Weekly Vulnerabilities Reports > November 7 to 13, 2022

Overview

524 new vulnerabilities reported during this period, including 90 critical vulnerabilities and 224 high severity vulnerabilities. This weekly summary report vulnerabilities in 1710 products from 181 vendors including Microsoft, Intel, Google, Huawei, and Siemens. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Improper Input Validation", and "Unrestricted Upload of File with Dangerous Type".

  • 337 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 126 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 295 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 63 reported vulnerabilities.
  • Democritus has the most reported critical vulnerabilities, with 10 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

90 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-11-12 CVE-2022-38650 Vmware Deserialization of Untrusted Data vulnerability in VMWare Hyperic Server 5.8.6

** UNSUPPORTED WHEN ASSIGNED ** A remote unauthenticated insecure deserialization vulnerability exists in VMware Hyperic Server 5.8.6.

10.0
2022-11-10 CVE-2022-3703 Etictelecom Insufficient Verification of Data Authenticity vulnerability in Etictelecom Remote Access Server

All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s web portal is vulnerable to accepting malicious firmware packages that could provide a backdoor to an attacker and provide privilege escalation to the device.

10.0
2022-11-10 CVE-2022-40981 Etictelecom Unrestricted Upload of File with Dangerous Type vulnerability in Etictelecom Remote Access Server

All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior is vulnerable to malicious file upload.

10.0
2022-11-12 CVE-2022-38652 Vmware Deserialization of Untrusted Data vulnerability in VMWare Hyperic Agent 5.8.6

** UNSUPPORTED WHEN ASSIGNED ** A remote insecure deserialization vulnerability exixsts in VMWare Hyperic Agent 5.8.6.

9.9
2022-11-10 CVE-2022-39395 GO Vela Improper Privilege Management vulnerability in Go-Vela UI

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang.

9.9
2022-11-13 CVE-2022-3979 Nagvis Incorrect Type Conversion or Cast vulnerability in Nagvis

A vulnerability was found in NagVis up to 1.9.33 and classified as problematic.

9.8
2022-11-13 CVE-2022-3972 HMS PHP Project Improper Enforcement of Message or Data Structure vulnerability in Hms-PHP Project Hms-PHP

A vulnerability was found in Pingkon HMS-PHP.

9.8
2022-11-13 CVE-2022-3973 HMS PHP Project Improper Enforcement of Message or Data Structure vulnerability in Hms-PHP Project Hms-PHP

A vulnerability classified as critical has been found in Pingkon HMS-PHP.

9.8
2022-11-13 CVE-2022-3970 Libtiff Integer Overflow or Wraparound vulnerability in Libtiff

A vulnerability was found in LibTIFF.

9.8
2022-11-12 CVE-2022-38651 Vmware Unspecified vulnerability in VMWare Hyperic Server 5.8.6

** UNSUPPORTED WHEN ASSIGNED ** A security filter misconfiguration exists in VMware Hyperic Server 5.8.6.

9.8
2022-11-12 CVE-2022-43671 Zohocorp SQL Injection vulnerability in Zohocorp products

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

9.8
2022-11-12 CVE-2022-43672 Zohocorp SQL Injection vulnerability in Zohocorp products

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.

9.8
2022-11-11 CVE-2022-45182 Pistar Unspecified vulnerability in Pistar Pi-Star Digital Voice Dashboard

Pi-Star_DV_Dash (for Pi-Star DV) before 5aa194d mishandles the module parameter.

9.8
2022-11-11 CVE-2022-34331 IBM Improper Authentication vulnerability in IBM Powervm Hypervisor Fw1010/Fw950

After performing a sequence of Power FW950, FW1010 maintenance operations a SRIOV network adapter can be improperly configured leading to desired VEPA configuration being disabled.

9.8
2022-11-11 CVE-2022-26845 Intel Improper Authentication vulnerability in Intel Active Management Technology

Improper authentication in firmware for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

9.8
2022-11-11 CVE-2022-29486 Intel Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Intel Hyperscan

Improper buffer restrictions in the Hyperscan library maintained by Intel(R) all versions downloaded before 04/29/2022 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

9.8
2022-11-11 CVE-2022-3955 Crm42 Project SQL Injection vulnerability in Crm42 Project Crm42

A vulnerability was found in tholum crm42.

9.8
2022-11-11 CVE-2022-3956 Hhims Project SQL Injection vulnerability in Hhims Project Hhims 2.1

A vulnerability classified as critical has been found in tsruban HHIMS 2.1.

9.8
2022-11-11 CVE-2022-3947 Eolink SQL Injection vulnerability in Eolink Goku Lite

A vulnerability classified as critical has been found in eolinker goku_lite.

9.8
2022-11-11 CVE-2022-3948 Eolink SQL Injection vulnerability in Eolink Goku Lite

A vulnerability classified as critical was found in eolinker goku_lite.

9.8
2022-11-11 CVE-2022-3939 Ferry Project Path Traversal vulnerability in Ferry Project Ferry

A vulnerability, which was classified as critical, has been found in lanyulei ferry.

9.8
2022-11-11 CVE-2022-3940 Ferry Project Path Traversal vulnerability in Ferry Project Ferry

A vulnerability, which was classified as problematic, was found in lanyulei ferry.

9.8
2022-11-11 CVE-2022-41892 Archesproject SQL Injection vulnerability in Archesproject Arches

Arches is a web platform for creating, managing, & visualizing geospatial data.

9.8
2022-11-11 CVE-2022-36938 Facebook Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Facebook Redex

DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file.

9.8
2022-11-10 CVE-2022-41878 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

9.8
2022-11-10 CVE-2022-41879 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

9.8
2022-11-10 CVE-2022-39394 Bytecodealliance Out-of-bounds Write vulnerability in Bytecodealliance Wasmtime

Wasmtime is a standalone runtime for WebAssembly.

9.8
2022-11-10 CVE-2022-43074 Ayacms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ayacms Project Ayacms 3.1.2

AyaCMS v3.1.2 was discovered to contain an arbitrary file upload vulnerability via the component /admin/fst_upload.inc.php.

9.8
2022-11-10 CVE-2022-45063 Invisible Island
Fedoraproject
Command Injection vulnerability in multiple products

xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh.

9.8
2022-11-10 CVE-2022-38119 Upspowercom Improper Authentication vulnerability in Upspowercom Upsmon PRO 2.57

UPSMON Pro login function has insufficient authentication.

9.8
2022-11-10 CVE-2022-39036 Flowring Unrestricted Upload of File with Dangerous Type vulnerability in Flowring Agentflow 4.0.0.1183.552

The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs.

9.8
2022-11-10 CVE-2022-44087 Ecisp Unspecified vulnerability in Ecisp Espcms P8.21120101

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT.

9.8
2022-11-10 CVE-2022-44088 Ecisp Unspecified vulnerability in Ecisp Espcms P8.21120101

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION.

9.8
2022-11-10 CVE-2022-44089 Ecisp Unspecified vulnerability in Ecisp Espcms P8.21120101

ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE.

9.8
2022-11-10 CVE-2022-39396 Parseplatform Unspecified vulnerability in Parseplatform Parse-Server

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.

9.8
2022-11-09 CVE-2022-39892 Samsung Unspecified vulnerability in Samsung Pass

Improper access control in Samsung Pass prior to version 4.0.05.1 allows attackers to unauthenticated access via keep open feature.

9.8
2022-11-09 CVE-2022-41080 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Elevation of Privilege Vulnerability.

9.8
2022-11-09 CVE-2021-46851 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The DRM module has a vulnerability in verifying the secure memory attributes.

9.8
2022-11-09 CVE-2022-31685 Vmware Missing Authentication for Critical Function vulnerability in VMWare Workspace ONE Assist

VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability.

9.8
2022-11-09 CVE-2022-31686 Vmware Improper Authentication vulnerability in VMWare Workspace ONE Assist

VMware Workspace ONE Assist prior to 22.10 contains a Broken Authentication Method vulnerability.

9.8
2022-11-09 CVE-2022-31687 Vmware Unspecified vulnerability in VMWare Workspace ONE Assist

VMware Workspace ONE Assist prior to 22.10 contains a Broken Access Control vulnerability.

9.8
2022-11-09 CVE-2022-31689 Vmware Session Fixation vulnerability in VMWare Workspace ONE Assist

VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability.

9.8
2022-11-09 CVE-2022-43058 Online Diagnostic LAB Management System Project SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms//classes/Master.php?f=delete_activity.

9.8
2022-11-09 CVE-2022-44551 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The iaware module has a vulnerability in thread security.

9.8
2022-11-09 CVE-2022-44558 Huawei Deserialization of Untrusted Data vulnerability in Huawei Emui and Harmonyos

The AMS module has a vulnerability of serialization/deserialization mismatch.

9.8
2022-11-09 CVE-2022-44559 Huawei Deserialization of Untrusted Data vulnerability in Huawei Emui and Harmonyos

The AMS module has a vulnerability of serialization/deserialization mismatch.

9.8
2022-11-09 CVE-2022-44562 Huawei Improper Privilege Management vulnerability in Huawei Emui and Harmonyos

The system framework layer has a vulnerability of serialization/deserialization mismatch.

9.8
2022-11-09 CVE-2022-25932 Inhandnetworks Unspecified vulnerability in Inhandnetworks Inrouter302 Firmware 3.5.37/3.5.4

The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474.

9.8
2022-11-09 CVE-2021-34569 Wago Out-of-bounds Write vulnerability in Wago products

In WAGO I/O-Check Service in multiple products an attacker can send a specially crafted packet containing OS commands to crash the diagnostic tool and write memory.

9.8
2022-11-09 CVE-2022-40797 Roxyfileman Unrestricted Upload of File with Dangerous Type vulnerability in Roxyfileman Roxy Fileman 1.4.6

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files.

9.8
2022-11-09 CVE-2022-45062 Xfce Argument Injection or Modification vulnerability in Xfce Xfce4-Settings 4.17.0

In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.

9.8
2022-11-08 CVE-2022-27510 Citrix Improper Authentication vulnerability in Citrix Application Delivery Controller Firmware and Gateway

Unauthorized access to Gateway user capabilities

9.8
2022-11-08 CVE-2022-27516 Citrix Improper Restriction of Excessive Authentication Attempts vulnerability in Citrix Application Delivery Controller Firmware and Gateway

User login brute force protection functionality bypass

9.8
2022-11-08 CVE-2022-34822 NEC Path Traversal vulnerability in NEC products

Path traversal vulnerability in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.

9.8
2022-11-08 CVE-2022-34823 NEC Classic Buffer Overflow vulnerability in NEC products

Buffer overflow vulnerability in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.

9.8
2022-11-08 CVE-2022-34824 NEC Incorrect Default Permissions vulnerability in NEC products

Weak File and Folder Permissions vulnerability in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.

9.8
2022-11-08 CVE-2022-34825 NEC Uncontrolled Search Path Element vulnerability in NEC products

Uncontrolled Search Path Element in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.

9.8
2022-11-08 CVE-2022-37015 Symantec Unspecified vulnerability in Symantec Endpoint Detection and Response

Symantec Endpoint Detection and Response (SEDR) Appliance, prior to 4.7.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

9.8
2022-11-08 CVE-2022-33321 Mitsubishielectric
Mitshubishielectric
Cleartext Transmission of Sensitive Information vulnerability in multiple products

Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer electronics products (PHOTOVOLTAIC COLOR MONITOR ECO-GUIDE, HEMS adapter, Wi-Fi Interface, Air Conditioning, Induction hob, Mitsubishi Electric HEMS Energy Measurement Unit, Refrigerator, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch, Ventilating Fan, Range hood fan, Energy Measurement Unit and Air Purifier) allows a remote unauthenticated attacker to disclose information in the products or cause a denial of service (DoS) condition as a result by sniffing credential information (username and password).

9.8
2022-11-08 CVE-2022-39377 Sysstat Project
Debian
Fedoraproject
Incorrect Calculation of Buffer Size vulnerability in multiple products

sysstat is a set of system performance tools for the Linux operating system.

9.8
2022-11-08 CVE-2022-27858 Activity LOG Project Injection vulnerability in Activity LOG Project Activity LOG

CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress.

9.8
2022-11-08 CVE-2022-44457 Mendix Authentication Bypass by Capture-replay vulnerability in Mendix Saml

A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML Module (Mendix 7 compatible) (All versions >= V1.17.0), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML Module (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML Module (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML Module (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML Module (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML Module (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4).

9.8
2022-11-08 CVE-2022-39352 Openfga Incorrect Authorization vulnerability in Openfga

OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar.

9.8
2022-11-08 CVE-2022-31199 Netwrix Deserialization of Untrusted Data vulnerability in Netwrix Auditor 9.7/9.8

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems.

9.8
2022-11-07 CVE-2022-3878 Maxonerp SQL Injection vulnerability in Maxonerp Maxon

A vulnerability classified as critical has been found in Maxon ERP.

9.8
2022-11-07 CVE-2022-43303 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Strings 0.1.0

The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-43304 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Timer 0.1.0

The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-43305 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Python 0.1.0

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-44048 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Urls 0.1.0

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-44049 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Python 0.1.0

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-44050 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Networking 0.1.0

The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-44051 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Stats 0.1.0

The d8s-stats for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-44052 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Dates 0.1.0

The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-44053 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Networking 0.1.0

The d8s-networking for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-44054 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Xml 0.1.0

The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

9.8
2022-11-07 CVE-2022-42920 Apache Out-of-bounds Write vulnerability in Apache Commons Bcel

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics.

9.8
2022-11-07 CVE-2022-3463 Fluentforms Improper Neutralization of Formula Elements in a CSV File vulnerability in Fluentforms Contact Form

The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection

9.8
2022-11-07 CVE-2022-3481 Opmc SQL Injection vulnerability in Opmc Woocommerce Dropshipping

The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection

9.8
2022-11-07 CVE-2022-44796 Objectfirst Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Objectfirst Object First 1.0.7.712

An issue was discovered in Object First 1.0.7.712.

9.8
2022-11-07 CVE-2022-44797 Btcd Project Unspecified vulnerability in Btcd Project Btcd

btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking.

9.8
2022-11-11 CVE-2022-26513 Intel Out-of-bounds Write vulnerability in Intel XMM 7560 Firmware

Out-of-bounds write in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

9.6
2022-11-09 CVE-2022-3890 Google
Debian
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in Crashpad in Google Chrome on Android prior to 107.0.5304.106 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

9.6
2022-11-08 CVE-2022-27513 Citrix Insufficient Verification of Data Authenticity vulnerability in Citrix Application Delivery Controller Firmware and Gateway

Remote desktop takeover via phishing

9.6
2022-11-10 CVE-2022-44727 Lineagrafica SQL Injection vulnerability in Lineagrafica EU Cookie LAW Gdpr

The EU Cookie Law GDPR (Banner + Blocker) module before 2.1.3 for PrestaShop allows SQL Injection via a cookie ( lgcookieslaw or __lglaw ).

9.1
2022-11-09 CVE-2022-39881 Samsung Out-of-bounds Read vulnerability in Samsung Exynos Firmware

Improper input validation vulnerability for processing SIB12 PDU in Exynos modems prior to SMR Sep-2022 Release allows remote attacker to read out of bounds memory.

9.1
2022-11-09 CVE-2021-34566 Wago Classic Buffer Overflow vulnerability in Wago products

In WAGO I/O-Check Service in multiple products an unauthenticated remote attacker can send a specially crafted packet containing OS commands to crash the iocheck process and write memory resulting in loss of integrity and DoS.

9.1
2022-11-08 CVE-2022-43958 Siemens Cleartext Storage of Sensitive Information vulnerability in Siemens QMS Automotive

A vulnerability has been identified in QMS Automotive (All versions).

9.1
2022-11-07 CVE-2022-37865 Apache Path Traversal vulnerability in Apache IVY 2.4.0/2.5.0

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging.

9.1
2022-11-07 CVE-2022-42905 Wolfssl Out-of-bounds Read vulnerability in Wolfssl

In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes.

9.1
2022-11-10 CVE-2022-3726 Gitlab Unspecified vulnerability in Gitlab

Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account.

9.0

224 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-11-13 CVE-2022-3976 MZ Automation Path Traversal vulnerability in Mz-Automation Libiec61850

A vulnerability has been found in MZ Automation libiec61850 up to 1.4 and classified as critical.

8.8
2022-11-13 CVE-2022-3974 Axiosys Heap-based Buffer Overflow vulnerability in Axiosys Bento4 20221008

A vulnerability classified as critical was found in Axiomatic Bento4.

8.8
2022-11-12 CVE-2022-40773 Zohocorp Incorrect Authorization vulnerability in Zohocorp products

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation.

8.8
2022-11-12 CVE-2022-45193 Bruhn Newtech Incorrect Permission Assignment for Critical Resource vulnerability in Bruhn-Newtech Cbrn-Analysis

CBRN-Analysis before 22 has weak file permissions under Public Profile, leading to disclosure of file contents or privilege escalation.

8.8
2022-11-11 CVE-2022-38387 IBM OS Command Injection vulnerability in IBM Cloud PAK for Security 1.10.0.0/1.10.2.0

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

8.8
2022-11-11 CVE-2022-26341 Intel Insufficiently Protected Credentials vulnerability in Intel products

Insufficiently protected credentials in software in Intel(R) AMT SDK before version 16.0.4.1, Intel(R) EMA before version 1.7.1 and Intel(R) MC before version 2.3.2 may allow an authenticated user to potentially enable escalation of privilege via network access.

8.8
2022-11-11 CVE-2022-29893 Intel Improper Authentication vulnerability in Intel Active Management Technology

Improper authentication in firmware for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow an authenticated user to potentially enable escalation of privilege via network access.

8.8
2022-11-11 CVE-2022-33942 Intel Unspecified vulnerability in Intel Data Center Manager 3.6.2

Protection mechanism failure in the Intel(R) DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

8.8
2022-11-11 CVE-2022-3944 ERP Project Unrestricted Upload of File with Dangerous Type vulnerability in ERP Project ERP

A vulnerability was found in jerryhanjj ERP.

8.8
2022-11-10 CVE-2022-39038 Flowring Improper Authentication vulnerability in Flowring Agentflow 4.0.0.1183.552

Agentflow BPM enterprise management system has improper authentication.

8.8
2022-11-10 CVE-2022-42787 WUT Use of Insufficiently Random Values vulnerability in WUT products

Multiple W&T products of the Comserver Series use a small number space for allocating sessions ids.

8.8
2022-11-09 CVE-2022-41047 Microsoft Unspecified vulnerability in Microsoft products

Microsoft ODBC Driver Remote Code Execution Vulnerability.

8.8
2022-11-09 CVE-2022-41048 Microsoft Unspecified vulnerability in Microsoft products

Microsoft ODBC Driver Remote Code Execution Vulnerability.

8.8
2022-11-09 CVE-2022-41062 Microsoft Unspecified vulnerability in Microsoft products

Microsoft SharePoint Server Remote Code Execution Vulnerability.

8.8
2022-11-09 CVE-2022-41085 Microsoft Unspecified vulnerability in Microsoft Azure Cyclecloud 7.0/8.0

Azure CycleCloud Elevation of Privilege Vulnerability.

8.8
2022-11-09 CVE-2022-41128 Microsoft Unspecified vulnerability in Microsoft products

Windows Scripting Languages Remote Code Execution Vulnerability.

8.8
2022-11-09 CVE-2022-43031 Dedecms Cross-Site Request Forgery (CSRF) vulnerability in Dedecms 6.1.9

DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords.

8.8
2022-11-09 CVE-2022-3445 Google Use After Free vulnerability in Google Chrome

Use after free in Skia in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-3446 Google Out-of-bounds Write vulnerability in Google Chrome

Heap buffer overflow in WebSQL in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-3448 Google Use After Free vulnerability in Google Chrome

Use after free in Permissions API in Google Chrome prior to 106.0.5249.119 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-3449 Google Use After Free vulnerability in Google Chrome

Use after free in Safe Browsing in Google Chrome prior to 106.0.5249.119 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

8.8
2022-11-09 CVE-2022-3450 Google Use After Free vulnerability in Google Chrome

Use after free in Peer Connection in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-28689 Inhandnetworks Unspecified vulnerability in Inhandnetworks Ir302 Firmware 3.5.45

A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45.

8.8
2022-11-09 CVE-2022-30543 Inhandnetworks Unspecified vulnerability in Inhandnetworks Ir302 Firmware 3.5.45

A leftover debug code vulnerability exists in the console infct functionality of InHand Networks InRouter302 V3.5.45.

8.8
2022-11-09 CVE-2022-3885 Google
Debian
Use After Free vulnerability in multiple products

Use after free in V8 in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-3886 Google
Debian
Use After Free vulnerability in multiple products

Use after free in Speech Recognition in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-3887 Google
Debian
Use After Free vulnerability in multiple products

Use after free in Web Workers in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-3888 Google
Debian
Use After Free vulnerability in multiple products

Use after free in WebCodecs in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-09 CVE-2022-3889 Google
Debian
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-08 CVE-2022-41203 SAP Deserialization of Untrusted Data vulnerability in SAP Businessobjects Business Intelligence 4.2/4.3

In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters and substitute with another malicious serialized object, which leads to deserialization of untrusted data vulnerability.

8.8
2022-11-08 CVE-2022-38137 Analytify Cross-Site Request Forgery (CSRF) vulnerability in Analytify - Google Analytics Dashboard

Cross-Site Request Forgery (CSRF) vulnerability in Analytify plugin <= 4.2.2 on WordPress.

8.8
2022-11-08 CVE-2022-41136 Getshortcodes Cross-Site Request Forgery (CSRF) vulnerability in Getshortcodes Shortcodes Ultimate

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress.

8.8
2022-11-08 CVE-2022-44741 Slidervilla Cross-Site Request Forgery (CSRF) vulnerability in Slidervilla Testimonial Slider

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) in David Anderson Testimonial Slider plugin <= 1.3.1 on WordPress.

8.8
2022-11-08 CVE-2022-41757 ARM Unspecified vulnerability in ARM Valhall GPU Kernel Driver

An issue was discovered in the Arm Mali GPU Kernel Driver.

8.8
2022-11-08 CVE-2022-43398 Siemens Session Fixation vulnerability in Siemens products

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50).

8.8
2022-11-08 CVE-2022-43439 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50).

8.8
2022-11-08 CVE-2022-43545 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50).

8.8
2022-11-08 CVE-2022-43546 Siemens Improper Input Validation vulnerability in Siemens products

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50).

8.8
2022-11-07 CVE-2022-43306 Democritus Unrestricted Upload of File with Dangerous Type vulnerability in Democritus D8S-Timer 0.1.0

The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party.

8.8
2022-11-07 CVE-2022-43318 Human Resource Management System Project SQL Injection vulnerability in Human Resource Management System Project Human Resource Management System 1.0

Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the stateedit parameter at /hrm/state.php.

8.8
2022-11-07 CVE-2022-3494 Really Simple Plugins SQL Injection vulnerability in Really-Simple-Plugins Complianz

The Complianz WordPress plugin before 6.3.4, and Complianz Premium WordPress plugin before 6.3.6 allow a translators to inject arbitrary SQL through an unsanitized translation.

8.8
2022-11-07 CVE-2022-3536 Addify Deserialization of Untrusted Data vulnerability in Addify Role Based Pricing for Woocommerce

The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog

8.8
2022-11-07 CVE-2022-3537 Addify Unrestricted Upload of File with Dangerous Type vulnerability in Addify Role Based Pricing for Woocommerce

The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP

8.8
2022-11-07 CVE-2022-44794 Objectfirst Unspecified vulnerability in Objectfirst Object First 1.0.7.712

An issue was discovered in Object First 1.0.7.712.

8.8
2022-11-11 CVE-2022-41906 Amazon Server-Side Request Forgery (SSRF) vulnerability in Amazon Opensearch Notifications

OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels.

8.7
2022-11-08 CVE-2022-41214 SAP Improper Input Validation vulnerability in SAP Netweaver Application Server Abap

Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted.

8.7
2022-11-10 CVE-2022-39393 Bytecodealliance Improper Cross-boundary Removal of Sensitive Data vulnerability in Bytecodealliance Wasmtime

Wasmtime is a standalone runtime for WebAssembly.

8.6
2022-11-07 CVE-2022-3872 Qemu Off-by-one Error vulnerability in Qemu

An off-by-one read/write issue was found in the SDHCI device of QEMU.

8.6
2022-11-11 CVE-2022-27639 Intel Unspecified vulnerability in Intel XMM 7560 Firmware

Incomplete cleanup in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via adjacent access.

8.4
2022-11-11 CVE-2022-26079 Intel Improper Check for Unusual or Exceptional Conditions vulnerability in Intel XMM 7560 Firmware

Improper conditions check in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via local access.

8.2
2022-11-11 CVE-2022-26367 Intel Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Intel XMM 7560 Firmware

Improper buffer restrictions in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via local access.

8.2
2022-11-11 CVE-2022-28126 Intel Improper Input Validation vulnerability in Intel XMM 7560 Firmware

Improper input validation in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via local access.

8.2
2022-11-10 CVE-2022-39368 Eclipse Incomplete Cleanup vulnerability in Eclipse Californium

Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services.

8.2
2022-11-09 CVE-2021-34567 Wago Out-of-bounds Read vulnerability in Wago products

In WAGO I/O-Check Service in multiple products an unauthenticated remote attacker can send a specially crafted packet containing OS commands to provoke a denial of service and an limited out-of-bounds read.

8.2
2022-11-13 CVE-2022-3964 Ffmpeg Out-of-bounds Read vulnerability in Ffmpeg

A vulnerability classified as problematic has been found in ffmpeg.

8.1
2022-11-13 CVE-2022-3965 Ffmpeg Out-of-bounds Read vulnerability in Ffmpeg

A vulnerability classified as problematic was found in ffmpeg.

8.1
2022-11-11 CVE-2022-26369 Intel Out-of-bounds Read vulnerability in Intel XMM 7560 Firmware

Out-of-bounds read in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via adjacent access.

8.1
2022-11-09 CVE-2022-37966 Microsoft Unspecified vulnerability in Microsoft products

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.

8.1
2022-11-09 CVE-2022-38023 Microsoft Unspecified vulnerability in Microsoft products

Netlogon RPC Elevation of Privilege Vulnerability.

8.1
2022-11-09 CVE-2022-39306 Grafana Improper Input Validation vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

8.1
2022-11-09 CVE-2022-41039 Microsoft Race Condition vulnerability in Microsoft products

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability.

8.1
2022-11-09 CVE-2022-41044 Microsoft Race Condition vulnerability in Microsoft Windows 7 and Windows Server 2008

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability.

8.1
2022-11-09 CVE-2022-41088 Microsoft Race Condition vulnerability in Microsoft products

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability.

8.1
2022-11-09 CVE-2022-29888 Inhandnetworks Unspecified vulnerability in Inhandnetworks Ir302 Firmware 3.5.45

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45.

8.1
2022-11-08 CVE-2022-39328 Grafana Race Condition vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

8.1
2022-11-08 CVE-2022-44311 Html2Xhtml Project Out-of-bounds Read vulnerability in Html2Xhtml Project Html2Xhtml 1.3

html2xhtml v1.3 was discovered to contain an Out-Of-Bounds read in the function static void elm_close(tree_node_t *nodo) at procesador.c.

8.1
2022-11-07 CVE-2022-3558 Codection Improper Neutralization of Formula Elements in a CSV File vulnerability in Codection Import and Export Users and Customers

The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.

8.0
2022-11-13 CVE-2022-3967 Vestacp Argument Injection or Modification vulnerability in Vestacp Control Panel

A vulnerability, which was classified as critical, was found in Vesta Control Panel.

7.8
2022-11-12 CVE-2022-45188 Netatalk Project Out-of-bounds Write vulnerability in Netatalk Project Netatalk

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file.

7.8
2022-11-12 CVE-2022-41339 Zohocorp Unspecified vulnerability in Zohocorp Manageengine Mobile Device Manager Plus 10.1.2207.4

In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.

7.8
2022-11-11 CVE-2022-41882 Nextcloud Code Injection vulnerability in Nextcloud Desktop 3.6.0

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer.

7.8
2022-11-11 CVE-2021-33064 Intel Uncontrolled Search Path Element vulnerability in Intel System Studio

Uncontrolled search path in the software installer for Intel(R) System Studio for all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-26024 Intel Unspecified vulnerability in Intel products

Improper access control in the Intel(R) NUC HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN before version 1.78.2.0.7 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-26124 Intel Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Intel products

Improper buffer restrictions in BIOS firmware for some Intel(R) NUC Boards, Intel(R) NUC 8 Boards, Intel(R) NUC 8 Rugged Boards and Intel(R) NUC 8 Rugged Kits before version CHAPLCEL.0059 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-27187 Intel Uncontrolled Search Path Element vulnerability in Intel Quartus Prime

Uncontrolled search path element in the Intel(R) Quartus Prime Standard edition software before version 21.1 Patch 0.02std may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-27638 Intel Uncontrolled Search Path Element vulnerability in Intel Advanced Link Analyzer

Uncontrolled search path element in the Intel(R) Advanced Link Analyzer Pro before version 22.2 and Standard edition software before version 22.1.1 STD may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-30297 Intel Cross-site Scripting vulnerability in Intel Endpoint Management Assistant

Cross-site scripting in the Intel(R) EMA software before version 1.8.0 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-30548 Intel Uncontrolled Search Path Element vulnerability in Intel Glorp 1.0.0

Uncontrolled search path element in the Intel(R) Glorp software may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-36370 Intel Improper Authentication vulnerability in Intel products

Improper authentication in BIOS firmware for some Intel(R) NUC Boards and Intel(R) NUC Kits before version MYi30060 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-36377 Intel Incorrect Default Permissions vulnerability in Intel NUC KIT Wireless Adapter Driver Installer

Incorrect default permissions in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-36400 Intel Path Traversal vulnerability in Intel NUC KIT Wireless Adapter Driver Installer

Path traversal in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-36789 Intel Unspecified vulnerability in Intel products

Improper access control in BIOS firmware for some Intel(R) NUC 10 Performance Kits and Intel(R) NUC 10 Performance Mini PCs before version FNCML357.0053 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-37334 Intel Improper Initialization vulnerability in Intel products

Improper initialization in BIOS firmware for some Intel(R) NUC 11 Pro Kits and Intel(R) NUC 11 Pro Boards before version TNTGL357.0064 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-37345 Intel Improper Authentication vulnerability in Intel products

Improper authentication in BIOS firmware[A1] for some Intel(R) NUC Kits before version RY0386 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-11-11 CVE-2022-38099 Intel Unspecified vulnerability in Intel products

Improper input validation in BIOS firmware for some Intel(R) NUC 11 Compute Elements before version EBTGL357.0065 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2022-11-09 CVE-2022-37992 Microsoft Unspecified vulnerability in Microsoft products

Windows Group Policy Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-39880 Google Improper Input Validation vulnerability in Google Android 11.0/12.0

Improper input validation vulnerability in DualOutFocusViewer prior to SMR Nov-2022 Release 1 allows local attacker to perform an arbitrary code execution.

7.8
2022-11-09 CVE-2022-39882 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

Heap overflow vulnerability in sflacf_fal_bytes_peek function in libsmat.so library prior to SMR Nov-2022 Release 1 allows local attacker to execute arbitrary code.

7.8
2022-11-09 CVE-2022-39883 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Android 10.0/11.0/12.0

Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows local attacker to call privileged API.

7.8
2022-11-09 CVE-2022-41045 Microsoft Race Condition vulnerability in Microsoft products

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41050 Microsoft Unspecified vulnerability in Microsoft products

Windows Extensible File Allocation Table Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41051 Microsoft Unspecified vulnerability in Microsoft Azure Rtos Guix Studio

Azure RTOS GUIX Studio Remote Code Execution Vulnerability.

7.8
2022-11-09 CVE-2022-41052 Microsoft Unspecified vulnerability in Microsoft products

Windows Graphics Component Remote Code Execution Vulnerability.

7.8
2022-11-09 CVE-2022-41054 Microsoft Unspecified vulnerability in Microsoft products

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41057 Microsoft Unspecified vulnerability in Microsoft products

Windows HTTP.sys Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41061 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Remote Code Execution Vulnerability.

7.8
2022-11-09 CVE-2022-41063 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability.

7.8
2022-11-09 CVE-2022-41073 Microsoft Unspecified vulnerability in Microsoft products

Windows Print Spooler Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41092 Microsoft Unspecified vulnerability in Microsoft Windows 10, Windows 11 and Windows Server 2022

Windows Win32k Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41093 Microsoft Race Condition vulnerability in Microsoft products

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41095 Microsoft Unspecified vulnerability in Microsoft products

Windows Digital Media Receiver Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41096 Microsoft Unspecified vulnerability in Microsoft products

Microsoft DWM Core Library Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41100 Microsoft Race Condition vulnerability in Microsoft products

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41101 Microsoft Unspecified vulnerability in Microsoft products

Windows Overlay Filter Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41102 Microsoft Unspecified vulnerability in Microsoft products

Windows Overlay Filter Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41104 Microsoft Unspecified vulnerability in Microsoft 365 Apps, Excel and Office

Microsoft Excel Security Feature Bypass Vulnerability.

7.8
2022-11-09 CVE-2022-41106 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Excel Remote Code Execution Vulnerability.

7.8
2022-11-09 CVE-2022-41107 Microsoft Unspecified vulnerability in Microsoft 365 Apps and Office

Microsoft Office Graphics Remote Code Execution Vulnerability.

7.8
2022-11-09 CVE-2022-41109 Microsoft Unspecified vulnerability in Microsoft products

Windows Win32k Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41113 Microsoft Unspecified vulnerability in Microsoft products

Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41119 Microsoft Unspecified vulnerability in Microsoft Visual Studio 2017

Visual Studio Remote Code Execution Vulnerability.

7.8
2022-11-09 CVE-2022-41120 Microsoft Unspecified vulnerability in Microsoft Windows Sysmon

Microsoft Windows Sysmon Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41123 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2016/2019

Microsoft Exchange Server Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2022-41125 Microsoft Unspecified vulnerability in Microsoft products

Windows CNG Key Isolation Service Elevation of Privilege Vulnerability.

7.8
2022-11-09 CVE-2020-12930 AMD Unspecified vulnerability in AMD products

Improper parameters handling in AMD Secure Processor (ASP) drivers may allow a privileged attacker to elevate their privileges potentially leading to loss of integrity.

7.8
2022-11-09 CVE-2020-12931 AMD Unspecified vulnerability in AMD products

Improper parameters handling in the AMD Secure Processor (ASP) kernel may allow a privileged attacker to elevate their privileges potentially leading to loss of integrity.

7.8
2022-11-09 CVE-2021-26360 AMD Incorrect Authorization vulnerability in AMD products

An attacker with local access to the system can make unauthorized modifications of the security configuration of the SOC registers.

7.8
2022-11-09 CVE-2021-26391 AMD Unspecified vulnerability in AMD products

Insufficient verification of multiple header signatures while loading a Trusted Application (TA) may allow an attacker with privileges to gain code execution in that TA or the OS/kernel.

7.8
2022-11-09 CVE-2021-26392 AMD Out-of-bounds Write vulnerability in AMD products

Insufficient verification of missing size check in 'LoadModule' may lead to an out-of-bounds write potentially allowing an attacker with privileges to gain code execution of the OS/kernel by loading a malicious TA.

7.8
2022-11-09 CVE-2022-43310 Foxitsoftware Uncontrolled Search Path Element vulnerability in Foxitsoftware Foxit Reader

An Uncontrolled Search Path Element in Foxit Software released Foxit Reader v11.2.118.51569 allows attackers to escalate privileges when searching for DLL libraries without specifying an absolute path.

7.8
2022-11-09 CVE-2022-32588 Accusoft Out-of-bounds Write vulnerability in Accusoft Imagegear 20.0

An out-of-bounds write vulnerability exists in the PICT parsing pctwread_14841 functionality of Accusoft ImageGear 20.0.

7.8
2022-11-09 CVE-2022-31253 Opensuse Untrusted Search Path vulnerability in Opensuse Openldap2

A Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root.

7.8
2022-11-08 CVE-2021-1050 Google Out-of-bounds Write vulnerability in Google Android

In MMU_UnmapPages of the PowerVR kernel driver, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-11-08 CVE-2021-39661 Google Out-of-bounds Write vulnerability in Google Android

In _PMRLogicalOffsetToPhysicalOffset of the PowerVR kernel driver, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-11-08 CVE-2022-20441 Google Unspecified vulnerability in Google Android

In navigateUpTo of Task.java, there is a possible way to launch an unexported intent handler due to a logic error in the code.

7.8
2022-11-08 CVE-2022-20450 Google Missing Authorization vulnerability in Google Android

In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check.

7.8
2022-11-08 CVE-2022-20451 Google Missing Authorization vulnerability in Google Android

In onCallRedirectionComplete of CallsManager.java, there is a possible permissions bypass due to a missing permission check.

7.8
2022-11-08 CVE-2022-20452 Google Unspecified vulnerability in Google Android 13.0

In initializeFromParcelLocked of BaseBundle.java, there is a possible method arbitrary code execution due to a confused deputy.

7.8
2022-11-08 CVE-2022-20462 Google Out-of-bounds Write vulnerability in Google Android

In phNxpNciHal_write_unlocked of phNxpNciHal.cc, there is a possible out of bounds write due to a missing bounds check.

7.8
2022-11-08 CVE-2022-41211 SAP Out-of-bounds Write vulnerability in SAP products

Due to lack of proper memory management, when a victim opens manipulated file received from untrusted sources in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer, Arbitrary Code Execution can be triggered when payload forces:Re-use of dangling pointer which refers to overwritten space in memory.

7.8
2022-11-08 CVE-2022-32601 Google Deserialization of Untrusted Data vulnerability in Google Android 10.0/11.0/12.0

In telephony, there is a possible permission bypass due to a parcel format mismatch.

7.8
2022-11-08 CVE-2022-39136 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V13.3 (All versions >= V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4).

7.8
2022-11-08 CVE-2022-39157 Siemens Out-of-bounds Read vulnerability in Siemens Parasolid 34.0.252/34.1.242/35.0.170

A vulnerability has been identified in Parasolid V34.0 (All versions < V34.0.252), Parasolid V34.0 (All versions >= V34.0.252 < V34.0.254), Parasolid V34.1 (All versions < V34.1.242), Parasolid V34.1 (All versions >= V34.1.242 < V34.1.244), Parasolid V35.0 (All versions < V35.0.170), Parasolid V35.0 (All versions >= V35.0.170 < V35.0.184).

7.8
2022-11-08 CVE-2022-41660 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4).

7.8
2022-11-08 CVE-2022-41661 Siemens Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4).

7.8
2022-11-08 CVE-2022-41662 Siemens Out-of-bounds Read vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4).

7.8
2022-11-08 CVE-2022-41663 Siemens Use After Free vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4).

7.8
2022-11-08 CVE-2022-41664 Siemens Out-of-bounds Write vulnerability in Siemens Jt2Go and Teamcenter Visualization

A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4).

7.8
2022-11-08 CVE-2022-43397 Siemens Out-of-bounds Write vulnerability in Siemens Parasolid

A vulnerability has been identified in Parasolid V34.0 (All versions < V34.0.252), Parasolid V34.1 (All versions < V34.1.242), Parasolid V35.0 (All versions < V35.0.170).

7.8
2022-11-08 CVE-2022-39343 Microsoft Integer Underflow (Wrap or Wraparound) vulnerability in Microsoft Azure Rtos Filex

Azure RTOS FileX is a FAT-compatible file system that’s fully integrated with Azure RTOS ThreadX.

7.8
2022-11-07 CVE-2022-43359 Gifdec Project Out-of-bounds Read vulnerability in Gifdec Project Gifdec

Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was discovered to contain an out-of-bounds read in the function read_image_data.

7.8
2022-11-07 CVE-2022-44747 Acronis Link Following vulnerability in Acronis Cyber Protect Home Office

Local privilege escalation due to improper soft link handling.

7.8
2022-11-07 CVE-2022-44732 Acronis Improper Privilege Management vulnerability in Acronis Cyber Protect Home Office

Local privilege escalation due to insecure folder permissions.

7.8
2022-11-07 CVE-2022-44733 Acronis Incorrect Permission Assignment for Critical Resource vulnerability in Acronis Cyber Protect Home Office

Local privilege escalation due to insecure folder permissions.

7.8
2022-11-07 CVE-2022-37710 Pattersondental Use of Hard-coded Credentials vulnerability in Pattersondental Eaglesoft 21.0

Patterson Dental Eaglesoft 21 has AES-256 encryption but there are two ways to obtain a keyfile: (1) keybackup.data > License > Encryption Key or (2) Eaglesoft.Server.Configuration.data > DbEncryptKeyPrimary > Encryption Key.

7.8
2022-11-07 CVE-2022-42919 Python Unspecified vulnerability in Python

Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege escalation in a non-default configuration.

7.8
2022-11-13 CVE-2022-3966 Ultimatemember Pathname Traversal and Equivalence Errors vulnerability in Ultimatemember Ultimate Member

A vulnerability, which was classified as critical, has been found in Ultimate Member Plugin up to 2.5.0.

7.5
2022-11-12 CVE-2022-45196 Hyperledger Resource Exhaustion vulnerability in Hyperledger Fabric 2.3

Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name.

7.5
2022-11-11 CVE-2022-26508 Intel Improper Authentication vulnerability in Intel Server Debug and Provisioning Tool

Improper authentication in the Intel(R) SDP Tool before version 3.0.0 may allow an unauthenticated user to potentially enable information disclosure via network access.

7.5
2022-11-11 CVE-2022-27233 Intel XML Injection (aka Blind XPath Injection) vulnerability in Intel Quartus Prime

XML injection in the Intel(R) Quartus Prime Pro and Standard edition software may allow an unauthenticated user to potentially enable information disclosure via network access.

7.5
2022-11-11 CVE-2022-27497 Intel NULL Pointer Dereference vulnerability in Intel Active Management Technology

Null pointer dereference in firmware for Intel(R) AMT before version 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow an unauthenticated user to potentially enable denial of service via network access.

7.5
2022-11-10 CVE-2022-41607 Etictelecom Path Traversal vulnerability in Etictelecom Remote Access Server

All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prior’s application programmable interface (API) is vulnerable to directory traversal through several different methods.

7.5
2022-11-10 CVE-2022-41719 Messagepack Project Unspecified vulnerability in Messagepack Project Messagepack

Unmarshal can panic on some inputs, possibly allowing for denial of service attacks.

7.5
2022-11-10 CVE-2021-40226 Glyphandcog Out-of-bounds Write vulnerability in Glyphandcog Xpdfreader 4.03

xpdfreader 4.03 is vulnerable to Buffer Overflow.

7.5
2022-11-10 CVE-2022-38122 Upspowercom Cleartext Transmission of Sensitive Information vulnerability in Upspowercom Upsmon PRO 2.57

UPSMON PRO transmits sensitive data in cleartext over HTTP protocol.

7.5
2022-11-10 CVE-2022-39037 Flowring Path Traversal vulnerability in Flowring Agentflow 4.0.0.1183.552

Agentflow BPM file download function has a path traversal vulnerability.

7.5
2022-11-10 CVE-2022-45129 Payara Files or Directories Accessible to External Parties vulnerability in Payara

Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422.

7.5
2022-11-09 CVE-2022-3285 Gitlab Unspecified vulnerability in Gitlab

Bypass of healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab

7.5
2022-11-09 CVE-2022-39890 Samsung Unspecified vulnerability in Samsung Billing

Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information.

7.5
2022-11-09 CVE-2022-39891 Samsung Out-of-bounds Write vulnerability in Samsung Editor Lite 4.0.40.14

Heap overflow vulnerability in parse_pce function in libsavsaudio.so in Editor Lite prior to version 4.0.41.3 allows attacker to get information.

7.5
2022-11-09 CVE-2022-41053 Microsoft Unspecified vulnerability in Microsoft products

Windows Kerberos Denial of Service Vulnerability.

7.5
2022-11-09 CVE-2022-41056 Microsoft Unspecified vulnerability in Microsoft products

Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability.

7.5
2022-11-09 CVE-2022-41058 Microsoft Unspecified vulnerability in Microsoft products

Windows Network Address Translation (NAT) Denial of Service Vulnerability.

7.5
2022-11-09 CVE-2022-41078 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Spoofing Vulnerability.

7.5
2022-11-09 CVE-2022-41079 Microsoft Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019

Microsoft Exchange Server Spoofing Vulnerability.

7.5
2022-11-09 CVE-2022-41118 Microsoft Race Condition vulnerability in Microsoft products

Windows Scripting Languages Remote Code Execution Vulnerability.

7.5
2022-11-09 CVE-2021-46852 Huawei Missing Authentication for Critical Function vulnerability in Huawei Emui and Harmonyos

The memory management module has the logic bypass vulnerability.

7.5
2022-11-09 CVE-2022-23831 AMD Unspecified vulnerability in AMD Uprof 3.4.494/3.4.502

Insufficient validation of the IOCTL input buffer in AMD ?Prof may allow an attacker to send an arbitrary buffer leading to a potential Windows kernel crash resulting in denial of service.

7.5
2022-11-09 CVE-2022-27673 AMD Unspecified vulnerability in AMD Link

Insufficient access controls in the AMD Link Android app may potentially result in information disclosure.

7.5
2022-11-09 CVE-2022-27674 AMD Unspecified vulnerability in AMD Uprof 3.4.494/3.4.502

Insufficient validation in the IOCTL input/output buffer in AMD ?Prof may allow an attacker to bypass bounds checks potentially leading to a Windows kernel crash resulting in denial of service.

7.5
2022-11-09 CVE-2022-44546 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The kernel module has the vulnerability that the mapping is not cleared after the memory is automatically released.

7.5
2022-11-09 CVE-2022-44547 Huawei Use After Free vulnerability in Huawei Emui and Harmonyos

The Display Service module has a UAF vulnerability.

7.5
2022-11-09 CVE-2022-44549 Huawei Exposure of Resource to Wrong Sphere vulnerability in Huawei Emui and Harmonyos

The LBS module has a vulnerability in geofencing API access.

7.5
2022-11-09 CVE-2022-44550 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The graphics display module has a UAF vulnerability when traversing graphic layers.

7.5
2022-11-09 CVE-2022-44552 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The lock screen module has defects introduced in the design process.

7.5
2022-11-09 CVE-2022-44554 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The power module has a vulnerability in permission verification.

7.5
2022-11-09 CVE-2022-44555 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The DDMP/ODMF module has a service hijacking vulnerability.

7.5
2022-11-09 CVE-2022-44557 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The SmartTrimProcessEvent module has a vulnerability of obtaining the read and write permissions on arbitrary system files.

7.5
2022-11-09 CVE-2022-44561 Huawei Incorrect Default Permissions vulnerability in Huawei Emui and Harmonyos

The preset launcher module has a permission verification vulnerability.

7.5
2022-11-09 CVE-2022-42964 Pymatgen Unspecified vulnerability in Pymatgen

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method

7.5
2022-11-09 CVE-2022-42965 Snowflake Unspecified vulnerability in Snowflake Snowflake-Connector-Python

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package, when an attacker is able to supply arbitrary input to the undocumented get_file_transfer_type method

7.5
2022-11-09 CVE-2022-42966 Python Poetry Unspecified vulnerability in Python-Poetry Cleo

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method

7.5
2022-11-09 CVE-2021-34579 Phoenixcontact Unspecified vulnerability in Phoenixcontact FL Mguard DM 1.12.0/1.13.0

In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”).

7.5
2022-11-09 CVE-2021-34568 Wago Allocation of Resources Without Limits or Throttling vulnerability in Wago products

In WAGO I/O-Check Service in multiple products an unauthenticated remote attacker can send a specially crafted packet containing OS commands to provoke a denial of service.

7.5
2022-11-09 CVE-2022-45061 Python
Fedoraproject
Resource Exhaustion vulnerability in multiple products

An issue was discovered in Python before 3.11.1.

7.5
2022-11-09 CVE-2022-45059 Varnish Cache Project
Fedoraproject
HTTP Request Smuggling vulnerability in multiple products

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1.

7.5
2022-11-09 CVE-2022-45060 Varnish Software
Varnish Cache Project
Fedoraproject
Debian
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1.
7.5
2022-11-08 CVE-2022-20445 Google Out-of-bounds Read vulnerability in Google Android

In process_service_search_rsp of sdp_discovery.cc, there is a possible out of bounds read due to improper input validation.

7.5
2022-11-08 CVE-2022-39386 Fastify Unspecified vulnerability in Fastify Websocket

@fastify/websocket provides WebSocket support for Fastify.

7.5
2022-11-08 CVE-2022-26446 Mediatek Reachable Assertion vulnerability in Mediatek products

In Modem 4G RRC, there is a possible system crash due to improper input validation.

7.5
2022-11-08 CVE-2022-44556 Huawei Improper Input Validation vulnerability in Huawei Emui 12.0.0

Missing parameter type validation in the DRM module.

7.5
2022-11-08 CVE-2022-43343 N Prolog Project Classic Buffer Overflow vulnerability in N-Prolog Project N-Prolog 1.91

N-Prolog v1.91 was discovered to contain a global buffer overflow vulnerability in the function gettoken() at Main.c.

7.5
2022-11-07 CVE-2022-43319 Simple E Learning System Project Unspecified vulnerability in Simple E-Learning System Project Simple E-Learning System 1.0

An information disclosure vulnerability in the component vcs/downloadFiles.php?download=./search.php of Simple E-Learning System v1.0 allows attackers to read arbitrary files.

7.5
2022-11-07 CVE-2022-37866 Apache Path Traversal vulnerability in Apache IVY

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version.

7.5
2022-11-07 CVE-2022-42955 Passwork Cleartext Storage of Sensitive Information vulnerability in Passwork 5.0.9

The PassWork extension 5.0.9 for Chrome and other browsers allows an attacker to obtain cleartext cached credentials.

7.5
2022-11-07 CVE-2022-42956 Passwork Cleartext Storage of Sensitive Information vulnerability in Passwork 5.0.9

The PassWork extension 5.0.9 for Chrome and other browsers allows an attacker to obtain the cleartext master password.

7.5
2022-11-07 CVE-2020-12509 Badgermeter Path Traversal vulnerability in Badgermeter Moni::Tool

In s::can moni::tools in versions below 4.2 an unauthenticated attacker could get any file from the device by path traversal in the camera-file module.

7.5
2022-11-10 CVE-2022-39392 Bytecodealliance Out-of-bounds Write vulnerability in Bytecodealliance Wasmtime

Wasmtime is a standalone runtime for WebAssembly.

7.4
2022-11-11 CVE-2022-26028 Intel Uncontrolled Search Path Element vulnerability in Intel Vtune Profiler

Uncontrolled search path in the Intel(R) VTune(TM) Profiler software before version 2022.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.3
2022-11-11 CVE-2022-26086 Intel Uncontrolled Search Path Element vulnerability in Intel Gametechdev Presentmon

Uncontrolled search path element in the PresentMon software maintained by Intel(R) before version 1.7.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.3
2022-11-11 CVE-2022-36380 Intel Uncontrolled Search Path Element vulnerability in Intel NUC KIT Wireless Adapter Driver Installer

Uncontrolled search path in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.3
2022-11-11 CVE-2022-36384 Intel Unquoted Search Path or Element vulnerability in Intel NUC KIT Wireless Adapter Driver Installer

Unquoted search path in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.3
2022-11-07 CVE-2022-44744 Acronis Uncontrolled Search Path Element vulnerability in Acronis Cyber Protect Home Office

Local privilege escalation due to DLL hijacking vulnerability.

7.3
2022-11-11 CVE-2022-26045 Intel Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Intel XMM 7560 Firmware

Improper buffer restrictions in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via physical access.

7.2
2022-11-11 CVE-2022-27874 Intel Improper Authentication vulnerability in Intel XMM 7560 Firmware

Improper authentication in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via physical access.

7.2
2022-11-11 CVE-2022-28611 Intel Improper Input Validation vulnerability in Intel XMM 7560 Firmware

Improper input validation in some Intel(R) XMM(TM) 7560 Modem software before version M2_7560_R_01.2146.00 may allow a privileged user to potentially enable escalation of privilege via physical access.

7.2
2022-11-09 CVE-2022-37967 Microsoft Unspecified vulnerability in Microsoft products

Windows Kerberos Elevation of Privilege Vulnerability.

7.2
2022-11-09 CVE-2022-43277 Canteen Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Canteen Management System Project Canteen Management System 1.0

Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via ip/youthappam/php_action/editFile.php.

7.2
2022-11-09 CVE-2022-43278 Canteen Management System Project SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the categoriesId parameter at /php_action/fetchSelectedCategories.php.

7.2
2022-11-09 CVE-2022-43290 Canteen Management System Project SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editcategory.php.

7.2
2022-11-09 CVE-2022-43291 Canteen Management System Project SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editclient.php.

7.2
2022-11-09 CVE-2022-43292 Canteen Management System Project SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editfood.php.

7.2
2022-11-07 CVE-2022-43049 Canteen Management System Project SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0

Canteen Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the component /youthappam/add-food.php.

7.2
2022-11-07 CVE-2022-43050 Online Tours AND Travels Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Tours and Travels Management System Project Online Tours and Travels Management System 1.0

Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component update_profile.php.

7.2
2022-11-07 CVE-2022-43051 Online Diagnostic LAB Management System Project SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/classes/Users.php?f=delete_test.

7.2
2022-11-07 CVE-2022-43052 Online Diagnostic LAB Management System Project SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/classes/Users.php?f=delete.

7.2
2022-11-07 CVE-2022-42990 Food Ordering Management System Project SQL Injection vulnerability in Food Ordering Management System Project Food Ordering Management System 1.0

Food Ordering Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /foms/all-orders.php?status=Cancelled%20by%20Customer.

7.2
2022-11-07 CVE-2022-43350 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_inquiry.

7.2
2022-11-07 CVE-2022-43352 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-sms/classes/Master.php?f=delete_quote.

7.2
2022-11-07 CVE-2022-2711 Soflyy Path Traversal vulnerability in Soflyy WP ALL Import

The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.

7.2
2022-11-07 CVE-2022-3418 Soflyy Code Injection vulnerability in Soflyy WP ALL Import

The Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files

7.2
2022-11-11 CVE-2022-3952 Manydesigns Exposure of Resource to Wrong Sphere vulnerability in Manydesigns Portofino 5.3.2

A vulnerability has been found in ManyDesigns Portofino 5.3.2 and classified as problematic.

7.1
2022-11-09 CVE-2022-38014 Microsoft Race Condition vulnerability in Microsoft products

Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability.

7.0
2022-11-09 CVE-2022-41114 Microsoft Race Condition vulnerability in Microsoft Windows 10, Windows 11 and Windows Server 2022

Windows Bind Filter Driver Elevation of Privilege Vulnerability.

7.0

197 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-11-08 CVE-2022-32617 Google Incorrect Calculation of Buffer Size vulnerability in Google Android 11.0/12.0/13.0

In typec, there is a possible out of bounds write due to an incorrect calculation of buffer size.

6.8
2022-11-08 CVE-2022-32618 Google Incorrect Calculation of Buffer Size vulnerability in Google Android 11.0/12.0/13.0

In typec, there is a possible out of bounds write due to an incorrect calculation of buffer size.

6.8
2022-11-11 CVE-2021-33159 Intel Improper Authentication vulnerability in Intel Active Management Technology

Improper authentication in subsystem for Intel(R) AMT before versions 11.8.93, 11.22.93, 11.12.93, 12.0.92, 14.1.67, 15.0.42, 16.1.25 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-11 CVE-2021-33164 Intel Unspecified vulnerability in Intel products

Improper access control in BIOS firmware for some Intel(R) NUCs before version INWHL357.0046 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-11 CVE-2022-21794 Intel Improper Authentication vulnerability in Intel products

Improper authentication in BIOS firmware for some Intel(R) NUC Boards, Intel(R) NUC Business, Intel(R) NUC Enthusiast, Intel(R) NUC Kits before version HN0067 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-11 CVE-2022-26006 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-11 CVE-2022-30542 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in the firmware for some Intel(R) Server Board S2600WF, Intel(R) Server System R1000WF and Intel(R) Server System R2000WF families before version R02.01.0014 may allow a privileged user to potentially enable an escalation of privilege via local access.

6.7
2022-11-11 CVE-2022-32569 Intel Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Intel products

Improper buffer restrictions in BIOS firmware for some Intel(R) NUC M15 Laptop Kits before version BCTGL357.0074 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-11 CVE-2022-33176 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in BIOS firmware for some Intel(R) NUC 11 Performance kits and Intel(R) NUC 11 Performance Mini PCs before version PATGL357.0042 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-11 CVE-2022-34152 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in BIOS firmware for some Intel(R) NUC Boards, Intel(R) NUC Kits before version TY0070 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-11 CVE-2022-35276 Intel Unspecified vulnerability in Intel products

Improper access control in BIOS firmware for some Intel(R) NUC 8 Compute Elements before version CBWHL357.0096 may allow a privileged user to potentially enable escalation of privilege via local access.

6.7
2022-11-10 CVE-2021-0185 Intel Improper Input Validation vulnerability in Intel M10Jnp2Sb Firmware 7.209/7.210

Improper input validation in the firmware for some Intel(R) Server Board M10JNP Family before version 7.216 may allow a privileged user to potentially enable an escalation of privilege via local access.

6.7
2022-11-09 CVE-2022-0031 Paloaltonetworks Insufficient Verification of Data Authenticity vulnerability in Paloaltonetworks Cortex Xsoar 6.5.0/6.6.0/6.8.0

A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges.

6.7
2022-11-08 CVE-2022-20454 Google Integer Overflow or Wraparound vulnerability in Google Android

In fdt_next_tag of fdt.c, there is a possible out of bounds write due to an integer overflow.

6.7
2022-11-08 CVE-2022-21778 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In vpu, there is a possible information disclosure due to an incorrect bounds check.

6.7
2022-11-08 CVE-2022-32603 Google Improper Input Validation vulnerability in Google Android 12.0

In gpu drm, there is a possible out of bounds write due to improper input validation.

6.7
2022-11-08 CVE-2022-32605 Google Out-of-bounds Write vulnerability in Google Android 12.0

In isp, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-11-08 CVE-2022-32607 Google Use After Free vulnerability in Google Android 11.0/12.0

In aee, there is a possible use after free due to a missing bounds check.

6.7
2022-11-08 CVE-2022-32611 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In isp, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-11-08 CVE-2022-32614 Google Double Free vulnerability in Google Android 12.0

In audio, there is a possible memory corruption due to a logic error.

6.7
2022-11-08 CVE-2022-32615 Google Improper Input Validation vulnerability in Google Android 12.0

In ccd, there is a possible out of bounds write due to uninitialized data.

6.7
2022-11-08 CVE-2022-32616 Google Improper Input Validation vulnerability in Google Android 12.0

In isp, there is a possible out of bounds write due to uninitialized data.

6.7
2022-11-09 CVE-2022-44244 LIN CMS Project Improper Authentication vulnerability in Lin-Cms Project Lin-Cms 0.2.1

An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalate privileges to Super Administrator.

6.6
2022-11-11 CVE-2022-31772 IBM Improper Input Validation vulnerability in IBM MQ

IBM MQ 8.0, 9.0 LTS, 9.1 CD, 9.1 LTS, 9.2 CD, and 9.2 LTS could allow an authenticated and authorized user to cause a denial of service to the MQTT channels.

6.5
2022-11-11 CVE-2022-41904 Element Unspecified vulnerability in Element

Element iOS is an iOS Matrix client provided by Element.

6.5
2022-11-11 CVE-2021-26251 Intel Improper Input Validation vulnerability in Intel Openvino 2018

Improper input validation in the Intel(R) Distribution of OpenVINO(TM) Toolkit may allow an authenticated user to potentially enable denial of service via network access.

6.5
2022-11-11 CVE-2022-26047 Intel Improper Input Validation vulnerability in Intel products

Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow unauthenticated user to potentially enable denial of service via local access.

6.5
2022-11-11 CVE-2022-28667 Intel Out-of-bounds Write vulnerability in Intel products

Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software before version 22.140 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

6.5
2022-11-11 CVE-2022-3957 Gpac Memory Leak vulnerability in Gpac

A vulnerability classified as problematic was found in GPAC.

6.5
2022-11-11 CVE-2022-3953 Exiv2 Infinite Loop vulnerability in Exiv2

A vulnerability was found in Exiv2.

6.5
2022-11-11 CVE-2022-41854 Snakeyaml Project Out-of-bounds Write vulnerability in Snakeyaml Project Snakeyaml

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS).

6.5
2022-11-10 CVE-2022-38120 Upspowercom Path Traversal vulnerability in Upspowercom Upsmon PRO 2.57

UPSMON PRO’s has a path traversal vulnerability.

6.5
2022-11-10 CVE-2022-38121 Upspowercom Insufficiently Protected Credentials vulnerability in Upspowercom Upsmon PRO 2.57

UPSMON PRO configuration file stores user password in plaintext under public user directory.

6.5
2022-11-10 CVE-2022-45130 Plesk Cross-Site Request Forgery (CSRF) vulnerability in Plesk Obsidian

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password.

6.5
2022-11-09 CVE-2022-38015 Microsoft Unspecified vulnerability in Microsoft products

Windows Hyper-V Denial of Service Vulnerability.

6.5
2022-11-09 CVE-2022-41097 Microsoft Unspecified vulnerability in Microsoft products

Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability.

6.5
2022-11-09 CVE-2022-41098 Microsoft Unspecified vulnerability in Microsoft products

Windows GDI+ Information Disclosure Vulnerability.

6.5
2022-11-09 CVE-2022-41122 Microsoft Unspecified vulnerability in Microsoft products

Microsoft SharePoint Server Spoofing Vulnerability.

6.5
2022-11-09 CVE-2022-26023 Inhandnetworks Unspecified vulnerability in Inhandnetworks Ir302 Firmware 3.5.45

A leftover debug code vulnerability exists in the console verify functionality of InHand Networks InRouter302 V3.5.45.

6.5
2022-11-09 CVE-2022-29481 Inhandnetworks Unspecified vulnerability in Inhandnetworks Ir302 Firmware 3.5.45

A leftover debug code vulnerability exists in the console nvram functionality of InHand Networks InRouter302 V3.5.45.

6.5
2022-11-09 CVE-2021-34577 Kadenvodomery Use of Hard-coded Credentials vulnerability in Kadenvodomery Picoflux AIR Firmware

In the Kaden PICOFLUX AiR water meter an adversary can read the values through wireless M-Bus mode 5 with a hardcoded shared key while being adjacent to the device.

6.5
2022-11-09 CVE-2022-41978 Zohocorp Unspecified vulnerability in Zohocorp Zoho CRM Lead Magnet

Auth.

6.5
2022-11-08 CVE-2022-20447 Google Use After Free vulnerability in Google Android 13.0

In PAN_WriteBuf of pan_api.cc, there is a possible out of bounds read due to a use after free.

6.5
2022-11-08 CVE-2022-41258 SAP Cross-site Scripting vulnerability in SAP Financial Consolidation 1010

Due to insufficient input validation, SAP Financial Consolidation - version 1010, allows an authenticated attacker to inject malicious script when running a common query in the Web Administration Console.

6.5
2022-11-08 CVE-2022-41259 SAP Unspecified vulnerability in SAP SQL Anywhere 17.0

SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use an ARRAY constructor.

6.5
2022-11-08 CVE-2022-40128 Algolplus Cross-Site Request Forgery (CSRF) vulnerability in Algolplus Advanced Order Export

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.

6.5
2022-11-08 CVE-2022-42494 Aioseo Server-Side Request Forgery (SSRF) vulnerability in Aioseo ALL in ONE SEO

Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.

6.5
2022-11-07 CVE-2022-38164 F Secure Unspecified vulnerability in F-Secure Safe

WithSecure through 2022-08-10 allows attackers to cause a denial of service (issue 3 of 5).

6.5
2022-11-07 CVE-2022-43351 Sanitization Management System Project Unspecified vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /classes/Master.php?f=delete_img.

6.5
2022-11-07 CVE-2022-44795 Objectfirst Use of Insufficiently Random Values vulnerability in Objectfirst Object First 1.0.7.712

An issue was discovered in Object First 1.0.7.712.

6.5
2022-11-07 CVE-2022-44792 NET Snmp NULL Pointer Dereference vulnerability in Net-Snmp

handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

6.5
2022-11-07 CVE-2022-44793 NET Snmp NULL Pointer Dereference vulnerability in Net-Snmp

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

6.5
2022-11-11 CVE-2022-21198 Intel Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Intel products

Time-of-check time-of-use race condition in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

6.4
2022-11-09 CVE-2022-41086 Microsoft Race Condition vulnerability in Microsoft products

Windows Group Policy Elevation of Privilege Vulnerability.

6.4
2022-11-08 CVE-2022-32608 Google Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Android 12.0

In jpeg, there is a possible use after free due to a race condition.

6.4
2022-11-08 CVE-2022-32609 Google Improper Synchronization vulnerability in Google Android 11.0/12.0/13.0

In vcu, there is a possible use after free due to a race condition.

6.4
2022-11-08 CVE-2022-32610 Google Improper Synchronization vulnerability in Google Android 11.0/12.0/13.0

In vcu, there is a possible use after free due to a race condition.

6.4
2022-11-08 CVE-2022-32612 Google Improper Synchronization vulnerability in Google Android 11.0/12.0/13.0

In vcu, there is a possible use after free due to a race condition.

6.4
2022-11-08 CVE-2022-32613 Google Improper Synchronization vulnerability in Google Android 11.0/12.0/13.0

In vcu, there is a possible memory corruption due to a race condition.

6.4
2022-11-13 CVE-2022-3975 Nukeviet Improper Enforcement of Message or Data Structure vulnerability in Nukeviet

A vulnerability, which was classified as problematic, has been found in NukeViet CMS.

6.1
2022-11-13 CVE-2022-3968 Emlog Cross-site Scripting vulnerability in Emlog

A vulnerability has been found in emlog and classified as problematic.

6.1
2022-11-11 CVE-2022-41905 Wsgidav Project Cross-site Scripting vulnerability in Wsgidav Project Wsgidav

WsgiDAV is a generic and extendable WebDAV server based on WSGI.

6.1
2022-11-11 CVE-2022-3950 Publiccms Cross-site Scripting vulnerability in Publiccms

A vulnerability, which was classified as problematic, was found in sanluan PublicCMS.

6.1
2022-11-11 CVE-2022-3949 Simple Cashiering System Project Cross-site Scripting vulnerability in Simple Cashiering System Project Simple Cashiering System 1.0

A vulnerability, which was classified as problematic, has been found in Sourcecodester Simple Cashiering System.

6.1
2022-11-11 CVE-2022-3942 Sanitization Management System Project Cross-site Scripting vulnerability in Sanitization Management System Project Sanitization Management System

A vulnerability was found in SourceCodester Sanitization Management System and classified as problematic.

6.1
2022-11-10 CVE-2022-35740 Dotcms Cross-site Scripting vulnerability in Dotcms

dotCMS before 22.06 allows remote attackers to bypass intended access control and obtain sensitive information by using a semicolon in a URL to introduce a matrix parameter.

6.1
2022-11-10 CVE-2021-40289 MM WKI Project Cross-site Scripting vulnerability in Mm-Wki Project Mm-Wki 0.2.1

mm-wki v0.2.1 is vulnerable to Cross Site Scripting (XSS).

6.1
2022-11-10 CVE-2022-39398 Infotel Cross-site Scripting vulnerability in Infotel Tasklists

tasklists is a tasklists plugin for GLPI (Kanban).

6.1
2022-11-09 CVE-2022-3280 Gitlab Open Redirect vulnerability in Gitlab

An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content.

6.1
2022-11-09 CVE-2022-3486 Gitlab Open Redirect vulnerability in Gitlab

An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to redirect users to an arbitrary location if they trust the URL.

6.1
2022-11-09 CVE-2022-31688 Vmware Cross-site Scripting vulnerability in VMWare Workspace ONE Assist

VMware Workspace ONE Assist prior to 22.10 contains a Reflected cross-site scripting (XSS) vulnerability.

6.1
2022-11-09 CVE-2022-43118 Flatcore Cross-site Scripting vulnerability in Flatcore Flatcore-Cms 2.1.0

A cross-site scripting (XSS) vulnerability in flatCore-CMS v2.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username text field.

6.1
2022-11-09 CVE-2022-43119 Csphere Cross-site Scripting vulnerability in Csphere Clansphere 2011.4

A cross-site scripting (XSS) vulnerability in Clansphere CMS v2011.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username parameter.

6.1
2022-11-09 CVE-2022-43120 Intelliants Cross-site Scripting vulnerability in Intelliants Subrion CMS 4.2.1

A cross-site scripting (XSS) vulnerability in the /panel/fields/add component of Intelliants Subrion CMS v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field default value text field.

6.1
2022-11-09 CVE-2022-43121 Intelliants Cross-site Scripting vulnerability in Intelliants Subrion CMS 4.2.1

A cross-site scripting (XSS) vulnerability in the CMS Field Add page of Intelliants Subrion CMS v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tooltip text field.

6.1
2022-11-09 CVE-2022-43320 Feehi Cross-site Scripting vulnerability in Feehi Feehicms 2.1.1

FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer.

6.1
2022-11-09 CVE-2022-43321 Shopwind Cross-site Scripting vulnerability in Shopwind 3.4.3

Shopwind v3.4.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the component /common/library/Page.php.

6.1
2022-11-08 CVE-2022-41205 SAP Code Injection vulnerability in SAP GUI 7.70

SAP GUI allows an authenticated attacker to execute scripts in the local network.

6.1
2022-11-08 CVE-2022-41207 SAP Open Redirect vulnerability in SAP Biller Direct 635/750

SAP Biller Direct allows an unauthenticated attacker to craft a legitimate looking URL.

6.1
2022-11-08 CVE-2022-41260 SAP Cross-site Scripting vulnerability in SAP Financial Consolidation 1010

SAP Financial Consolidation - version 1010, does not sufficiently encode user-controlled input which may allow an unauthenticated attacker to inject a web script via a GET request.

6.1
2022-11-08 CVE-2022-33322 Mitsubishielectric Cross-site Scripting vulnerability in Mitsubishielectric products

Cross-site scripting vulnerability in Mitsubishi Electric consumer electronics products (Air Conditioning, Wi-Fi Interface, Refrigerator, HEMS adapter, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch and Air Purifier) allows a remote unauthenticated attacker to execute an malicious script on a user's browser to disclose information, etc.

6.1
2022-11-08 CVE-2022-27914 Joomla Cross-site Scripting vulnerability in Joomla Joomla! 4.0.0/4.2.0

An issue was discovered in Joomla! 4.0.0 through 4.2.4.

6.1
2022-11-08 CVE-2022-36077 Electronjs Insufficiently Protected Credentials vulnerability in Electronjs Electron

The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS.

6.1
2022-11-08 CVE-2022-41434 Eyesofnetwork Cross-site Scripting vulnerability in Eyesofnetwork web Interface 5.3

EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php.

6.1
2022-11-07 CVE-2022-43317 Human Resource Management System Project Cross-site Scripting vulnerability in Human Resource Management System Project Human Resource Management System 1.0

A cross-site scripting (XSS) vulnerability in /hrm/index.php?msg of Human Resource Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

6.1
2022-11-07 CVE-2022-3873 Diagrams Cross-site Scripting vulnerability in Diagrams Drawio

Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.

6.1
2022-11-09 CVE-2022-41090 Microsoft Race Condition vulnerability in Microsoft products

Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability.

5.9
2022-11-09 CVE-2022-41116 Microsoft Race Condition vulnerability in Microsoft Windows 7 and Windows Server 2008

Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability.

5.9
2022-11-09 CVE-2022-44563 Huawei Race Condition vulnerability in Huawei Emui and Harmonyos

There is a race condition vulnerability in SD upgrade mode.

5.9
2022-11-09 CVE-2022-41064 Microsoft Unspecified vulnerability in Microsoft .Net Framework and Nuget

.NET Framework Information Disclosure Vulnerability.

5.8
2022-11-13 CVE-2022-3971 Matrix Improper Enforcement of Message or Data Structure vulnerability in Matrix IRC Bridge

A vulnerability was found in matrix-appservice-irc up to 0.35.1.

5.6
2022-11-13 CVE-2022-3969 Openkm Insecure Temporary File vulnerability in Openkm

A vulnerability was found in OpenKM up to 6.3.11 and classified as problematic.

5.5
2022-11-11 CVE-2022-29466 Intel Improper Input Validation vulnerability in Intel Server Platform Services Firmware

Improper input validation in firmware for Intel(R) SPS before version SPS_E3_04.01.04.700.0 may allow an authenticated user to potentially enable denial of service via local access.

5.5
2022-11-11 CVE-2022-29515 Intel Memory Leak vulnerability in Intel Server Platform Services Firmware

Missing release of memory after effective lifetime in firmware for Intel(R) SPS before versions SPS_E3_06.00.03.035.0 may allow a privileged user to potentially enable denial of service via local access.

5.5
2022-11-11 CVE-2022-30691 Intel Resource Exhaustion vulnerability in Intel Support 21.7.40

Uncontrolled resource consumption in the Intel(R) Support Android application before version 22.02.28 may allow an authenticated user to potentially enable denial of service via local access.

5.5
2022-11-11 CVE-2022-36349 Intel Insecure Default Initialization of Resource vulnerability in Intel products

Insecure default variable initialization in BIOS firmware for some Intel(R) NUC Boards and Intel(R) NUC Kits before version MYi30060 may allow an authenticated user to potentially enable denial of service via local access.

5.5
2022-11-10 CVE-2022-34666 Nvidia NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.

5.5
2022-11-09 CVE-2022-41055 Microsoft Unspecified vulnerability in Microsoft products

Windows Human Interface Device Information Disclosure Vulnerability.

5.5
2022-11-09 CVE-2022-41060 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Information Disclosure Vulnerability.

5.5
2022-11-09 CVE-2022-41103 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Word Information Disclosure Vulnerability.

5.5
2022-11-09 CVE-2022-41105 Microsoft Unspecified vulnerability in Microsoft 365 Apps and Office

Microsoft Excel Information Disclosure Vulnerability.

5.5
2022-11-09 CVE-2021-26393 AMD Memory Leak vulnerability in AMD products

Insufficient memory cleanup in the AMD Secure Processor (ASP) Trusted Execution Environment (TEE) may allow an authenticated attacker with privileges to generate a valid signed TA and potentially poison the contents of the process memory with attacker controlled data resulting in a loss of confidentiality.

5.5
2022-11-09 CVE-2022-23824 XEN
AMD
Fedoraproject
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.
5.5
2022-11-08 CVE-2022-20414 Google Improper Check for Unusual or Exceptional Conditions vulnerability in Google Android

In setImpl of AlarmManagerService.java, there is a possible way to put a device into a boot loop due to an uncaught exception.

5.5
2022-11-08 CVE-2022-20426 Google Resource Exhaustion vulnerability in Google Android

In multiple functions of many files, there is a possible obstruction of the user's ability to select a phone account due to resource exhaustion.

5.5
2022-11-08 CVE-2022-20448 Google Unspecified vulnerability in Google Android

In buzzBeepBlinkLocked of NotificationManagerService.java, there is a possible way to share data across users due to a permissions bypass.

5.5
2022-11-08 CVE-2022-20453 Google Path Traversal vulnerability in Google Android

In update of MmsProvider.java, there is a possible constriction of directory permissions due to a path traversal error.

5.5
2022-11-08 CVE-2022-20457 Google Improper Input Validation vulnerability in Google Android 13.0

In getMountModeInternal of StorageManagerService.java, there is a possible prevention of package installation due to improper input validation.

5.5
2022-11-08 CVE-2022-3821 Systemd Project
Redhat
Fedoraproject
Off-by-one Error vulnerability in multiple products

An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c.

5.5
2022-11-08 CVE-2022-32602 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In keyinstall, there is a possible out of bounds read due to a missing bounds check.

5.5
2022-11-08 CVE-2022-44312 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the ExpressionCoerceInteger function in expression.c when called from ExpressionInfixOperator.

5.5
2022-11-08 CVE-2022-44313 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the ExpressionCoerceUnsignedInteger function in expression.c when called from ExpressionParseFunctionCall.

5.5
2022-11-08 CVE-2022-44314 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the StringStrncpy function in cstdlib/string.c when called from ExpressionParseFunctionCall.

5.5
2022-11-08 CVE-2022-44315 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the ExpressionAssign function in expression.c when called from ExpressionParseFunctionCall.

5.5
2022-11-08 CVE-2022-44316 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the LexGetStringConstant function in lex.c when called from LexScanGetToken.

5.5
2022-11-08 CVE-2022-44317 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the StdioOutPutc function in cstdlib/stdio.c when called from ExpressionParseFunctionCall.

5.5
2022-11-08 CVE-2022-44318 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the StringStrcat function in cstdlib/string.c when called from ExpressionParseFunctionCall.

5.5
2022-11-08 CVE-2022-44319 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the StdioBasePrintf function in cstdlib/string.c when called from ExpressionParseFunctionCall.

5.5
2022-11-08 CVE-2022-44320 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the ExpressionCoerceFP function in expression.c when called from ExpressionParseFunctionCall.

5.5
2022-11-08 CVE-2022-44321 Picoc Project Out-of-bounds Write vulnerability in Picoc Project Picoc 3.2.2

PicoC Version 3.2.2 was discovered to contain a heap buffer overflow in the LexSkipComment function in lex.c when called from LexScanGetToken.

5.5
2022-11-07 CVE-2022-44745 Acronis Information Exposure Through Log Files vulnerability in Acronis Cyber Protect Home Office

Sensitive information leak through log files.

5.5
2022-11-07 CVE-2022-44746 Acronis Incorrect Permission Assignment for Critical Resource vulnerability in Acronis Cyber Protect Home Office

Sensitive information disclosure due to insecure folder permissions.

5.5
2022-11-07 CVE-2022-2188 Mcafee Incorrect Authorization vulnerability in Mcafee Data Exchange Layer

Privilege escalation vulnerability in DXL Broker for Windows prior to 6.0.0.280 allows local users to gain elevated privileges by exploiting weak directory controls in the logs directory.

5.5
2022-11-12 CVE-2022-3963 Gnuboard Cross-site Scripting vulnerability in Gnuboard Gnuboard5

A vulnerability was found in gnuboard5.

5.4
2022-11-11 CVE-2022-36776 IBM Cross-site Scripting vulnerability in IBM Cloud PAK for Security 1.10.0.0/1.10.2.0

IBM Cloud Pak for Security (CP4S) 1.10.0.0 79and 1.10.2.0 is vulnerable to cross-site scripting.

5.4
2022-11-11 CVE-2022-40750 IBM Cross-site Scripting vulnerability in IBM Websphere Application Server 8.5/9.0

IBM WebSphere Application Server 8.5, and 9.0 is vulnerable to cross-site scripting.

5.4
2022-11-11 CVE-2022-3943 Foru CMS Project Cross-site Scripting vulnerability in Foru CMS Project Foru CMS

A vulnerability was found in ForU CMS.

5.4
2022-11-11 CVE-2022-41873 Contiki NG Out-of-bounds Read vulnerability in Contiki-Ng

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices.

5.4
2022-11-10 CVE-2022-42460 Sedlex Cross-site Scripting vulnerability in Sedlex Traffic Manager

Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) in Traffic Manager plugin <= 1.4.5 on WordPress.

5.4
2022-11-10 CVE-2022-26088 BMC Cross-site Scripting vulnerability in BMC Remedy IT Service Management Suite 20.02

An issue was discovered in BMC Remedy before 22.1.

5.4
2022-11-10 CVE-2022-43754 Uyuni Project
Suse
Cross-site Scripting vulnerability in multiple products

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to embed Javascript code via /rhn/audit/scap/Search.do This issue affects: SUSE Linux Enterprise Module for SUSE Manager Server 4.2 hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-formula-0.3-150300.3.3.2, py27-compat-salt-3000.3-150300.7.7.26.2, python-urlgrabber-3.10.2.1py2_3-150300.3.3.2, spacecmd-4.2.20-150300.4.30.2, spacewalk-backend-4.2.25-150300.4.32.4, spacewalk-client-tools-4.2.21-150300.4.27.3, spacewalk-java-4.2.43-150300.3.48.2, spacewalk-utils-4.2.18-150300.3.21.2, spacewalk-web-4.2.30-150300.3.30.3, susemanager-4.2.38-150300.3.44.3, susemanager-doc-indexes-4.2-150300.12.36.3, susemanager-docs_en-4.2-150300.12.36.2, susemanager-schema-4.2.25-150300.3.30.3, susemanager-sls versions prior to 4.2.28.

5.4
2022-11-10 CVE-2022-42786 WUT Cross-site Scripting vulnerability in WUT products

Multiple W&T Products of the ComServer Series are prone to an XSS attack.

5.4
2022-11-09 CVE-2022-3265 Gitlab Cross-site Scripting vulnerability in Gitlab

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2.

5.4
2022-11-09 CVE-2022-3483 Gitlab Unspecified vulnerability in Gitlab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2.

5.4
2022-11-09 CVE-2022-41049 Microsoft Unspecified vulnerability in Microsoft products

Windows Mark of the Web Security Feature Bypass Vulnerability.

5.4
2022-11-09 CVE-2022-41091 Microsoft Unspecified vulnerability in Microsoft products

Windows Mark of the Web Security Feature Bypass Vulnerability.

5.4
2022-11-09 CVE-2022-44590 Simple Video Embedder Project Cross-site Scripting vulnerability in Simple Video Embedder Project Simple Video Embedder 2.2

Auth.

5.4
2022-11-08 CVE-2022-43144 Canteen Management System Project Cross-site Scripting vulnerability in Canteen Management System Project Canteen Management System 1.0

A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

5.4
2022-11-08 CVE-2022-41208 SAP Cross-site Scripting vulnerability in SAP Financial Consolidation 1010

Due to insufficient input validation, SAP Financial Consolidation - version 1010, allows an authenticated attacker with user privileges to alter current user session.

5.4
2022-11-08 CVE-2022-40632 Gvectors Cross-Site Request Forgery (CSRF) vulnerability in Gvectors Wpforo Forum

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress leading to topic deletion.

5.4
2022-11-08 CVE-2021-40303 Perfexcrm Cross-site Scripting vulnerability in Perfexcrm Perfex CRM 1.10

perfex crm 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile.

5.4
2022-11-12 CVE-2022-45195 Simplex Use of a Broken or Risky Cryptographic Algorithm vulnerability in Simplex Chat and Simplexmq

SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not apply a key derivation function to intended data, which can interfere with forward secrecy and can have other impacts if there is a compromise of a single private key.

5.3
2022-11-11 CVE-2022-3959 Drogon Use of Insufficiently Random Values vulnerability in Drogon

A vulnerability, which was classified as problematic, has been found in drogon up to 1.8.1.

5.3
2022-11-11 CVE-2022-3945 Kavitareader Improper Restriction of Excessive Authentication Attempts vulnerability in Kavitareader Kavita

Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3.

5.3
2022-11-11 CVE-2022-3941 Activity LOG Project Improper Encoding or Escaping of Output vulnerability in Activity LOG Project Activity LOG

A vulnerability has been found in Activity Log Plugin and classified as critical.

5.3
2022-11-10 CVE-2022-41876 Ibexa Insecure Storage of Sensitive Information vulnerability in Ibexa Ezplatform-Graphql 2.0.0

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source.

5.3
2022-11-10 CVE-2022-43679 Owncloud Unspecified vulnerability in Owncloud

The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless.

5.3
2022-11-10 CVE-2022-36022 Eclipse Use of Insufficiently Random Values vulnerability in Eclipse Deeplearning4J

Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM.

5.3
2022-11-10 CVE-2022-3793 Gitlab Unspecified vulnerability in Gitlab

An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to.

5.3
2022-11-10 CVE-2022-3818 Gitlab Resource Exhaustion vulnerability in Gitlab

An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance.

5.3
2022-11-09 CVE-2022-2761 Gitlab Unspecified vulnerability in Gitlab

An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to.

5.3
2022-11-09 CVE-2022-39307 Grafana Unspecified vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

5.3
2022-11-09 CVE-2022-44553 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The HiView module has a vulnerability of not filtering third-party apps out when the HiView module traverses to invoke the system provider.

5.3
2022-11-09 CVE-2022-44560 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

The launcher module has an Intent redirection vulnerability.

5.3
2022-11-08 CVE-2022-30515 Zkteco Missing Authentication for Critical Function vulnerability in Zkteco Biotime 8.5.4/8.5.5

ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.

5.3
2022-11-08 CVE-2022-39069 ZTE SQL Injection vulnerability in ZTE Zaip-Aie

There is a SQL injection vulnerability in ZTE ZAIP-AIE.

5.3
2022-11-07 CVE-2022-3489 Weberge Missing Authorization vulnerability in Weberge WP Hide 0.0.2

The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request

5.3
2022-11-08 CVE-2022-41212 SAP Path Traversal vulnerability in SAP Netweaver Application Server Abap

Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted.

4.9
2022-11-08 CVE-2022-30545 5 Anker Cross-site Scripting vulnerability in 5-Anker 5 Anker Connect

Auth.

4.8
2022-11-08 CVE-2022-32776 Wpadvancedads Cross-site Scripting vulnerability in Wpadvancedads Advanced ADS - AD Manager & Adsense

Auth.

4.8
2022-11-08 CVE-2022-41980 Webartesanal Cross-site Scripting vulnerability in Webartesanal Mantenimiento web

Auth.

4.8
2022-11-08 CVE-2022-41432 Eyesofnetwork Cross-site Scripting vulnerability in Eyesofnetwork web Interface 5.3

EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/report_event/index.php.

4.8
2022-11-08 CVE-2022-41433 Eyesofnetwork Cross-site Scripting vulnerability in Eyesofnetwork web Interface 5.3

EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/admin_bp/add_application.php.

4.8
2022-11-07 CVE-2022-43046 Food Ordering Management System Project Cross-site Scripting vulnerability in Food Ordering Management System Project Food Ordering Management System 1.0

Food Ordering Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /foms/place-order.php.

4.8
2022-11-07 CVE-2022-3462 Highlight Focus Project Cross-site Scripting vulnerability in Highlight Focus Project Highlight Focus 1.1

The Highlight Focus WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-11-12 CVE-2022-45194 Bruhn Newtech XXE vulnerability in Bruhn-Newtech Cbrn-Analysis

CBRN-Analysis before 22 allows XXE attacks via am mws XML document, leading to NTLMv2-SSP hash disclosure.

4.7
2022-11-10 CVE-2022-41874 Tauri Use of Incorrectly-Resolved Name or Reference vulnerability in Tauri

Tauri is a framework for building binaries for all major desktop platforms.

4.7
2022-11-08 CVE-2022-41215 SAP Open Redirect vulnerability in SAP Netweaver Application Server Abap

SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation.

4.7
2022-11-07 CVE-2021-42205 Lenovo Unspecified vulnerability in Lenovo Elan Miniport Touchpad Driver

ELAN Miniport touchpad Windows driver before 24.21.51.2, as used in PC hardware from multiple manufacturers, allows local users to cause a system crash by sending a certain IOCTL request, because that request is handled twice.

4.7
2022-11-09 CVE-2022-41099 Microsoft Unspecified vulnerability in Microsoft Windows 10 and Windows 11

BitLocker Security Feature Bypass Vulnerability.

4.6
2022-11-08 CVE-2022-20465 Google Unspecified vulnerability in Google Android

In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lockscreen bypass due to a logic error in the code.

4.6
2022-11-11 CVE-2022-25917 Intel Unspecified vulnerability in Intel products

Uncaught exception in the firmware for some Intel(R) Server Board M50CYP Family before version R01.01.0005 may allow a privileged user to potentially enable a denial of service via local access.

4.4
2022-11-11 CVE-2022-27499 Intel Unspecified vulnerability in Intel SGX SDK

Premature release of resource during expected lifetime in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

4.4
2022-11-11 CVE-2022-36367 Intel Incorrect Default Permissions vulnerability in Intel Support 21.7.40

Incorrect default permissions in the Intel(R) Support Android application before version v22.02.28 may allow a privileged user to potentially enable information disclosure via local access.

4.4
2022-11-09 CVE-2022-41066 Microsoft Unspecified vulnerability in Microsoft Dynamics 365 Business Central and Dynamics NAV

Microsoft Business Central Information Disclosure Vulnerability.

4.4
2022-11-13 CVE-2022-3978 Nodebb Cross-Site Request Forgery (CSRF) vulnerability in Nodebb

A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7.

4.3
2022-11-10 CVE-2022-31255 Uyuni Project
Suse
Path Traversal vulnerability in multiple products

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to read files available to the user running the process, typically tomcat.

4.3
2022-11-10 CVE-2022-43753 Uyuni Project
Suse
Path Traversal vulnerability in multiple products

A Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to read files available to the user running the process, typically tomcat.

4.3
2022-11-10 CVE-2022-3866 Hashicorp Exposure of Resource to Wrong Sphere vulnerability in Hashicorp Nomad 1.4.0/1.4.1

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace.

4.3
2022-11-10 CVE-2022-3867 Hashicorp Insufficient Session Expiration vulnerability in Hashicorp Nomad 1.4.0/1.4.1

HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected.

4.3
2022-11-10 CVE-2022-3413 Gitlab Incorrect Authorization vulnerability in Gitlab

Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events.

4.3
2022-11-10 CVE-2022-3706 Gitlab Unspecified vulnerability in Gitlab

Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project.

4.3
2022-11-10 CVE-2022-3819 Gitlab Unspecified vulnerability in Gitlab

An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to.

4.3
2022-11-09 CVE-2022-29836 Westerndigital Path Traversal vulnerability in Westerndigital products

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system.

4.3
2022-11-09 CVE-2022-44548 Huawei Incorrect Default Permissions vulnerability in Huawei Emui and Harmonyos

There is a vulnerability in permission verification during the Bluetooth pairing process.

4.3
2022-11-09 CVE-2022-3447 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 106.0.5249.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2022-11-09 CVE-2022-43488 Algolplus Cross-Site Request Forgery (CSRF) vulnerability in Algolplus Advanced Dynamic Pricing for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.

4.3
2022-11-08 CVE-2022-27855 Fatcatapps Cross-Site Request Forgery (CSRF) vulnerability in Fatcatapps Analytics CAT

Cross-Site Request Forgery (CSRF) vulnerability in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress allows Plugin Settings Change.

4.3
2022-11-08 CVE-2022-32587 Codeandmore Cross-Site Request Forgery (CSRF) vulnerability in Codeandmore WP Page Widget

Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change.

4.3
2022-11-08 CVE-2022-40205 Gvectors Authorization Bypass Through User-Controlled Key vulnerability in Gvectors Wpforo Forum

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved.

4.3
2022-11-08 CVE-2022-40206 Gvectors Authorization Bypass Through User-Controlled Key vulnerability in Gvectors Wpforo Forum

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

4.3
2022-11-08 CVE-2022-40223 Searchwp Missing Authorization vulnerability in Searchwp

Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.

4.3
2022-11-08 CVE-2022-43481 Rymera Cross-Site Request Forgery (CSRF) vulnerability in Rymera Advanced Coupons

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.

4.3
2022-11-08 CVE-2022-43491 Algolplus Cross-Site Request Forgery (CSRF) vulnerability in Algolplus Advanced Dynamic Pricing for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.

4.3
2022-11-08 CVE-2020-35473 Bluetooth Authentication Bypass by Capture-replay vulnerability in Bluetooth Core Specification

An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses.

4.3
2022-11-07 CVE-2022-2387 Sandhillsdev Cross-Site Request Forgery (CSRF) vulnerability in Sandhillsdev Easy Digital Downloads

The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history.

4.3
2022-11-07 CVE-2022-3451 Addify Missing Authorization vulnerability in Addify Product Stock Manager

The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them.

4.3

13 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-11-10 CVE-2022-39388 Istio Incorrect Authorization vulnerability in Istio 1.15.0/1.15.1/1.15.2

Istio is an open platform to connect, manage, and secure microservices.

3.5
2022-11-08 CVE-2022-30694 Siemens Cross-Site Request Forgery (CSRF) vulnerability in Siemens products

A vulnerability has been identified in SIMATIC Drive Controller family (All versions), SIMATIC ET 200S IM151-8 PN/DP CPU (All versions < V3.2.19), SIMATIC ET 200S IM151-8F PN/DP CPU (All versions < V3.2.19), SIMATIC ET 200pro IM154-8 PN/DP CPU (All versions < V3.2.19), SIMATIC ET 200pro IM154-8F PN/DP CPU (All versions < V3.2.19), SIMATIC ET 200pro IM154-8FX PN/DP CPU (All versions < V3.2.19), SIMATIC PC Station (All versions >= V2.1), SIMATIC S7-1200 CPU family (incl.

3.5
2022-11-07 CVE-2022-38163 F Secure Unspecified vulnerability in F-Secure Safe

A Drag and Drop spoof vulnerability was discovered in F-Secure SAFE Browser for Android and iOS version 19.0 and below.

3.5
2022-11-11 CVE-2022-33973 Intel Unspecified vulnerability in Intel Wlan Authentication and Privacy Infrastructure

Improper access control in the Intel(R) WAPI Security software for Windows 10/11 before version 22.2150.0.1 may allow an authenticated user to potentially enable information disclosure via local access.

3.3
2022-11-09 CVE-2022-39879 Google Missing Authorization vulnerability in Google Android 11.0/12.0

Improper authorization vulnerability in?CallBGProvider prior to SMR Nov-2022 Release 1 allows local attacker to grant permission for accessing information with phone uid.

3.3
2022-11-09 CVE-2022-39884 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in IImsService prior to SMR Nov-2022 Release 1 allows local attacker to access to Call information.

3.3
2022-11-09 CVE-2022-39885 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in BootCompletedReceiver_CMCC in DeviceManagement prior to SMR Nov-2022 Release 1 allows local attacker to access to Device information.

3.3
2022-11-09 CVE-2022-39886 Google Exposure of Resource to Wrong Sphere vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in IpcRxServiceModeBigDataInfo in RIL prior to SMR Nov-2022 Release 1 allows local attacker to access Device information.

3.3
2022-11-09 CVE-2022-39887 Google Incorrect Permission Assignment for Critical Resource vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Release 1 allows local attacker to configure EDM setting.

3.3
2022-11-09 CVE-2022-39889 Samsung Unspecified vulnerability in Samsung Galaxywatch4Plugin 2.2.11.22102751

Improper access control vulnerability in GalaxyWatch4Plugin prior to versions 2.2.11.22101351 and 2.2.12.22101351 allows attackers to access wearable device information.

3.3
2022-11-09 CVE-2022-39893 Samsung Information Exposure Through Log Files vulnerability in Samsung Galaxy Buds PRO Manage

Sensitive information exposure vulnerability in FmmBaseModel in Galaxy Buds Pro Manage prior to version 4.1.22092751 allows local attackers with log access permission to get device identifier data through device log.

3.3
2022-11-08 CVE-2022-20446 Google Missing Authorization vulnerability in Google Android 10.0/11.0

In AlwaysOnHotwordDetector of AlwaysOnHotwordDetector.java, there is a possible way to access the microphone from the background due to a missing permission check.

3.3
2022-11-08 CVE-2022-20463 Google Unspecified vulnerability in Google Android

In factoryReset of WifiServiceImpl, there is a possible way to preserve WiFi settings due to a logic error in the code.

3.3