10-25 | CVE-2022-39837 | Genivi | NULL Pointer Dereference vulnerability in Genivi Diagnostic LOG and Trace An issue was discovered in Connected Vehicle Systems Alliance (COVESA) dlt-daemon through 2.18.8. | 5.5 |
2022-10-25 | CVE-2022-3344 | Linux | Unspecified vulnerability in Linux Kernel A flaw was found in the KVM's AMD nested virtualization (SVM). | 5.5 |
2022-10-24 | CVE-2022-43677 | Free5Gc | Unspecified vulnerability in Free5Gc 3.2.1 In free5GC 3.2.1, a malformed NGAP message can crash the AMF and NGAP decoders via an index-out-of-range panic in aper.GetBitString. | 5.5 |
2022-10-28 | CVE-2021-36864 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master Auth. | 5.4 |
2022-10-28 | CVE-2022-43164 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 3.2.1 A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". | 5.4 |
2022-10-28 | CVE-2022-43165 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 3.2.1 A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create". | 5.4 |
2022-10-28 | CVE-2022-43166 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 3.2.1 A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity". | 5.4 |
2022-10-28 | CVE-2022-43167 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 3.2.1 A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add". | 5.4 |
2022-10-28 | CVE-2022-43169 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 3.2.1 A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group". | 5.4 |
2022-10-28 | CVE-2022-43170 | Rukovoditel | Cross-site Scripting vulnerability in Rukovoditel 3.2.1 A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block". | 5.4 |
2022-10-28 | CVE-2021-36863 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master Auth. | 5.4 |
2022-10-28 | CVE-2021-35388 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Hospital Management System 4.0 Hospital Management System v 4.0 is vulnerable to Cross Site Scripting (XSS) via /hospital/hms/admin/patient-search.php. | 5.4 |
2022-10-28 | CVE-2021-37781 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Employee Record Management System 1.2 Employee Record Management System v 1.2 is vulnerable to Cross Site Scripting (XSS) via editempprofile.php. | 5.4 |
2022-10-27 | CVE-2022-40965 | Deltaww | Cross-site Scripting vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PostEnergyType API. | 5.4 |
2022-10-27 | CVE-2022-41555 | Deltaww | Cross-site Scripting vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutLineMessageSetting API. | 5.4 |
2022-10-27 | CVE-2022-41651 | Deltaww | Cross-site Scripting vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the SetPF API. | 5.4 |
2022-10-27 | CVE-2022-41701 | Deltaww | Cross-site Scripting vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutShift API. | 5.4 |
2022-10-27 | CVE-2022-41702 | Deltaww | Cross-site Scripting vulnerability in Deltaww Diaenergie The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the InsertReg API. | 5.4 |
2022-10-27 | CVE-2022-42054 | GL Inet | Cross-site Scripting vulnerability in Gl-Inet Goodcloud 1.00.220412.00 Multiple stored cross-site scripting (XSS) vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Company Name and Description text fields. | 5.4 |
2022-10-27 | CVE-2022-42991 | Simple Online Public Access Catalog Project | Cross-site Scripting vulnerability in Simple Online Public Access Catalog Project Simple Online Public Access Catalog 1.0 A stored cross-site scripting (XSS) vulnerability in Simple Online Public Access Catalog v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Account Full Name field. | 5.4 |
2022-10-27 | CVE-2022-42993 | Password Storage Application Project | Cross-site Scripting vulnerability in Password Storage Application Project Password Storage Application 1.0 Password Storage Application v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Setup page. | 5.4 |
2022-10-27 | CVE-2022-42992 | Train Scheduler APP Project | Cross-site Scripting vulnerability in Train Scheduler APP Project Train Scheduler APP 1.0 Multiple stored cross-site scripting (XSS) vulnerabilities in Train Scheduler App v1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Train Code, Train Name, and Destination text fields. | 5.4 |
2022-10-27 | CVE-2022-3716 | Oretnom23 | Cross-site Scripting vulnerability in Oretnom23 Online Medicine Ordering System 1.0 A vulnerability classified as problematic was found in SourceCodester Online Medicine Ordering System 1.0. | 5.4 |
2022-10-26 | CVE-2022-39348 | Twisted Debian | Twisted is an event-based framework for internet applications. | 5.4 |
2022-10-26 | CVE-2022-3704 | Rubyonrails | Unspecified vulnerability in Rubyonrails Rails A vulnerability classified as problematic has been found in Ruby on Rails. | 5.4 |
2022-10-26 | CVE-2022-20959 | Cisco | Cross-site Scripting vulnerability in Cisco Identity Services Engine A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. | 5.4 |
2022-10-25 | CVE-2022-34870 | Apache | Cross-site Scripting vulnerability in Apache Geode Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries. | 5.4 |
2022-10-25 | CVE-2022-36783 | Algosec | Cross-site Scripting vulnerability in Algosec Fireflow A32.20 AlgoSec – FireFlow Reflected Cross-Site-Scripting (RXSS) A malicious user injects JavaScript code into a parameter called IntersectudRule on the search/result.html page. | 5.4 |
2022-10-25 | CVE-2022-39350 | Owasp | Cross-site Scripting vulnerability in Owasp Dependency-Track Frontend @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. | 5.4 |
2022-10-24 | CVE-2022-40690 | Bookstackapp | Cross-site Scripting vulnerability in Bookstackapp Bookstack Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script. | 5.4 |
2022-10-30 | CVE-2022-44022 | Pwndoc Project | Improper Restriction of Excessive Authentication Attempts vulnerability in Pwndoc Project Pwndoc PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts. | 5.3 |
2022-10-30 | CVE-2022-44023 | Pwndoc Project | Improper Restriction of Excessive Authentication Attempts vulnerability in Pwndoc Project Pwndoc PwnDoc through 0.5.3 might allow remote attackers to identify disabled user account names by leveraging response messages for authentication attempts. | 5.3 |
2022-10-27 | CVE-2022-3387 | Advantech | Path Traversal vulnerability in Advantech R-Seenet Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. | 5.3 |
2022-10-27 | CVE-2022-39329 | Nextcloud | Missing Authorization vulnerability in Nextcloud Enterprise Server and Nextcloud Server Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. | 5.3 |
2022-10-27 | CVE-2022-2508 | Octopus | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. | 5.3 |
2022-10-25 | CVE-2022-27912 | Joomla | Information Exposure vulnerability in Joomla Joomla! An issue was discovered in Joomla! 4.0.0 through 4.2.3. | 5.3 |
2022-10-25 | CVE-2022-35739 | Paessler | Cross-site Scripting vulnerability in Paessler Prtg Network Monitor PRTG Network Monitor through 22.2.77.2204 does not prevent custom input for a device’s icon, which can be modified to insert arbitrary content into the style tag for that device. | 5.3 |
2022-10-25 | CVE-2022-39315 | Getkirby | Information Exposure Through an Error Message vulnerability in Getkirby Kirby Kirby is a Content Management System. | 5.3 |
2022-10-25 | CVE-2022-39340 | Openfga | Missing Authorization vulnerability in Openfga OpenFGA is an authorization/permission engine. | 5.3 |
2022-10-24 | CVE-2021-26732 | Lannerinc | Unspecified vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 A broken access control vulnerability in the First_network_func function of spx_restservice allows an attacker to arbitrarily change the network configuration of the BMC. | 5.3 |
2022-10-24 | CVE-2021-44776 | Lannerinc | Unspecified vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 A broken access control vulnerability in the SubNet_handler_func function of spx_restservice allows an attacker to arbitrarily change the security access rights to KVM and Virtual Media functionalities. | 5.3 |
2022-10-24 | CVE-2021-45925 | Lannerinc | Information Exposure Through Discrepancy vulnerability in Lannerinc Iac-Ast2500A Firmware 1.10.0 Observable discrepancies in the login process allow an attacker to guess legitimate user names registered in the BMC. | 5.3 |
2022-10-28 | CVE-2022-3018 | Gitlab | Information Exposure Through Log Files vulnerability in Gitlab An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs. | 4.9 |
2022-10-28 | CVE-2021-36858 | Themepoints | Cross-site Scripting vulnerability in Themepoints Testimonials Auth. | 4.8 |
2022-10-27 | CVE-2022-40184 | Bosch | Cross-site Scripting vulnerability in Bosch Videojet Multi 4000 Firmware Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option. | 4.8 |
2022-10-25 | CVE-2022-3350 | Tech Banker | Unspecified vulnerability in Tech-Banker Contact Bank The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | 4.8 |
2022-10-25 | CVE-2022-3391 | Retain | Cross-site Scripting vulnerability in Retain Live Chat The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | 4.8 |
2022-10-25 | CVE-2022-3392 | WP Humans TXT Project | Unspecified vulnerability in WP Humans.Txt Project WP Humans.Txt 1.06 The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | 4.8 |
2022-10-24 | CVE-2022-36368 | Ipfire | Cross-site Scripting vulnerability in Ipfire Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allows a remote authenticated attacker with administrative privilege to inject an arbitrary script. | 4.8 |
2022-10-27 | CVE-2022-40183 | Bosch | Cross-site Scripting vulnerability in Bosch Videojet Multi 4000 Firmware An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. | 4.7 |
2022-10-25 | CVE-2022-39351 | Owasp | Cleartext Storage of Sensitive Information vulnerability in Owasp Dependency-Track Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. | 4.4 |
2022-10-28 | CVE-2022-2882 | Gitlab | Exposure of Resource to Wrong Sphere vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. | 4.3 |
2022-10-27 | CVE-2022-39330 | Nextcloud | Resource Exhaustion vulnerability in Nextcloud Server Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. | 4.3 |
2022-10-26 | CVE-2022-3474 | Google | Insufficiently Protected Credentials vulnerability in Google Bazel 5.0.0 A bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. | 4.3 |
2022-10-25 | CVE-2022-27622 | Synology | Unspecified vulnerability in Synology Diskstation Manager Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors. | 4.3 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-10-24 | CVE-2022-39314 | Getkirby | Improper Restriction of Excessive Authentication Attempts vulnerability in Getkirby Kirby Kirby is a flat-file CMS. | 3.7 |
2022-10-25 | CVE-2022-34845 | Robustel | Unspecified vulnerability in Robustel R1510 Firmware 3.1.16/3.3.0 A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. | 2.7 |