Weekly Vulnerabilities Reports > November 14 to 20, 2022
Overview
481 new vulnerabilities were reported during this period, including 65 critical vulnerabilities and 186 high severity vulnerabilities. This weekly summary reports vulnerabilities in 637 products from 190 vendors including Cisco, Google, Jenkins, Insyde, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Cross-Site Request Forgery (CSRF)", "Out-of-bounds Write", and "Time-of-check Time-of-use (TOCTOU) Race Condition".
- 397 reported vulnerabilities are remotely exploitable.
- 6 reported vulnerabilities have a public exploit available.
- 184 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 253 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 33 reported vulnerabilities.
- Backclick has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list reported vulnerabilities for the period covered by this report:
65 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-11-18 | CVE-2022-34827 | Carel | Unspecified vulnerability in Carel Boss Mini Firmware 1.5.0 Carel Boss Mini 1.5.0 has Improper Access Control. | 9.9 |
2022-11-17 | CVE-2022-36786 | Dlink | Command Injection vulnerability in Dlink Dsl-224 Firmware DLINK - DSL-224 Post-auth RCE. DLINK router version 3.0.8 has an interface where you can configure NTP servers (Network Time Protocol) via jsonrpc API. It is possible to inject a command through this interface that will run with ROOT permissions on the router. | 9.9 |
2022-11-20 | CVE-2022-4070 | Librenms | Insufficient Session Expiration vulnerability in Librenms Insufficient Session Expiration in GitHub repository librenms/librenms prior to 22.10.0. | 9.8 |
2022-11-19 | CVE-2022-41155 | Webence | Unspecified vulnerability in Webence IQ Block Country Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress. | 9.8 |
2022-11-18 | CVE-2022-42497 | Api2Cart | SQL Injection vulnerability in Api2Cart Bridge Connector 1.0.0/1.1.0 Arbitrary Code Execution vulnerability in Api2Cart Bridge Connector plugin <= 1.1.0 on WordPress. | 9.8 |
2022-11-18 | CVE-2022-42698 | Api2Cart | Unrestricted Upload of File with Dangerous Type vulnerability in Api2Cart Bridge Connector 1.0.0/1.1.0 Unauth. | 9.8 |
2022-11-18 | CVE-2022-45132 | Linaro | Code Injection vulnerability in Linaro Lava In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. | 9.8 |
2022-11-18 | CVE-2022-41900 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 9.8 |
2022-11-18 | CVE-2022-41652 | Expresstech | Unspecified vulnerability in Expresstech Quiz and Survey Master Bypass vulnerability in Quiz And Survey Master plugin <= 7.3.10 on WordPress. | 9.8 |
2022-11-18 | CVE-2022-41781 | Permalink Manager Lite Project | Unspecified vulnerability in Permalink Manager Lite Project Permalink Manager Lite Broken Access Control vulnerability in Permalink Manager Lite plugin <= 2.2.20 on WordPress. | 9.8 |
2022-11-18 | CVE-2022-41840 | Collne | Path Traversal vulnerability in Collne Welcart E-Commerce Unauth. | 9.8 |
2022-11-18 | CVE-2022-45474 | Drachtio | Use After Free vulnerability in Drachtio Drachtio-Server 0.8.18 drachtio-server 0.8.18 has a request-handler.cpp event_cb use-after-free for any request. | 9.8 |
2022-11-18 | CVE-2022-44204 | Dlink | Classic Buffer Overflow vulnerability in Dlink Dir-3060 Firmware 1.11B04 D-Link DIR3060 DIR3060A1_FW111B04.bin is vulnerable to Buffer Overflow. | 9.8 |
2022-11-17 | CVE-2022-36784 | Elsight | Unspecified vulnerability in Elsight Halo Firmware Elsight – Elsight Halo Remote Code Execution (RCE) Elsight Halo web panel allows us to perform connection validation. through the POST request : /api/v1/nics/wifi/wlan0/ping we can abuse DESTINATION parameter and leverage it to remote code execution. | 9.8 |
2022-11-17 | CVE-2022-36787 | Webvendome Project | Unspecified vulnerability in Webvendome Project Webvendome 1.0 webvendome - webvendome SQL Injection. SQL Injection in the Parameter " DocNumber" Request : Get Request : /webvendome/showfiles.aspx?jobnumber=nullDoc Number=HERE. | 9.8 |
2022-11-17 | CVE-2022-38165 | Withsecure | Unspecified vulnerability in Withsecure F-Secure Policy Manager Arbitrary file write in F-Secure Policy Manager through 2022-08-10 allows unauthenticated users to write the file with the contents in arbitrary locations on the F-Secure Policy Manager Server. | 9.8 |
2022-11-17 | CVE-2022-39180 | College Management System Project | Unspecified vulnerability in College Management System Project College Management System 1.0 College Management System v1.0 - SQL Injection (SQLi). By inserting SQL commands to the username and password fields in the login.php page | 9.8 |
2022-11-17 | CVE-2022-44001 | Backclick | Missing Authentication for Critical Function vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 9.8 |
2022-11-17 | CVE-2022-43138 | Dolibarr | Unspecified vulnerability in Dolibarr Erp/Crm Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. | 9.8 |
2022-11-17 | CVE-2022-4051 | Hostel Searching Project | SQL Injection vulnerability in Hostel Searching Project Hostel Searching Project A vulnerability has been found in Hostel Searching Project and classified as critical. | 9.8 |
2022-11-17 | CVE-2022-40881 | Contec | Command Injection vulnerability in Contec Solarview Compact Firmware 6.00 SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php | 9.8 |
2022-11-17 | CVE-2022-42245 | Dreamer CMS Project | SQL Injection vulnerability in Dreamer CMS Project Dreamer CMS 4.0.01 Dreamer CMS 4.0.01 is vulnerable to SQL Injection. | 9.8 |
2022-11-17 | CVE-2022-43781 | Atlassian | Command Injection vulnerability in Atlassian Bitbucket There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. | 9.8 |
2022-11-17 | CVE-2022-43782 | Atlassian | Unspecified vulnerability in Atlassian Crowd Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the {{usermanagement}} path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is {{none}} by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3 | 9.8 |
2022-11-16 | CVE-2022-40752 | IBM | Command Injection vulnerability in IBM products IBM InfoSphere DataStage 11.7 is vulnerable to a command injection vulnerability due to improper neutralization of special elements. | 9.8 |
2022-11-16 | CVE-2022-44000 | Backclick | Improper Control of Dynamically-Managed Code Resources vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 9.8 |
2022-11-16 | CVE-2022-44003 | Backclick | SQL Injection vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 9.8 |
2022-11-16 | CVE-2022-44004 | Backclick | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 9.8 |
2022-11-16 | CVE-2022-44006 | Backclick | Path Traversal vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 9.8 |
2022-11-16 | CVE-2022-43999 | Backclick | Missing Authentication for Critical Function vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 9.8 |
2022-11-16 | CVE-2022-43135 | Online Diagnostic LAB Management System Project | SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0 Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php. | 9.8 |
2022-11-16 | CVE-2022-43234 | Hoosk | Unrestricted Upload of File with Dangerous Type vulnerability in Hoosk 1.8.0 An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file. | 9.8 |
2022-11-16 | CVE-2022-43256 | Seacms | SQL Injection vulnerability in Seacms SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php. | 9.8 |
2022-11-16 | CVE-2022-43262 | Oretnom23 | SQL Injection vulnerability in Oretnom23 Human Resource Management System 1.0 Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /hrm/controller/login.php. | 9.8 |
2022-11-16 | CVE-2022-3980 | Sophos | XXE vulnerability in Sophos Mobile 5.0.0/9.7.3/9.7.4 An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4. | 9.8 |
2022-11-16 | CVE-2022-45047 | Apache | Deserialization of Untrusted Data vulnerability in Apache Sshd Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. | 9.8 |
2022-11-16 | CVE-2022-4011 | Simple History Project | Improper Encoding or Escaping of Output vulnerability in Simple History Project Simple History A vulnerability was found in Simple History Plugin. | 9.8 |
2022-11-16 | CVE-2022-4012 | Hospital Management Center Project | SQL Injection vulnerability in Hospital Management Center Project Hospital Management Center A vulnerability classified as critical has been found in Hospital Management Center. | 9.8 |
2022-11-16 | CVE-2022-4015 | Sports Club Management System Project | SQL Injection vulnerability in Sports Club Management System Project Sports Club Management System 119 A vulnerability, which was classified as critical, was found in Sports Club Management System 119. | 9.8 |
2022-11-16 | CVE-2022-2166 | Joinmastodon | Improper Restriction of Excessive Authentication Attempts vulnerability in Joinmastodon Mastodon Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. | 9.8 |
2022-11-15 | CVE-2022-24942 | Silabs | Out-of-bounds Write vulnerability in Silabs Micrium Uc-Http 3.01.01 Heap based buffer overflow in HTTP Server functionality in Micrium uC-HTTP 3.01.01 allows remote code execution via HTTP request. | 9.8 |
2022-11-15 | CVE-2022-43265 | Canteen Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Canteen Management System Project Canteen Management System 1.0 An arbitrary file upload vulnerability in the component /pages/save_user.php of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 9.8 |
2022-11-15 | CVE-2022-45395 | Jenkins | XXE vulnerability in Jenkins Cccc Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
2022-11-15 | CVE-2022-45396 | Jenkins | XXE vulnerability in Jenkins Sourcemonitor 0.2 Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
2022-11-15 | CVE-2022-45397 | Jenkins | XXE vulnerability in Jenkins OSF Builder Suite :: XML Linter 1.0.2 Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
2022-11-15 | CVE-2022-45400 | Jenkins | XXE vulnerability in Jenkins Japex 1.7 Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 9.8 |
2022-11-15 | CVE-2022-3998 | SCM Project | Unspecified vulnerability in SCM Project SCM A vulnerability, which was classified as critical, was found in MonikaBrzica scm. | 9.8 |
2022-11-15 | CVE-2022-25674 | Qualcomm | Unspecified vulnerability in Qualcomm products Cryptographic issues in WLAN during the group key handshake of the WPA/WPA2 protocol in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music | 9.8 |
2022-11-15 | CVE-2022-25727 | Qualcomm | Improper Validation of Specified Quantity in Input vulnerability in Qualcomm products Memory Corruption in modem due to improper length check while copying into memory in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music | 9.8 |
2022-11-15 | CVE-2022-33234 | Qualcomm | Out-of-bounds Write vulnerability in Qualcomm products Memory corruption in video due to configuration weakness. | 9.8 |
2022-11-15 | CVE-2022-42058 | Tenda | Out-of-bounds Write vulnerability in Tenda W15E Firmware 15.11.0.10(1576) Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a stack overflow via the setRemoteWebManage function. | 9.8 |
2022-11-15 | CVE-2022-42120 | Liferay | SQL Injection vulnerability in Liferay DXP and Liferay Portal A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute. | 9.8 |
2022-11-15 | CVE-2022-42122 | Liferay | SQL Injection vulnerability in Liferay DXP and Liferay Portal A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL. | 9.8 |
2022-11-15 | CVE-2022-42984 | Wowonder | SQL Injection vulnerability in Wowonder 4.1.4 WoWonder Social Network Platform 4.1.4 was discovered to contain a SQL injection vulnerability via the offset parameter at requests.php?f=search&s=recipients. | 9.8 |
2022-11-14 | CVE-2022-43294 | Tasmota Project | Out-of-bounds Write vulnerability in Tasmota Project Tasmota Tasmota before commit 066878da4d4762a9b6cb169fdf353e804d735cfd was discovered to contain a stack overflow via the ClientPortPtr parameter at lib/libesp32/rtsp/CRtspSession.cpp. | 9.8 |
2022-11-14 | CVE-2022-37109 | Camp Project | Insufficiently Protected Credentials vulnerability in Camp Project Camp patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. | 9.8 |
2022-11-14 | CVE-2022-3362 | Ikus Soft | Insufficient Session Expiration vulnerability in Ikus-Soft Rdiffweb Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0. | 9.8 |
2022-11-14 | CVE-2022-24937 | Silabs | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silabs Emberznet 1.0.0 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silicon Labs Ember ZNet allows Overflow Buffers. | 9.8 |
2022-11-14 | CVE-2022-3993 | Kavitareader | Unspecified vulnerability in Kavitareader Kavita Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. | 9.8 |
2022-11-14 | CVE-2022-45136 | Apache | Unspecified vulnerability in Apache Jena SDB 3.17.0 Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. | 9.8 |
2022-11-14 | CVE-2022-3477 | Tagdiv Composer Project Newsmag Project Newspaper Project | The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address | 9.8 |
2022-11-14 | CVE-2022-3574 | Wpforms | Unspecified vulnerability in Wpforms PRO The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. | 9.8 |
2022-11-14 | CVE-2022-45378 | Apache | Unspecified vulnerability in Apache Soap 1.2/2.2/2.3 In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. | 9.8 |
2022-11-18 | CVE-2022-44584 | Watchtowerhq | Unspecified vulnerability in Watchtowerhq Watchtower Unauth. | 9.1 |
2022-11-18 | CVE-2022-41880 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 9.1 |
186 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-11-20 | CVE-2022-3525 | Librenms | Deserialization of Untrusted Data vulnerability in Librenms Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0. | 8.8 |
2022-11-19 | CVE-2022-41609 | Wordplus | Server-Side Request Forgery (SSRF) vulnerability in Wordplus Better Messages Auth. | 8.8 |
2022-11-18 | CVE-2021-33621 | Ruby Lang Fedoraproject | Injection vulnerability in multiple products The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. | 8.8 |
2022-11-18 | CVE-2022-40695 | Clogica | Cross-Site Request Forgery (CSRF) vulnerability in Clogica SEO Redirection Multiple Cross-Site Scripting (CSRF) vulnerabilities in SEO Redirection Plugin plugin <= 8.9 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-41634 | Maxfoundry | Cross-Site Request Forgery (CSRF) vulnerability in Maxfoundry Media Library Folders Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-41685 | Visztpeter | Cross-Site Request Forgery (CSRF) vulnerability in Visztpeter products Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Viszt Péter's Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 and Csomagpontok és szállítási címkék WooCommerce-hez plugin <= 1.9.0.2 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-43492 | Gvectors | Authorization Bypass Through User-Controlled Key vulnerability in Gvectors Wpdiscuz 7.4.2 Auth. | 8.8 |
2022-11-18 | CVE-2022-44740 | Constantcontact | Cross-Site Request Forgery (CSRF) vulnerability in Constantcontact Creative Mail Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Creative Mail plugin <= 1.5.4 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-45073 | Miniorange | Cross-Site Request Forgery (CSRF) vulnerability in Miniorange Wordpress Rest API Authentication Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-42461 | Miniorange | Unspecified vulnerability in Miniorange Google Authenticator Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-43482 | Codepeople | Missing Authorization vulnerability in Codepeople Appointment Booking Calendar Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-40686 | Constantcontact | Cross-Site Request Forgery (CSRF) vulnerability in Constantcontact Creative Mail Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-40687 | Constantcontact | Cross-Site Request Forgery (CSRF) vulnerability in Constantcontact Creative Mail Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress. | 8.8 |
2022-11-18 | CVE-2022-41692 | Dwbooster | Missing Authorization vulnerability in Dwbooster Appointment Hour Booking Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress. | 8.8 |
2022-11-17 | CVE-2022-40192 | Gvectors | Cross-Site Request Forgery (CSRF) vulnerability in Gvectors Wpforo Forum Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. | 8.8 |
2022-11-17 | CVE-2022-40200 | Gvectors | Unrestricted Upload of File with Dangerous Type vulnerability in Gvectors Wpforo Forum Auth. | 8.8 |
2022-11-17 | CVE-2022-41775 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie SQL Injection in Handler_CFG.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network | 8.8 |
2022-11-17 | CVE-2022-41791 | Metagauss | Improper Neutralization of Formula Elements in a CSV File vulnerability in Metagauss Profilegrid Auth. | 8.8 |
2022-11-17 | CVE-2022-43447 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie SQL Injection in AM_EBillAnalysis.aspx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network | 8.8 |
2022-11-17 | CVE-2022-43452 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie SQL Injection in FtyInfoSetting.aspx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network | 8.8 |
2022-11-17 | CVE-2022-43457 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie SQL Injection in HandlerPage_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network | 8.8 |
2022-11-17 | CVE-2022-43506 | Deltaww | SQL Injection vulnerability in Deltaww Diaenergie SQL Injection in HandlerTag_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network | 8.8 |
2022-11-17 | CVE-2022-45066 | Thriveweb | Unspecified vulnerability in Thriveweb Wooswipe Woocommerce Gallery Auth. | 8.8 |
2022-11-17 | CVE-2022-45069 | Automattic | Unspecified vulnerability in Automattic Crowdsignal Dashboard Auth. | 8.8 |
2022-11-17 | CVE-2022-45077 | Muffingroup | Deserialization of Untrusted Data vulnerability in Muffingroup Betheme 26.5.1.4 Auth. | 8.8 |
2022-11-17 | CVE-2022-45071 | Wpml | Cross-Site Request Forgery (CSRF) vulnerability in Wpml Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. | 8.8 |
2022-11-17 | CVE-2022-43183 | Xuxueli | Server-Side Request Forgery (SSRF) vulnerability in Xuxueli Xxl-Job XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. | 8.8 |
2022-11-17 | CVE-2022-41920 | Lancet Project | Unspecified vulnerability in Lancet Project Lancet Lancet is a general utility library for the go programming language. | 8.8 |
2022-11-17 | CVE-2022-44384 | Rconfig | Unrestricted Upload of File with Dangerous Type vulnerability in Rconfig 3.9.6 An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file. | 8.8 |
2022-11-17 | CVE-2022-45461 | Veritas | OS Command Injection vulnerability in Veritas Netbackup The Java Admin Console in Veritas NetBackup through 10.1 and related Veritas products on Linux and UNIX allows authenticated non-root users (that have been explicitly added to the auth.conf file) to execute arbitrary commands as root. | 8.8 |
2022-11-17 | CVE-2022-42246 | Duofoxtechnologies | Cross-Site Request Forgery (CSRF) vulnerability in Duofoxtechnologies Duofox CMS 0.0.4 Doufox 0.0.4 contains a CSRF vulnerability that can add system administrator account. | 8.8 |
2022-11-17 | CVE-2021-38819 | Simple Image Gallery WEB APP Project | SQL Injection vulnerability in Simple Image Gallery web APP Project Simple Image Gallery web APP A SQL injection vulnerability exists on the Simple Image Gallery System 1.0 application through "id" parameter on the album page. | 8.8 |
2022-11-16 | CVE-2022-44007 | Backclick | Session Fixation vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 8.8 |
2022-11-16 | CVE-2022-4013 | Hospital Management Center Project | Cross-Site Request Forgery (CSRF) vulnerability in Hospital Management Center Project Hospital Management Center A vulnerability classified as problematic was found in Hospital Management Center. | 8.8 |
2022-11-15 | CVE-2022-29277 | AMD Intel | Out-of-bounds Write vulnerability in multiple products Incorrect pointer checks within the FwBlockServiceSmm driver can allow arbitrary RAM modifications. During review of the FwBlockServiceSmm driver, certain instances of SpiAccessLib could be tricked into writing 0xff to arbitrary system and SMRAM addresses. | 8.8 |
2022-11-15 | CVE-2020-12507 | Badgermeter | Unspecified vulnerability in Badgermeter Moni::Tool 4.2 In s::can moni::tools before version 4.2 an authenticated attacker could get full access to the database through SQL injection. | 8.8 |
2022-11-15 | CVE-2022-20926 | Cisco | OS Command Injection vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web management interface of the Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is due to insufficient validation of user-supplied parameters for certain API endpoints. | 8.8 |
2022-11-15 | CVE-2022-3240 | Follow ME Plugin Project | Cross-Site Request Forgery (CSRF) vulnerability in Follow ME Plugin Project Follow ME Plugin The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. | 8.8 |
2022-11-15 | CVE-2022-42121 | Liferay | SQL Injection vulnerability in Liferay DXP and Liferay Portal A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted payload injected into a page template's 'Name' field. | 8.8 |
2022-11-15 | CVE-2022-35613 | Konker | Cross-Site Request Forgery (CSRF) vulnerability in Konker Platform 2.3.9 Konker v2.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF). | 8.8 |
2022-11-14 | CVE-2022-43323 | Eyoucms | Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.5.9 EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Top Up Balance component under the Edit Member module. | 8.8 |
2022-11-14 | CVE-2022-44387 | Eyoucms | Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.5.9 EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module. | 8.8 |
2022-11-14 | CVE-2022-43693 | Concretecms | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | 8.8 |
2022-11-14 | CVE-2022-43288 | Rukovoditel | SQL Injection vulnerability in Rukovoditel 3.2.1 Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php. | 8.8 |
2022-11-14 | CVE-2022-40127 | Apache | Unspecified vulnerability in Apache Airflow A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. | 8.8 |
2022-11-14 | CVE-2022-45183 | Ironmansoftware | Improper Privilege Management vulnerability in Ironmansoftware Powershell Universal Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with a valid app token to retrieve other app tokens by ID via an HTTP web request. | 8.8 |
2022-11-19 | CVE-2022-4066 | Mozilla Onion Project | A vulnerability was found in davidmoreno onion. | 8.2 |
2022-11-15 | CVE-2022-29276 | Insyde | Out-of-bounds Write vulnerability in Insyde Kernel SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. | 8.2 |
2022-11-15 | CVE-2022-29278 | Insyde | Improper Check for Unusual or Exceptional Conditions vulnerability in Insyde Kernel Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory. | 8.2 |
2022-11-15 | CVE-2022-29279 | Insyde | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Insyde Kernel Use of an untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice. | 8.2 |
2022-11-15 | CVE-2022-29275 | Insyde | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Insyde Kernel In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering Use of untrusted pointers could allow OS or SMRAM memory tampering leading to escalation of privileges. | 8.2 |
2022-11-15 | CVE-2022-30771 | Insyde | Out-of-bounds Write vulnerability in Insyde Kernel Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions. | 8.2 |
2022-11-15 | CVE-2022-30772 | Insyde | Out-of-bounds Write vulnerability in Insyde Kernel Manipulation of the input address in PnpSmm function 0x52 could be used by malware to overwrite SMRAM or OS kernel memory. | 8.2 |
2022-11-18 | CVE-2022-41894 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 8.1 |
2022-11-15 | CVE-2022-38385 | IBM | Improper Input Validation vulnerability in IBM Cloud PAK for Security 1.10.0.0/1.10.2.0 IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allow an authenticated user to obtain highly sensitive information or perform unauthorized actions due to improper input validation. | 8.1 |
2022-11-15 | CVE-2022-45381 | Jenkins | Path Traversal vulnerability in Jenkins Pipeline Utility Steps 2.13.1 Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. | 8.1 |
2022-11-19 | CVE-2022-4065 | Testng Project | Unspecified vulnerability in Testng Project Testng A vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. | 7.8 |
2022-11-19 | CVE-2022-31606 | Nvidia | Out-of-bounds Write vulnerability in Nvidia Cloud Gaming Guest, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a failure to properly validate data might allow an attacker with basic user capabilities to cause an out-of-bounds access in kernel mode, which could lead to denial of service, information disclosure, escalation of privileges, or data tampering. | 7.8 |
2022-11-19 | CVE-2022-31607 | Nvidia | Unspecified vulnerability in Nvidia Cloud Gaming Guest and GPU Display Driver NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where a local user with basic capabilities can cause improper input validation, which may lead to denial of service, escalation of privileges, data tampering, and limited information disclosure. | 7.8 |
2022-11-19 | CVE-2022-31608 | Nvidia | Improper Preservation of Permissions vulnerability in Nvidia GPU Display Driver NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file, where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 7.8 |
2022-11-19 | CVE-2022-31610 | Nvidia | Out-of-bounds Write vulnerability in Nvidia Cloud Gaming Guest, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a local user with basic capabilities can cause an out-of-bounds write, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 7.8 |
2022-11-19 | CVE-2022-31617 | Nvidia | Out-of-bounds Read vulnerability in Nvidia Cloud Gaming Guest, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a local user with basic capabilities can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 7.8 |
2022-11-18 | CVE-2022-37197 | Iobit | Unquoted Search Path or Element vulnerability in Iobit Iotransfer 4.0 IOBit IOTransfer V4 is vulnerable to Unquoted Service Path. | 7.8 |
2022-11-18 | CVE-2022-43308 | Intelbras | Improper Privilege Management vulnerability in Intelbras SG 2404 MR Firmware and SG 2404 POE Firmware INTELBRAS SG 2404 MR 20180928-rel64938 allows authenticated attackers to arbitrarily create Administrator accounts via crafted user cookies. | 7.8 |
2022-11-17 | CVE-2022-23748 | Audinate | Untrusted Search Path vulnerability in Audinate Dante Application Library mDNSResponder.exe is vulnerable to DLL Sideloading attack. | 7.8 |
2022-11-17 | CVE-2022-28768 | Zoom | Race Condition vulnerability in Zoom Meetings The Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6 contains a local privilege escalation vulnerability. | 7.8 |
2022-11-17 | CVE-2022-36924 | Zoom | Uncontrolled Search Path Element vulnerability in Zoom Rooms The Zoom Rooms Installer for Windows prior to 5.12.6 contains a local privilege escalation vulnerability. | 7.8 |
2022-11-17 | CVE-2022-42533 | Google | Integer Overflow or Wraparound vulnerability in Google Android In shared_metadata_init of SharedMetadata.cpp, there is a possible out of bounds write due to an integer overflow. | 7.8 |
2022-11-17 | CVE-2022-44725 | Opcfoundation | Incorrect Permission Assignment for Critical Resource vulnerability in Opcfoundation Local Discovery Server OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. | 7.8 |
2022-11-15 | CVE-2022-3377 | Hornerautomation | Unspecified vulnerability in Hornerautomation Cscape Horner Automation's Cscape version 9.90 SP 6 and prior does not properly validate user-supplied data. | 7.8 |
2022-11-15 | CVE-2022-25724 | Qualcomm | Classic Buffer Overflow vulnerability in Qualcomm products Memory corruption in graphics due to buffer overflow while validating the user address in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
2022-11-15 | CVE-2022-25743 | Qualcomm | Use After Free vulnerability in Qualcomm products Memory corruption in graphics due to use-after-free while importing graphics buffer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables | 7.8 |
2022-11-15 | CVE-2022-41395 | Tenda | OS Command Injection vulnerability in Tenda W15E Firmware 15.11.0.10(1576) Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a command injection vulnerability via the dmzHost parameter in the setDMZ function. | 7.8 |
2022-11-15 | CVE-2022-41396 | Tenda | OS Command Injection vulnerability in Tenda W15E Firmware 15.11.0.10(1576) Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain multiple command injection vulnerabilities in the function setIPsecTunnelList via the IPsecLocalNet and IPsecRemoteNet parameters. | 7.8 |
2022-11-15 | CVE-2022-42053 | Tenda | OS Command Injection vulnerability in Tenda W15E Firmware 15.11.0.10(1576) Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a command injection vulnerability via the PortMappingServer parameter in the setPortMapping function. | 7.8 |
2022-11-15 | CVE-2022-40847 | Tenda | OS Command Injection vulnerability in Tenda W15E Firmware 15.11.0.10(1576) In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), there exists a command injection vulnerability in the function formSetFixTools. | 7.8 |
2022-11-14 | CVE-2022-34325 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Insydeh2O DMA transactions which are targeted at input buffers used for the StorageSecurityCommandDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. | 7.8 |
2022-11-14 | CVE-2022-3238 | Linux | Double Free vulnerability in Linux Kernel 6.1 A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. | 7.8 |
2022-11-19 | CVE-2022-30256 | Maradns | Operation on a Resource after Expiration or Release vulnerability in Maradns An issue was discovered in MaraDNS Deadwood through 3.5.0021 that allows variant V1 of unintended domain name resolution. | 7.5 |
2022-11-18 | CVE-2022-38871 | Free5Gc | Resource Exhaustion vulnerability in Free5Gc 3.0.5 In Free5gc v3.0.5, the AMF breaks due to malformed NAS messages. | 7.5 |
2022-11-18 | CVE-2022-42883 | Expresstech | Unspecified vulnerability in Expresstech Quiz and Survey Master Sensitive Information Disclosure vulnerability discovered by Quiz And Survey Master plugin <= 7.3.10 on WordPress. | 7.5 |
2022-11-18 | CVE-2022-44583 | Watchtowerhq | Files or Directories Accessible to External Parties vulnerability in Watchtowerhq Watchtower Unauth. | 7.5 |
2022-11-18 | CVE-2022-41884 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41885 | Google | Incorrect Calculation of Buffer Size vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41886 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41887 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41888 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41889 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41890 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41891 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41893 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41895 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41896 | Google | Improper Validation of Specified Quantity in Input vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41897 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41898 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41899 | Google | Reachable Assertion vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41901 | Google | Reachable Assertion vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41907 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41908 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41909 | Google | NULL Pointer Dereference vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41911 | Google | Unspecified vulnerability in Google Tensorflow TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-41883 | Google | Unspecified vulnerability in Google Tensorflow 2.10.0 TensorFlow is an open source platform for machine learning. | 7.5 |
2022-11-18 | CVE-2022-45471 | Jetbrains | Allocation of Resources Without Limits or Throttling vulnerability in Jetbrains HUB In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address | 7.5 |
2022-11-17 | CVE-2022-36785 | Dlink | Incorrect Authorization vulnerability in Dlink G Integrated Access Device4 Firmware 1.0 D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. | 7.5 |
2022-11-17 | CVE-2022-42732 | Siemens | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Siemens Syngo Dynamics Cardiovascular Imaging and Information System A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). | 7.5 |
2022-11-17 | CVE-2022-42733 | Siemens | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Siemens Syngo Dynamics Cardiovascular Imaging and Information System A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). | 7.5 |
2022-11-17 | CVE-2022-42734 | Siemens | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Siemens Syngo Dynamics Cardiovascular Imaging and Information System A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). | 7.5 |
2022-11-17 | CVE-2022-42891 | Siemens | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Siemens Syngo Dynamics Cardiovascular Imaging and Information System A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). | 7.5 |
2022-11-17 | CVE-2022-42893 | Siemens | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Siemens Syngo Dynamics Cardiovascular Imaging and Information System A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). | 7.5 |
2022-11-17 | CVE-2022-42894 | Siemens | Server-Side Request Forgery (SSRF) vulnerability in Siemens Syngo Dynamics Cardiovascular Imaging and Information System A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). | 7.5 |
2022-11-17 | CVE-2022-43140 | Keking | Server-Side Request Forgery (SSRF) vulnerability in Keking Kkfileview 4.1.0 kkFileView v4.1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. | 7.5 |
2022-11-17 | CVE-2022-42982 | Bund | Missing Authentication for Critical Function vulnerability in Bund BKG Professional Ntripcaster 2.0.39 BKG Professional NtripCaster 2.0.39 allows querying information over the UDP protocol without authentication. | 7.5 |
2022-11-16 | CVE-2022-43264 | Guitar PRO | Path Traversal vulnerability in Guitar-Pro Guitar PRO Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to perform directory traversal and download arbitrary files via a crafted web request. | 7.5 |
2022-11-16 | CVE-2022-3920 | Hashicorp | Missing Authorization vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. | 7.5 |
2022-11-15 | CVE-2022-41916 | Heimdal Project Debian | Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. | 7.5 |
2022-11-15 | CVE-2022-4006 | Wbce | Improper Restriction of Excessive Authentication Attempts vulnerability in Wbce CMS A vulnerability, which was classified as problematic, has been found in WBCE CMS. | 7.5 |
2022-11-15 | CVE-2022-20854 | Cisco | Improper Handling of Exceptional Conditions vulnerability in Cisco Secure Firewall Management Center A vulnerability in the processing of SSH connections of Cisco Firepower Management Center (FMC) and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when an SSH session fails to be established. | 7.5 |
2022-11-15 | CVE-2022-20918 | Cisco | Improper Authentication vulnerability in Cisco products A vulnerability in the Simple Network Management Protocol (SNMP) access controls for Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module, Cisco Firepower Management Center (FMC) Software, and Cisco Next-Generation Intrusion Prevention System (NGIPS) Software could allow an unauthenticated, remote attacker to perform an SNMP GET request using a default credential. This vulnerability is due to the presence of a default credential for SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2). | 7.5 |
2022-11-15 | CVE-2022-20946 | Cisco | Out-of-bounds Write vulnerability in Cisco Firepower Threat Defense A vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a memory handling error that occurs when GRE traffic is processed. | 7.5 |
2022-11-15 | CVE-2022-20947 | Cisco | Unspecified vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in dynamic access policies (DAP) functionality of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to improper processing of HostScan data received from the Posture (HostScan) module. | 7.5 |
2022-11-15 | CVE-2022-30283 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges. The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM. | 7.5 |
2022-11-15 | CVE-2022-27895 | Palantir | Information Exposure Through Log Files vulnerability in Palantir Foundry Build2 Information Exposure Through Log Files vulnerability discovered in Foundry when logs were captured using an underlying library known as Build2. | 7.5 |
2022-11-15 | CVE-2022-38666 | Jenkins | Improper Certificate Validation vulnerability in Jenkins Ns-Nd Integration Performance Publisher Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. | 7.5 |
2022-11-15 | CVE-2022-45379 | Jenkins | Inadequate Encryption Strength vulnerability in Jenkins Script Security Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. | 7.5 |
2022-11-15 | CVE-2022-45385 | Jenkins | Missing Authorization vulnerability in Jenkins Cloudbees Docker Hub/Registry Notification 2.6.2 A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. | 7.5 |
2022-11-15 | CVE-2022-45388 | Jenkins | Unspecified vulnerability in Jenkins Config Rotator 2.0.1 Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system. | 7.5 |
2022-11-15 | CVE-2022-45391 | Jenkins | Improper Certificate Validation vulnerability in Jenkins Ns-Nd Integration Performance Publisher Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. | 7.5 |
2022-11-15 | CVE-2022-40308 | Apache | Unspecified vulnerability in Apache Archiva If anonymous read enabled, it's possible to read the database file directly without logging in. | 7.5 |
2022-11-15 | CVE-2022-25667 | Qualcomm | Improper Authentication vulnerability in Qualcomm products Information disclosure in kernel due to improper handling of ICMP requests in Snapdragon Wired Infrastructure and Networking | 7.5 |
2022-11-15 | CVE-2022-25671 | Qualcomm | Reachable Assertion vulnerability in Qualcomm products Denial of service in MODEM due to reachable assertion in Snapdragon Mobile | 7.5 |
2022-11-15 | CVE-2022-25710 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Denial of service due to null pointer dereference when GATT is disconnected in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music | 7.5 |
2022-11-15 | CVE-2022-25741 | Qualcomm | NULL Pointer Dereference vulnerability in Qualcomm products Denial of service in WLAN due to potential null pointer dereference while accessing the memory location in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 7.5 |
2022-11-15 | CVE-2022-25742 | Qualcomm | Infinite Loop vulnerability in Qualcomm products Denial of service in modem due to infinite loop while parsing IGMPv2 packet from server in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music | 7.5 |
2022-11-15 | CVE-2022-33236 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Transient DOS due to buffer over-read in WLAN firmware while parsing cipher suite info attributes. | 7.5 |
2022-11-15 | CVE-2022-33237 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Transient DOS due to buffer over-read in WLAN firmware while processing PPE threshold. | 7.5 |
2022-11-15 | CVE-2022-33239 | Qualcomm | Infinite Loop vulnerability in Qualcomm products Transient DOS due to loop with unreachable exit condition in WLAN firmware while parsing IPV6 extension header. | 7.5 |
2022-11-15 | CVE-2022-42060 | Tenda | Out-of-bounds Write vulnerability in Tenda W15E Firmware 15.11.0.10(1576) Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a stack overflow via the setWanPpoe function. | 7.5 |
2022-11-15 | CVE-2022-42123 | Liferay | Path Traversal vulnerability in Liferay Digital Experience Platform and Liferay Portal A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite existing files on the filesystem via the installation of a malicious Elasticsearch Sidecar plugin. | 7.5 |
2022-11-15 | CVE-2022-42124 | Liferay | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted payload injected into the 'name' field of a layout prototype. | 7.5 |
2022-11-15 | CVE-2022-42125 | Liferay | Path Traversal vulnerability in Liferay Digital Experience Platform and Liferay Portal Zip slip vulnerability in FileUtil.unzip in Liferay Portal 7.4.3.5 through 7.4.3.35 and Liferay DXP 7.4 update 1 through update 34 allows attackers to create or overwrite existing files on the filesystem via the deployment of a malicious plugin/module. | 7.5 |
2022-11-15 | CVE-2022-42977 | Atlassian | Path Traversal vulnerability in Atlassian Confluence Data Center The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. | 7.5 |
2022-11-15 | CVE-2022-42978 | Atlassian | Incorrect Authorization vulnerability in Atlassian Confluence Data Center In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. | 7.5 |
2022-11-15 | CVE-2022-40405 | Wowonder | SQL Injection vulnerability in Wowonder 4.1.2 WoWonder Social Network Platform v4.1.2 was discovered to contain a SQL injection vulnerability via the offset parameter at requests.php?f=load-my-blogs. | 7.5 |
2022-11-14 | CVE-2022-40735 | Diffie Hellman KEY Exchange Project | Resource Exhaustion vulnerability in Diffie-Hellman KEY Exchange Project Diffie-Hellman KEY Exchange The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. | 7.5 |
2022-11-14 | CVE-2022-27896 | Palantir | Information Exposure Through Log Files vulnerability in Palantir Foundry Code-Workbooks 4.144.0/4.460.0 Information Exposure Through Log Files vulnerability discovered in Foundry Code-Workbooks where the endpoint backing that console was generating service log records of any Python code being run. | 7.5 |
2022-11-14 | CVE-2022-34320 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2022-11-14 | CVE-2022-24938 | Silabs | Out-of-bounds Write vulnerability in Silabs Emberznet 1.0.0 A malformed packet causes a stack overflow in the Ember ZNet stack. | 7.5 |
2022-11-14 | CVE-2022-34319 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Cics TX 11.7 IBM CICS TX 11.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2022-11-14 | CVE-2022-0324 | Linuxfoundation | Classic Buffer Overflow vulnerability in Linuxfoundation Software for Open Networking in the Cloud 202111 There is a vulnerability in DHCPv6 packet parsing code that could be exploited by a remote attacker to craft a packet that could cause buffer overflow in a memcpy call, leading to out-of-bounds memory write that would cause dhcp6relay to crash. | 7.5 |
2022-11-14 | CVE-2022-27949 | Apache | Unspecified vulnerability in Apache Airflow A vulnerability in UI of Apache Airflow allows an attacker to view unmasked secrets in rendered template values for tasks which were not executed (for example when they were depending on past and previous instances of the task failed). | 7.5 |
2022-11-14 | CVE-2022-45198 | Python | Unspecified vulnerability in Python Pillow Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). | 7.5 |
2022-11-14 | CVE-2022-45199 | Python | Resource Exhaustion vulnerability in Python Pillow Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. | 7.5 |
2022-11-14 | CVE-2021-38827 | Xiongmaitech | Authentication Bypass by Capture-replay vulnerability in Xiongmaitech Xm-Jpr2-Lx Firmware 4.02.R12.A6420987.10002.147502.00000 Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000 is vulnerable to account takeover. | 7.5 |
2022-11-19 | CVE-2022-41939 | Linuxfoundation | Unspecified vulnerability in Linuxfoundation Knative Func knative.dev/func is a client library and CLI enabling the development and deployment of Kubernetes functions. | 7.4 |
2022-11-19 | CVE-2022-4055 | Freedesktop | Unspecified vulnerability in Freedesktop Xdg-Utils When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. | 7.4 |
2022-11-18 | CVE-2022-31694 | Installbuilder | Uncontrolled Search Path Element vulnerability in Installbuilder InstallBuilder Qt installers built with versions previous to 22.10 try to load DLLs from the installer binary parent directory when displaying popups. | 7.3 |
2022-11-17 | CVE-2022-28766 | Zoom | Uncontrolled Search Path Element vulnerability in Zoom Meetings and Rooms Windows 32-bit versions of the Zoom Client for Meetings before 5.12.6 and Zoom Rooms for Conference Room before version 5.12.6 are susceptible to a DLL injection vulnerability. | 7.3 |
2022-11-18 | CVE-2022-42459 | Oxilab | Improper Privilege Management vulnerability in Oxilab Image Hover Effects Ultimate Auth. | 7.2 |
2022-11-18 | CVE-2022-42904 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Admanager Plus Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings. | 7.2 |
2022-11-18 | CVE-2022-44413 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/mechanics/manage_mechanic.php?id=. | 7.2 |
2022-11-18 | CVE-2022-44414 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/services/manage_service.php?id=. | 7.2 |
2022-11-18 | CVE-2022-44415 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/mechanics/view_mechanic.php?id=. | 7.2 |
2022-11-18 | CVE-2022-44820 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/?page=transactions/manage_transaction&id=. | 7.2 |
2022-11-18 | CVE-2022-44378 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/classes/Master.php?f=delete_mechanic. | 7.2 |
2022-11-18 | CVE-2022-44379 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/classes/Master.php?f=delete_service. | 7.2 |
2022-11-17 | CVE-2022-39179 | College Management System Project | SQL Injection vulnerability in College Management System Project College Management System 1.0 College Management System v1.0 - Authenticated remote code execution. An admin user (the authentication can be bypassed using SQL Injection that is mentioned in my other report) can upload a .php file that contains malicious code via student.php file. | 7.2 |
2022-11-17 | CVE-2022-43162 | Online Diagnostic LAB Management System Project | SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0 Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tests/view_test.php. | 7.2 |
2022-11-17 | CVE-2022-43163 | Online Diagnostic LAB Management System Project | SQL Injection vulnerability in Online Diagnostic LAB Management System Project Online Diagnostic LAB Management System 1.0 Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /clients/view_client.php. | 7.2 |
2022-11-17 | CVE-2022-43179 | Online Leave Management System Project | SQL Injection vulnerability in Online Leave Management System Project Online Leave Management System 1.0 Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/?page=user/manage_user&id=. | 7.2 |
2022-11-17 | CVE-2022-44402 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/classes/Master.php?f=delete_transaction. | 7.2 |
2022-11-17 | CVE-2022-44403 | Automotive Shop Management System Project | SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0 Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/?page=user/manage_user&id=. | 7.2 |
2022-11-17 | CVE-2022-4052 | Student Attendance Management System Project | SQL Injection vulnerability in Student Attendance Management System Project Student Attendance Management System A vulnerability was found in Student Attendance Management System and classified as critical. | 7.2 |
2022-11-15 | CVE-2022-20925 | Cisco | OS Command Injection vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web management interface of the Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability is due to insufficient validation of user-supplied parameters for certain API endpoints. | 7.2 |
2022-11-15 | CVE-2022-43279 | Limesurvey | SQL Injection vulnerability in Limesurvey 5.4.4 LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php. | 7.2 |
2022-11-14 | CVE-2022-43030 | Siyucms | Weak Password Requirements vulnerability in Siyucms 6.1.7 Siyucms v6.1.7 was discovered to contain a remote code execution (RCE) vulnerability in the background. | 7.2 |
2022-11-14 | CVE-2022-43146 | Canteen Management System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Canteen Management System Project Canteen Management System 1.0 An arbitrary file upload vulnerability in the image upload function of Canteen Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 7.2 |
2022-11-14 | CVE-2022-45184 | Ironmansoftware | Path Traversal vulnerability in Ironmansoftware Powershell Universal The Web Server in Ironman Software PowerShell Universal v3.x and v2.x allows for directory traversal outside of the configuration directory, which allows a remote attacker with administrator privilege to create, delete, update, and display files outside of the configuration directory via a crafted HTTP request to particular endpoints in the web server. | 7.2 |
2022-11-19 | CVE-2022-31612 | Nvidia | Out-of-bounds Read vulnerability in Nvidia Cloud Gaming Guest, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a local user with basic capabilities can cause an out-of-bounds read, which may lead to a system crash or a leak of internal kernel information. | 7.1 |
2022-11-19 | CVE-2022-31616 | Nvidia | Out-of-bounds Read vulnerability in Nvidia Cloud Gaming Guest, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a local user with basic capabilities can cause an out-of-bounds read, which may lead to denial of service, or information disclosure. | 7.1 |
2022-11-14 | CVE-2022-31630 | PHP | Out-of-bounds Read vulnerability in PHP In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using the imageloadfont() function in the gd extension, it is possible to supply a specially crafted font file such that, if the loaded font is used with the imagechar() function, a read outside the allocated buffer will be used. | 7.1 |
2022-11-15 | CVE-2022-33905 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the AhciBusDxe software SMI handler could cause SMRAM corruption (a TOCTOU attack). | 7.0 |
2022-11-15 | CVE-2022-33908 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the SdHostDriver software SMI handler could cause SMRAM corruption through a TOCTOU attack. | 7.0 |
2022-11-15 | CVE-2022-33909 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the HddPassword software SMI handler could cause SMRAM corruption through a TOCTOU attack. | 7.0 |
2022-11-15 | CVE-2022-33983 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the NvmExpressLegacy software SMI handler could cause SMRAM corruption through a TOCTOU attack. | 7.0 |
2022-11-15 | CVE-2022-33984 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the SdMmcDevice software SMI handler could cause SMRAM corruption through a TOCTOU attack. | 7.0 |
2022-11-15 | CVE-2022-33985 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the NvmExpressDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. | 7.0 |
220 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-11-17 | CVE-2022-43096 | M5T | Unspecified vulnerability in M5T Mediatrix 4102S Firmware Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port. | 6.8 |
2022-11-15 | CVE-2022-20826 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the secure boot implementation of Cisco Secure Firewalls 3100 Series that are running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated attacker with physical access to the device to bypass the secure boot functionality. This vulnerability is due to a logic error in the boot process. | 6.8 |
2022-11-17 | CVE-2022-20427 | Google | Out-of-bounds Write vulnerability in Google Android In (TBD) of (TBD), there is a possible way to corrupt memory due to improper input validation. | 6.7 |
2022-11-17 | CVE-2022-20428 | Google | Out-of-bounds Write vulnerability in Google Android In (TBD) of (TBD), there is a possible out of bounds write due to a missing bounds check. | 6.7 |
2022-11-17 | CVE-2022-20459 | Google | Improper Input Validation vulnerability in Google Android In (TBD) of (TBD), there is a possible way to redirect code execution due to improper input validation. | 6.7 |
2022-11-17 | CVE-2022-20460 | Google | Out-of-bounds Write vulnerability in Google Android In (TBD) mprot_unmap? of (TBD), there is a possible way to corrupt the memory mapping due to improper input validation. | 6.7 |
2022-11-17 | CVE-2022-43192 | Dedecms | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7.101 An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. | 6.7 |
2022-11-15 | CVE-2022-20934 | Cisco | OS Command Injection vulnerability in Cisco Firepower Threat Defense A vulnerability in the CLI of Cisco Firepower Threat Defense (FTD) Software and Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. This vulnerability is due to improper input validation for specific CLI commands. | 6.7 |
2022-11-19 | CVE-2022-31613 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming Guest, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where any local user can cause a null-pointer dereference, which may lead to a kernel panic. | 6.5 |
2022-11-19 | CVE-2022-34665 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming Guest, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service. | 6.5 |
2022-11-18 | CVE-2022-40216 | Wordplus | Unspecified vulnerability in Wordplus Better Messages Auth. | 6.5 |
2022-11-18 | CVE-2022-41655 | Algolplus | Unspecified vulnerability in Algolplus Phone Orders for Woocommerce Auth. | 6.5 |
2022-11-18 | CVE-2022-44641 | Linaro Debian | XML Entity Expansion vulnerability in multiple products In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service. | 6.5 |
2022-11-18 | CVE-2022-24939 | Silabs | Out-of-bounds Write vulnerability in Silabs Gecko Software Development KIT and Zigbee Emberznet A malformed packet containing an invalid destination address causes a stack overflow in the Ember ZNet stack. | 6.5 |
2022-11-17 | CVE-2022-43171 | Lief Project | Out-of-bounds Write vulnerability in Lief-Project Lief 0.12.1 A heap buffer overflow in the LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind function of LIEF v0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted MachO file. | 6.5 |
2022-11-17 | CVE-2022-39389 | Lightning Network Daemon Project Btcd Project | Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. | 6.5 |
2022-11-16 | CVE-2022-44008 | Backclick | Path Traversal vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 6.5 |
2022-11-16 | CVE-2022-39383 | Linuxfoundation | Server-Side Request Forgery (SSRF) vulnerability in Linuxfoundation Kubevela KubeVela is an open source application delivery platform. | 6.5 |
2022-11-15 | CVE-2022-20922 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the Server Message Block Version 2 (SMB2) processor of the Snort detection engine on multiple Cisco products could allow an unauthenticated, remote attacker to bypass the configured policies or cause a denial of service (DoS) condition on an affected device. These vulnerabilities are due to improper management of system resources when the Snort detection engine is processing SMB2 traffic. | 6.5 |
2022-11-15 | CVE-2022-20924 | Cisco | Improper Input Validation vulnerability in Cisco products A vulnerability in the Simple Network Management Protocol (SNMP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation. | 6.5 |
2022-11-15 | CVE-2022-20927 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in the SSL/TLS client of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper memory management when a device initiates SSL/TLS connections. | 6.5 |
2022-11-15 | CVE-2022-45383 | Jenkins | Incorrect Authorization vulnerability in Jenkins Support Core An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. | 6.5 |
2022-11-15 | CVE-2022-45384 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Reverse Proxy Auth Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | 6.5 |
2022-11-15 | CVE-2022-45392 | Jenkins | Insufficiently Protected Credentials vulnerability in Jenkins Ns-Nd Integration Performance Publisher Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system. | 6.5 |
2022-11-15 | CVE-2022-40845 | Tenda | Forced Browsing vulnerability in Tenda W15E Firmware 15.11.0.10(1576) The Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) is affected by a password exposure vulnerability. | 6.5 |
2022-11-14 | CVE-2022-40903 | Aiphone | Unspecified vulnerability in Aiphone products Aiphone GT-DMB-N 3-in-1 Video Entrance Station with NFC Reader 1.0.3 does not mitigate against repeated failed access attempts, which allows an attacker to gain administrative privileges. | 6.5 |
2022-11-14 | CVE-2022-43686 | Concretecms | Allocation of Resources Without Limits or Throttling vulnerability in Concretecms Concrete CMS In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | 6.5 |
2022-11-14 | CVE-2022-39385 | Discourse | Incorrect Authorization vulnerability in Discourse Discourse is an open source discussion platform. | 6.5 |
2022-11-14 | CVE-2022-44389 | Eyoucms | Cross-Site Request Forgery (CSRF) vulnerability in Eyoucms 1.5.9 EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. | 6.5 |
2022-11-14 | CVE-2022-2449 | Resmush IT | Unspecified vulnerability in Resmush.It Image Optimizer The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing attackers to trick logged-in users into performing various actions on their behalf on the site. | 6.5 |
2022-11-14 | CVE-2022-3538 | Webmaster Tools Verification Project | Missing Authorization vulnerability in Webmaster Tools Verification Project Webmaster Tools Verification The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins. | 6.5 |
2022-11-14 | CVE-2022-3632 | Digitialpixies | Unspecified vulnerability in Digitialpixies Oauth Client The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions. | 6.5 |
2022-11-15 | CVE-2022-30774 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA attacks on the parameter buffer used by the PnpSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack). | 6.4 |
2022-11-15 | CVE-2022-31243 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the software SMI handler used by the FvbServicesRuntimeDxe driver could cause SMRAM corruption through a TOCTOU attack. | 6.4 |
2022-11-15 | CVE-2022-32267 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the SmmResourceCheckDxe software SMI handler cause SMRAM corruption (a TOCTOU attack). DMA transactions which are targeted at input buffers used for the software SMI handler used by the SmmResourceCheckDxe driver could cause SMRAM corruption through a TOCTOU attack. | 6.4 |
2022-11-15 | CVE-2022-33906 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the FwBlockServiceSmm software SMI handler could cause SMRAM corruption through a TOCTOU attack. | 6.4 |
2022-11-15 | CVE-2022-33986 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA attacks on the parameter buffer used by the VariableRuntimeDxe software SMI handler could lead to a TOCTOU attack. | 6.4 |
2022-11-14 | CVE-2022-33907 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA transactions which are targeted at input buffers used for the software SMI handler used by the IdeBusDxe driver could cause SMRAM corruption through a TOCTOU attack. | 6.4 |
2022-11-14 | CVE-2022-33982 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA attacks on the parameter buffer used by the Int15ServiceSmm software SMI handler could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. | 6.4 |
2022-11-14 | CVE-2022-30773 | Insyde | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Insyde Kernel DMA attacks on the parameter buffer used by the IhisiSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack). | 6.4 |
2022-11-14 | CVE-2022-32266 | Insyde | Out-of-bounds Write vulnerability in Insyde Kernel DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. | 6.4 |
2022-11-15 | CVE-2022-41918 | Amazon | Unspecified vulnerability in Amazon Opensearch OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. | 6.3 |
2022-11-14 | CVE-2022-43690 | Concretecms | Unspecified vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. | 6.3 |
2022-11-20 | CVE-2022-3516 | Librenms | Cross-site Scripting vulnerability in Librenms Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0. | 6.1 |
2022-11-20 | CVE-2022-3561 | Librenms | Cross-site Scripting vulnerability in Librenms Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0. | 6.1 |
2022-11-18 | CVE-2021-22141 | Elastic | Open Redirect vulnerability in Elastic Kibana An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. | 6.1 |
2022-11-18 | CVE-2021-31739 | Seppmail | Cross-site Scripting vulnerability in Seppmail 11.1.10 The SEPPmail solution is vulnerable to a Cross-Site Scripting vulnerability (XSS), because user input is not correctly encoded in HTML attributes when returned by the server. SEPPmail 11.1.10 allows XSS via a recipient address. | 6.1 |
2022-11-18 | CVE-2022-40698 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master Auth. | 6.1 |
2022-11-18 | CVE-2022-41615 | Agilelogix | Cross-site Scripting vulnerability in Agilelogix Store Locator Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Store Locator plugin <= 1.4.5 on WordPress. | 6.1 |
2022-11-18 | CVE-2022-38075 | Webartesanal | Cross-Site Request Forgery (CSRF) vulnerability in Webartesanal Mantenimiento web Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Mantenimiento web plugin <= 0.13 on WordPress. | 6.1 |
2022-11-17 | CVE-2022-36357 | Webpsilon | Unspecified vulnerability in Webpsilon Ultimate Tables Unauth. | 6.1 |
2022-11-17 | CVE-2022-39181 | Glpi Project | Unspecified vulnerability in Glpi-Project Reports GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting (RXSS). Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. | 6.1 |
2022-11-17 | CVE-2022-41132 | Ezoic | Cross-site Scripting vulnerability in Ezoic Unauthenticated Plugin Settings Change Leading To Stored XSS Vulnerability in Ezoic plugin <= 2.8.8 on WordPress. | 6.1 |
2022-11-17 | CVE-2022-43332 | Wondercms | Cross-site Scripting vulnerability in Wondercms 3.3.4 A cross-site scripting (XSS) vulnerability in Wondercms v3.3.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Site title field of the Configuration Panel. | 6.1 |
2022-11-17 | CVE-2022-43142 | Password Storage Application Project | Cross-site Scripting vulnerability in Password Storage Application Project Password Storage Application 1.0 A cross-site scripting (XSS) vulnerability in the add-fee.php component of Password Storage Application v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter. | 6.1 |
2022-11-17 | CVE-2022-42187 | Hustoj | Cross-site Scripting vulnerability in Hustoj 22.09.22 Hustoj 22.09.22 has a XSS Vulnerability in /admin/problem_judge.php. | 6.1 |
2022-11-16 | CVE-2022-44002 | Backclick | Cross-site Scripting vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 6.1 |
2022-11-16 | CVE-2022-43263 | Guitar PRO | Cross-site Scripting vulnerability in Guitar-Pro Guitar PRO A cross-site scripting (XSS) vulnerability in Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the name of an uploaded file. | 6.1 |
2022-11-15 | CVE-2022-38201 | Esri | Unspecified vulnerability in Esri Arcgis Quickcapture An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS Quick Capture Web Designer versions 10.8.1 to 10.9.1. | 6.1 |
2022-11-15 | CVE-2022-3997 | SCM Project | Unspecified vulnerability in SCM Project SCM A vulnerability, which was classified as critical, has been found in MonikaBrzica scm. | 6.1 |
2022-11-15 | CVE-2022-3895 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice and Common User Interface Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS). | 6.1 |
2022-11-15 | CVE-2022-45402 | Apache | Unspecified vulnerability in Apache Airflow In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. | 6.1 |
2022-11-15 | CVE-2022-42118 | Liferay | Cross-site Scripting vulnerability in Liferay Portal A Cross-site scripting (XSS) vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the `tag` parameter. | 6.1 |
2022-11-15 | CVE-2022-42110 | Liferay | Cross-site Scripting vulnerability in Liferay Portal A Cross-site scripting (XSS) vulnerability in the Announcements module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML. | 6.1 |
2022-11-14 | CVE-2022-43967 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. | 6.1 |
2022-11-14 | CVE-2022-43968 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. | 6.1 |
2022-11-14 | CVE-2022-38167 | Nintex | Cross-site Scripting vulnerability in Nintex Workflow 5.2.2.30 The Nintex Workflow plugin 5.2.2.30 for SharePoint allows XSS. | 6.1 |
2022-11-14 | CVE-2022-43692 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. | 6.1 |
2022-11-14 | CVE-2022-43694 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | 6.1 |
2022-11-14 | CVE-2022-38705 | IBM | Unspecified vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 Standard and Advanced could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. | 6.1 |
2022-11-14 | CVE-2022-3992 | Sanitization Management System Project | Cross-site Scripting vulnerability in Sanitization Management System Project Sanitization Management System A vulnerability classified as problematic was found in SourceCodester Sanitization Management System. | 6.1 |
2022-11-14 | CVE-2021-40272 | OP5 | Cross-site Scripting vulnerability in OP5 Monitor OP5 Monitor 8.3.1, 8.3.2, and OP5 8.3.3 are vulnerable to Cross Site Scripting (XSS). | 6.1 |
2022-11-14 | CVE-2022-3415 | Bluecoral | Cross-site Scripting vulnerability in Bluecoral Chat Bubble The Chat Bubble WordPress plugin before 2.3 does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin views the related contact message. | 6.1 |
2022-11-14 | CVE-2022-3484 | WPB Show Core Project | Unspecified vulnerability in WPB Show Core Project WPB Show Core The WPB Show Core WordPress plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-11-14 | CVE-2022-3578 | Metagauss | Unspecified vulnerability in Metagauss Profilegrid The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | 6.1 |
2022-11-14 | CVE-2022-3988 | Frappe | Cross-site Scripting vulnerability in Frappe A vulnerability was found in Frappe. | 6.1 |
2022-11-15 | CVE-2022-42132 | Liferay | Information Exposure vulnerability in Liferay Digital Experience Platform 7.0/7.1/7.2 The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7.4 GA includes the LDAP credential in the page URL when paginating through the list of users, which allows man-in-the-middle attackers or attackers with access to the request logs to see the LDAP credential. | 5.9 |
2022-11-15 | CVE-2022-20928 | Cisco | Incorrect Authorization vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish a connection as a different user. This vulnerability is due to a flaw in the authorization verifications during the VPN authentication flow. | 5.8 |
2022-11-15 | CVE-2022-20943 | Cisco | Unspecified vulnerability in Cisco products Multiple vulnerabilities in the Server Message Block Version 2 (SMB2) processor of the Snort detection engine on multiple Cisco products could allow an unauthenticated, remote attacker to bypass the configured policies or cause a denial of service (DoS) condition on an affected device. These vulnerabilities are due to improper management of system resources when the Snort detection engine is processing SMB2 traffic. | 5.8 |
2022-11-16 | CVE-2022-39318 | Freerdp Fedoraproject | FreeRDP is a free remote desktop protocol library and clients. | 5.7 |
2022-11-16 | CVE-2022-39316 | Freerdp Fedoraproject | FreeRDP is a free remote desktop protocol library and clients. | 5.7 |
2022-11-16 | CVE-2022-39347 | Freerdp Fedoraproject | FreeRDP is a free remote desktop protocol library and clients. | 5.7 |
2022-11-19 | CVE-2022-31615 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia GPU Display Driver NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service. | 5.5 |
2022-11-18 | CVE-2022-45473 | Drachtio | Unspecified vulnerability in Drachtio Drachtio-Server 0.8.18 In drachtio-server 0.8.18, /var/log/drachtio has mode 0777 and drachtio.log has mode 0666. | 5.5 |
2022-11-17 | CVE-2021-33897 | Synthesiagame | Classic Buffer Overflow vulnerability in Synthesiagame Synthesia A buffer overflow in Synthesia before 10.7.5567, when a non-Latin locale is used, allows user-assisted attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes. | 5.5 |
2022-11-15 | CVE-2022-45386 | Jenkins | XXE vulnerability in Jenkins Violations 0.7.11 Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | 5.5 |
2022-11-15 | CVE-2022-43071 | Xpdfreader | Out-of-bounds Write vulnerability in Xpdfreader Xpdf 4.04 A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. | 5.5 |
2022-11-15 | CVE-2022-25676 | Qualcomm | Out-of-bounds Read vulnerability in Qualcomm products Information disclosure in video due to buffer over-read while parsing avi files in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 5.5 |
2022-11-15 | CVE-2022-25679 | Qualcomm | Unspecified vulnerability in Qualcomm products Denial of service in video due to improper access control in broadcast receivers in Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | 5.5 |
2022-11-14 | CVE-2022-43295 | Xpdfreader | Out-of-bounds Write vulnerability in Xpdfreader Xpdf 4.04 XPDF v4.04 was discovered to contain a stack overflow via the function FileStream::copy() at xpdf/Stream.cc:795. | 5.5 |
2022-11-14 | CVE-2022-0137 | Htmldoc Project | Out-of-bounds Write vulnerability in Htmldoc Project Htmldoc A heap buffer overflow in image_set_mask function of HTMLDOC before 1.9.15 allows an attacker to write outside the buffer boundaries. | 5.5 |
2022-11-14 | CVE-2022-35719 | IBM | Information Exposure Through Log Files vulnerability in IBM MQ Internet Pass-Thru 2.1/9.2 IBM MQ Internet Pass-Thru 2.1, 9.2 LTS and 9.2 CD stores potentially sensitive information in trace files that could be read by a local user. | 5.5 |
2022-11-14 | CVE-2022-37290 | Gnome Fedoraproject | NULL Pointer Dereference vulnerability in multiple products GNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive. | 5.5 |
2022-11-20 | CVE-2022-3562 | Librenms | Cross-site Scripting vulnerability in Librenms Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0. | 5.4 |
2022-11-20 | CVE-2022-4067 | Librenms | Cross-site Scripting vulnerability in Librenms Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.10.0. | 5.4 |
2022-11-20 | CVE-2022-4068 | Librenms | Cross-site Scripting vulnerability in Librenms A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. | 5.4 |
2022-11-19 | CVE-2022-41938 | Flarum | Unspecified vulnerability in Flarum 1.5.0/1.6.0/1.6.1 Flarum is an open source discussion platform. | 5.4 |
2022-11-18 | CVE-2021-37936 | Elastic | Cross-site Scripting vulnerability in Elastic Kibana It was discovered that Kibana was not sanitizing document fields containing HTML snippets. | 5.4 |
2022-11-18 | CVE-2022-40963 | Themeum | Cross-site Scripting vulnerability in Themeum WP Page Builder Multiple Auth. | 5.4 |
2022-11-18 | CVE-2022-41788 | Pencidesign | Cross-site Scripting vulnerability in Pencidesign Soledad Auth. | 5.4 |
2022-11-17 | CVE-2021-36905 | Expresstech | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master Multiple Auth. | 5.4 |
2022-11-17 | CVE-2022-45375 | Cyberchimps | Unspecified vulnerability in Cyberchimps Ifeature Slider 1.2 Auth. | 5.4 |
2022-11-17 | CVE-2022-38390 | IBM | Cross-site Scripting vulnerability in IBM Business Automation Workflow Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. | 5.4 |
2022-11-17 | CVE-2022-36432 | Amasty | Cross-site Scripting vulnerability in Amasty Blog PRO The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. | 5.4 |
2022-11-17 | CVE-2022-39834 | Keyfactor | Cross-site Scripting vulnerability in Keyfactor Primekey Ejbca A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. | 5.4 |
2022-11-17 | CVE-2022-42954 | Keyfactor | Cross-site Scripting vulnerability in Keyfactor Kefactor Ejbca Keyfactor EJBCA before 7.10.0 allows XSS. | 5.4 |
2022-11-17 | CVE-2022-42960 | Equalweb | Cross-site Scripting vulnerability in Equalweb Accessibility Widget EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js. | 5.4 |
2022-11-16 | CVE-2022-44069 | Tribalsystems | Cross-site Scripting vulnerability in Tribalsystems Zenario 9.3.57186 Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module. | 5.4 |
2022-11-16 | CVE-2022-44070 | Tribalsystems | Cross-site Scripting vulnerability in Tribalsystems Zenario 9.3.57186 Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via News articles. | 5.4 |
2022-11-16 | CVE-2022-44071 | Tribalsystems | Cross-site Scripting vulnerability in Tribalsystems Zenario 9.3.57186 Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via profile. | 5.4 |
2022-11-16 | CVE-2022-44073 | Tribalsystems | Cross-site Scripting vulnerability in Tribalsystems Zenario 9.3.57186 Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via svg, Users & Contacts. | 5.4 |
2022-11-16 | CVE-2022-4022 | Benbodhi | Cross-site Scripting vulnerability in Benbodhi SVG Support 2.5.0/2.5.1 The SVG Support plugin for WordPress defaults to insecure settings in version 2.5 and 2.5.1. | 5.4 |
2022-11-15 | CVE-2022-30768 | Zoneminder | Cross-site Scripting vulnerability in Zoneminder 1.36.12 A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. | 5.4 |
2022-11-15 | CVE-2022-40753 | IBM | Cross-site Scripting vulnerability in IBM Infosphere Information Server 11.7 IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. | 5.4 |
2022-11-15 | CVE-2022-45380 | Jenkins | Cross-site Scripting vulnerability in Jenkins Junit Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-11-15 | CVE-2022-45382 | Jenkins | Cross-site Scripting vulnerability in Jenkins Naginator 1.18.1 Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. | 5.4 |
2022-11-15 | CVE-2022-45387 | Jenkins | Cross-site Scripting vulnerability in Jenkins Bart 1.0.3 Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. | 5.4 |
2022-11-15 | CVE-2022-45401 | Jenkins | Cross-site Scripting vulnerability in Jenkins Associated Files 0.2.1 Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 5.4 |
2022-11-15 | CVE-2022-41558 | Tibco | Cross-site Scripting vulnerability in Tibco products The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. | 5.4 |
2022-11-15 | CVE-2022-3958 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice Cross-site Scripting (XSS) vulnerability in BlueSpiceUserSidebar extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. | 5.4 |
2022-11-15 | CVE-2022-41789 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows logged in user with edit permissions to inject arbitrary HTML into the default page header of a wikipage. | 5.4 |
2022-11-15 | CVE-2022-41814 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice Cross-site Scripting (XSS) vulnerability in BlueSpiceFoundation extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the history view of a wikipage. | 5.4 |
2022-11-15 | CVE-2022-42000 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage. | 5.4 |
2022-11-15 | CVE-2022-42001 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice Cross-site Scripting (XSS) vulnerability in BlueSpiceBookshelf extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the book navigation. | 5.4 |
2022-11-15 | CVE-2022-40844 | Tenda | Cross-site Scripting vulnerability in Tenda W15E Firmware 15.11.0.10(1576) In Tenda (Shenzhen Tenda Technology Co., Ltd) AC1200 Router model W15Ev2 V15.11.0.10(1576), a Stored Cross Site Scripting (XSS) issue exists allowing an attacker to execute JavaScript code via the applications website filtering tab, specifically the URL body. | 5.4 |
2022-11-15 | CVE-2022-42111 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal A Cross-site scripting (XSS) vulnerability in the Sharing module's user notification in Liferay Portal 7.2.1 through 7.4.2, and Liferay DXP 7.2 before fix pack 19, and 7.3 before update 4 allows remote attackers to inject arbitrary web script or HTML by sharing an asset with a crafted payload. | 5.4 |
2022-11-15 | CVE-2022-42119 | Liferay | Cross-site Scripting vulnerability in Liferay DXP and Liferay Portal Certain Liferay products are vulnerable to Cross Site Scripting (XSS) via the Commerce module. | 5.4 |
2022-11-14 | CVE-2022-43687 | Concretecms | Session Fixation vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. | 5.4 |
2022-11-14 | CVE-2022-41913 | Discourse | Unspecified vulnerability in Discourse Calendar 0.2 Discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. | 5.4 |
2022-11-14 | CVE-2022-34317 | IBM | Cross-site Scripting vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 is vulnerable to cross-site scripting. | 5.4 |
2022-11-14 | CVE-2022-44390 | Eyoucms | Cross-site Scripting vulnerability in Eyoucms 1.5.9 A cross-site scripting (XSS) vulnerability in EyouCMS V1.5.9-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Public Security Record Number text field. | 5.4 |
2022-11-14 | CVE-2022-34315 | IBM | Cross-site Scripting vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 is vulnerable to cross-site scripting. | 5.4 |
2022-11-14 | CVE-2022-43342 | Eramba | Cross-site Scripting vulnerability in Eramba C2.8.1 A stored cross-site scripting (XSS) vulnerability in the Add function of Eramba GRC Software c2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the KPI Title text field. | 5.4 |
2022-11-18 | CVE-2022-41135 | Wpchill | Unspecified vulnerability in Wpchill Customizable Wordpress Gallery Plugin - Modula Image Gallery Unauth. | 5.3 |
2022-11-18 | CVE-2022-41618 | Davidlingren | Information Exposure Through Log Files vulnerability in Davidlingren Media Library Assistant Unauthenticated Error Log Disclosure vulnerability in Media Library Assistant plugin <= 3.00 on WordPress. | 5.3 |
2022-11-18 | CVE-2022-41839 | Wpbrigade | Unspecified vulnerability in Wpbrigade Loginpress Broken Access Control vulnerability in WordPress LoginPress plugin <= 1.6.2 on WordPress leading to unauth. | 5.3 |
2022-11-17 | CVE-2022-39178 | Webvendome Project | Path Traversal vulnerability in Webvendome Project Webvendome 1.0 Webvendome - webvendome Internal Server IP Disclosure. Send GET Request to the request which is shown in the picture. Internal Server IP and Full path disclosure. | 5.3 |
2022-11-17 | CVE-2022-3090 | Redlion | Unspecified vulnerability in Redlion Crimson Red Lion Controls Crimson 3.0 versions 707.000 and prior, Crimson 3.1 versions 3126.001 and prior, and Crimson 3.2 versions 3.2.0044.0 and prior are vulnerable to path traversal. | 5.3 |
2022-11-17 | CVE-2022-42892 | Siemens | Path Traversal vulnerability in Siemens Syngo Dynamics Cardiovascular Imaging and Information System A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). | 5.3 |
2022-11-16 | CVE-2022-44005 | Backclick | Authorization Bypass Through User-Controlled Key vulnerability in Backclick 5.9.63 An issue was discovered in BACKCLICK Professional 5.9.63. | 5.3 |
2022-11-15 | CVE-2021-4240 | Phpservermonitor | Use of Insufficiently Random Values vulnerability in PHPservermonitor PHP Server Monitor A vulnerability, which was classified as problematic, was found in phpservermon. | 5.3 |
2022-11-15 | CVE-2021-4241 | Phpservermonitor | Use of Insufficiently Random Values vulnerability in PHPservermonitor PHP Server Monitor A vulnerability, which was classified as problematic, was found in phpservermon. | 5.3 |
2022-11-15 | CVE-2022-20940 | Cisco | Information Exposure Through Discrepancy vulnerability in Cisco Firepower Threat Defense A vulnerability in the TLS handler of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain access to sensitive information. This vulnerability is due to improper implementation of countermeasures against a Bleichenbacher attack on a device that uses SSL decryption policies. | 5.3 |
2022-11-15 | CVE-2022-20941 | Cisco | Missing Authorization vulnerability in Cisco Secure Firewall Management Center A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. | 5.3 |
2022-11-15 | CVE-2022-20950 | Cisco | Improper Check for Unusual or Exceptional Conditions vulnerability in Cisco Firepower Threat Defense 7.2.0/7.2.0.1 A vulnerability in the interaction of SIP and Snort 3 for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the Snort 3 detection engine to restart. This vulnerability is due to a lack of error-checking when SIP bidirectional flows are being inspected by Snort 3. | 5.3 |
2022-11-15 | CVE-2022-45389 | Jenkins | Missing Authorization vulnerability in Jenkins Xp-Dev 1.0 A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. | 5.3 |
2022-11-15 | CVE-2022-42127 | Liferay | Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal The Friendly Url module in Liferay Portal 7.4.3.5 through 7.4.3.36, and Liferay DXP 7.4 update 1 through 36 does not properly check user permissions, which allows remote attackers to obtain the history of all friendly URLs that were assigned to a page. | 5.3 |
2022-11-15 | CVE-2022-42128 | Liferay | Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCode API. | 5.3 |
2022-11-14 | CVE-2022-43689 | Concretecms | XXE vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | 5.3 |
2022-11-14 | CVE-2022-43691 | Concretecms | Cleartext Transmission of Sensitive Information vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently discloses server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. | 5.3 |
2022-11-14 | CVE-2022-34316 | IBM | Improper Encoding or Escaping of Output vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers. | 5.3 |
2022-11-14 | CVE-2022-34329 | IBM | Unspecified vulnerability in IBM Cics TX 11.7 IBM CICS TX 11.7 could allow an attacker to obtain sensitive information from HTTP response headers. | 5.3 |
2022-11-14 | CVE-2021-38828 | Xiongmaitech | Cleartext Transmission of Sensitive Information vulnerability in Xiongmaitech Xm-Jpr2-Lx Firmware 4.02.R12.A6420987.10002.147502.00000 Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000 is vulnerable to plain-text traffic sniffing. | 5.3 |
2022-11-18 | CVE-2022-44634 | Villatheme | Unspecified vulnerability in Villatheme S2W - Import Shopify to Woocommerce Auth. | 4.9 |
2022-11-17 | CVE-2022-40751 | IBM | Insufficiently Protected Credentials vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 6.2.7.0 through 6.2.7.17, 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7.2.0.0 through 7.2.3.1 could allow a user with administrative privileges, including "Manage Security" permissions, to recover a credential previously saved for performing authenticated LDAP searches. IBM X-Force ID: 236601. | 4.9 |
2022-11-15 | CVE-2022-20949 | Cisco | Unspecified vulnerability in Cisco Firepower Threat Defense A vulnerability in the management web server of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker with high privileges to execute configuration commands on an affected system. This vulnerability exists because access to HTTPS endpoints is not properly restricted on an affected device. | 4.9 |
2022-11-15 | CVE-2022-40843 | Tenda | Unspecified vulnerability in Tenda W15E Firmware 15.11.0.10(1576) The Tenda AC1200 V-W15Ev2 V15.11.0.10(1576) router is vulnerable to improper authorization / improper session management that allows the router login page to be bypassed. | 4.9 |
2022-11-20 | CVE-2022-4069 | Librenms | Cross-site Scripting vulnerability in Librenms Cross-site Scripting (XSS) - Generic in GitHub repository librenms/librenms prior to 22.10.0. | 4.8 |
2022-11-18 | CVE-2022-41643 | Accessibility Project | Cross-site Scripting vulnerability in Accessibility Project Accessibility 1.0/1.0.1 Auth. | 4.8 |
2022-11-18 | CVE-2022-45082 | Oxilab | Cross-site Scripting vulnerability in Oxilab Accordions Multiple Auth. | 4.8 |
2022-11-18 | CVE-2022-43463 | Yikesinc | Cross-site Scripting vulnerability in Yikesinc Custom Product Tabs for Woocommerce Auth. | 4.8 |
2022-11-17 | CVE-2022-40694 | Storeapps | Cross-site Scripting vulnerability in Storeapps News Announcement Scroll Auth. | 4.8 |
2022-11-17 | CVE-2022-41315 | Ezoic | Cross-site Scripting vulnerability in Ezoic Auth. | 4.8 |
2022-11-17 | CVE-2022-44591 | Anthologize Project | Cross-site Scripting vulnerability in Anthologize Project Anthologize Auth. | 4.8 |
2022-11-17 | CVE-2022-44736 | Chameleon Project | Cross-site Scripting vulnerability in Chameleon Project Chameleon Auth. | 4.8 |
2022-11-17 | CVE-2022-4053 | Student Attendance Management System Project | Cross-site Scripting vulnerability in Student Attendance Management System Project Student Attendance Management System A vulnerability was found in Student Attendance Management System. | 4.8 |
2022-11-17 | CVE-2022-42985 | Scratch Wiki | Cross-site Scripting vulnerability in Scratch-Wiki Scratch Login The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform cross-site scripting (XSS). | 4.8 |
2022-11-15 | CVE-2022-20831 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20832 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20833 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20834 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20835 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20836 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20838 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20839 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20840 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20843 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20872 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20905 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20932 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20935 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-20936 | Cisco | Cross-site Scripting vulnerability in Cisco Secure Firewall Management Center Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface. | 4.8 |
2022-11-15 | CVE-2022-3893 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application. | 4.8 |
2022-11-15 | CVE-2022-41611 | Hallowelt | Cross-site Scripting vulnerability in Hallowelt Bluespice Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows user with admin privileges to inject arbitrary HTML into the main navigation of the application. | 4.8 |
2022-11-15 | CVE-2022-40846 | Tenda | Cross-site Scripting vulnerability in Tenda W15E Firmware 15.11.0.10(1576) In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), a Stored Cross Site Scripting (XSS) vulnerability exists allowing an attacker to execute JavaScript code via the applications stored hostname. | 4.8 |
2022-11-15 | CVE-2022-42131 | Liferay | Improper Certificate Validation vulnerability in Liferay Digital Experience Platform and Liferay Portal Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. | 4.8 |
2022-11-14 | CVE-2022-43688 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. | 4.8 |
2022-11-14 | CVE-2022-43695 | Concretecms | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. | 4.8 |
2022-11-14 | CVE-2022-3469 | Marcomilesi | Unspecified vulnerability in Marcomilesi WP Attachments The WP Attachments WordPress plugin before 5.0.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). | 4.8 |
2022-11-14 | CVE-2022-3539 | Themepoints | Unspecified vulnerability in Themepoints Testimonials and Testimonials PRO The Testimonials WordPress plugin before 2.7 and the super-testimonial-pro WordPress plugin before 1.0.8 do not sanitize and escape their settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-11-14 | CVE-2022-3631 | Digitialpixies | Cross-site Scripting vulnerability in Digitialpixies Oauth Client The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). | 4.8 |
2022-11-18 | CVE-2022-43673 | Wire | Information Exposure Through Log Files vulnerability in Wire Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database. | 4.7 |
2022-11-18 | CVE-2022-45163 | NXP | Information Exposure Through Discrepancy vulnerability in NXP products An information-disclosure vulnerability exists on select NXP devices when configured in Serial Download Protocol (SDP) mode: i.MX RT 1010, i.MX RT 1015, i.MX RT 1020, i.MX RT 1050, i.MX RT 1060, i.MX 6 Family, i.MX 7Dual/Solo, i.MX 7ULP, i.MX 8M Quad, i.MX 8M Mini, and Vybrid. | 4.6 |
2022-11-16 | CVE-2022-39317 | Freerdp Fedoraproject | FreeRDP is a free remote desktop protocol library and clients. | 4.6 |
2022-11-16 | CVE-2022-39319 | Freerdp Fedoraproject | FreeRDP is a free remote desktop protocol library and clients. | 4.6 |
2022-11-16 | CVE-2022-39320 | Freerdp Fedoraproject | FreeRDP is a free remote desktop protocol library and clients. | 4.6 |
2022-11-16 | CVE-2022-41877 | Freerdp Fedoraproject | Improper Validation of Specified Quantity in Input vulnerability in multiple products FreeRDP is a free remote desktop protocol library and clients. | 4.6 |
2022-11-15 | CVE-2022-30769 | Zoneminder | Session Fixation vulnerability in Zoneminder Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | 4.6 |
2022-11-14 | CVE-2022-3903 | Linux | Unspecified vulnerability in Linux Kernel 6.1 An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. | 4.6 |
2022-11-19 | CVE-2022-34667 | Nvidia | Out-of-bounds Write vulnerability in Nvidia Cuda Toolkit NVIDIA CUDA Toolkit SDK contains a stack-based buffer overflow vulnerability in cuobjdump, where an unprivileged remote attacker could exploit this buffer overflow condition by persuading a local user to download a specially crafted corrupted file and execute cuobjdump against it locally, which may lead to a limited denial of service and some loss of data integrity for the local user. | 4.4 |
2022-11-18 | CVE-2022-45369 | Richplugins | Unspecified vulnerability in Richplugins Plugin for Google Reviews Auth. | 4.3 |
2022-11-18 | CVE-2022-38974 | Wpml | Unspecified vulnerability in Wpml Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with subscriber or higher user roles to change the status of the translation jobs. | 4.3 |
2022-11-18 | CVE-2022-41805 | Booster | Cross-Site Request Forgery (CSRF) vulnerability in Booster for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in Booster for WooCommerce plugin <= 5.6.6 on WordPress. | 4.3 |
2022-11-17 | CVE-2021-31608 | Proofpoint | Unspecified vulnerability in Proofpoint Enterprise Protection Proofpoint Enterprise Protection before 18.8.0 allows a Bypass of a Security Control. | 4.3 |
2022-11-17 | CVE-2022-38461 | Wpml | Unspecified vulnerability in Wpml Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content). | 4.3 |
2022-11-17 | CVE-2022-45072 | Wpml | Cross-Site Request Forgery (CSRF) vulnerability in Wpml Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. | 4.3 |
2022-11-16 | CVE-2022-4021 | Permalink Manager Lite Project | Cross-Site Request Forgery (CSRF) vulnerability in Permalink Manager Lite Project Permalink Manager Lite The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. | 4.3 |
2022-11-16 | CVE-2022-4018 | Ikus Soft | Missing Authentication for Critical Function vulnerability in Ikus-Soft Rdiffweb Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6. | 4.3 |
2022-11-16 | CVE-2022-4014 | Feehi | Cross-Site Request Forgery (CSRF) vulnerability in Feehi Feehicms A vulnerability, which was classified as problematic, has been found in FeehiCMS. | 4.3 |
2022-11-16 | CVE-2022-41917 | Amazon | Improper Handling of Exceptional Conditions vulnerability in Amazon Opensearch OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. | 4.3 |
2022-11-15 | CVE-2022-20938 | Cisco | XXE vulnerability in Cisco Secure Firewall Management Center A vulnerability in the module import function of the administrative interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to view sensitive information. This vulnerability is due to insufficient validation of the XML syntax when importing a module. | 4.3 |
2022-11-15 | CVE-2022-45390 | Jenkins | Missing Authorization vulnerability in Jenkins Loader.Io 1.0.1 A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 4.3 |
2022-11-15 | CVE-2022-45394 | Jenkins | Missing Authorization vulnerability in Jenkins Delete LOG 1.0 A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. | 4.3 |
2022-11-15 | CVE-2022-45398 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Cluster Statistics 0.4.6 A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. | 4.3 |
2022-11-15 | CVE-2022-45399 | Jenkins | Missing Authorization vulnerability in Jenkins Cluster Statistics 0.4.6 A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. | 4.3 |
2022-11-15 | CVE-2022-40309 | Apache | Unspecified vulnerability in Apache Archiva Users with write permissions to a repository can delete arbitrary directories. | 4.3 |
2022-11-15 | CVE-2022-42129 | Liferay | Authorization Bypass Through User-Controlled Key vulnerability in Liferay Digital Experience Platform and Liferay Portal An insecure direct object reference (IDOR) vulnerability in the Dynamic Data Mapping module in Liferay Portal 7.3.2 through 7.4.3.4, and Liferay DXP 7.3 before update 4, and 7.4 GA allows remote authenticated users to view and access form entries via the `formInstanceRecordId` parameter. | 4.3 |
2022-11-15 | CVE-2022-42130 | Liferay | Incorrect Default Permissions vulnerability in Liferay Digital Experience Platform and Liferay Portal The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access all form entries. | 4.3 |
2022-11-15 | CVE-2022-42126 | Liferay | Unspecified vulnerability in Liferay Digital Experience Platform and Liferay Portal The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI. | 4.3 |
2022-11-14 | CVE-2022-2450 | Resmush IT | Unspecified vulnerability in Resmush.It Image Optimizer The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in user, such as a subscriber, to call them. | 4.3 |
10 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-11-19 | CVE-2022-4064 | Dalli Project | Injection vulnerability in Dalli Project Dalli A vulnerability was found in Dalli. | 3.7 |
2022-11-16 | CVE-2022-41914 | Zulip | Information Exposure Through Discrepancy vulnerability in Zulip Server Zulip is an open-source team collaboration tool. | 3.7 |
2022-11-15 | CVE-2022-45393 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Delete LOG 1.0 A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. | 3.5 |
2022-11-17 | CVE-2022-42903 | Zohocorp | Missing Authorization vulnerability in Zohocorp Manageengine Supportcenter Plus 11.0 Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list. | 3.3 |
2022-11-16 | CVE-2022-34354 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Partner Engagement Manager 6.1.2/6.2.0/6.2.1 IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage of client data to be stored locally which can be read by another user on the system. | 3.3 |
2022-11-14 | CVE-2022-28764 | Zoom | Incomplete Cleanup vulnerability in Zoom Meetings, Rooms and VDI Windows Meeting Clients The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.6 is susceptible to a local information exposure vulnerability. | 3.3 |
2022-11-14 | CVE-2022-34314 | IBM | Incorrect Permission Assignment for Critical Resource vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 could disclose sensitive information to a local user due to insecure permission settings. | 3.3 |
2022-11-14 | CVE-2022-34312 | IBM | Insecure Storage of Sensitive Information vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 allows web pages to be stored locally which can be read by another user on the system. | 3.3 |
2022-11-18 | CVE-2022-40130 | WP Polls Project | Race Condition vulnerability in Wp-Polls Project Wp-Polls Auth. | 3.1 |
2022-11-14 | CVE-2022-34313 | IBM | Unspecified vulnerability in IBM Cics TX 11.1 IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. | 3.1 |