Weekly Vulnerabilities Reports > November 28 to December 4, 2022

Overview

354 new vulnerabilities reported during this period, including 56 critical vulnerabilities and 133 high severity vulnerabilities. This weekly summary report vulnerabilities in 518 products from 161 vendors including Google, Tendacn, Tenda, Kibokolabs, and Webtareas Project. Vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Classic Buffer Overflow", "Cross-Site Request Forgery (CSRF)", and "Use After Free".

  • 317 reported vulnerabilities are remotely exploitables.
  • 128 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 214 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 23 reported vulnerabilities.
  • Tenda has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

56 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-04 CVE-2022-35508 Proxmox Server-Side Request Forgery (SSRF) vulnerability in Proxmox products

Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon.

9.8
2022-12-04 CVE-2022-46414 Veritas Unspecified vulnerability in Veritas Access Appliance and Netbackup Flex Scale Appliance

An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100.

9.8
2022-12-03 CVE-2022-4277 Xsjczx SQL Injection vulnerability in Xsjczx Background Management System

A vulnerability was found in Shaoxing Background Management System.

9.8
2022-12-03 CVE-2022-4274 House Rental System Project SQL Injection vulnerability in House Rental System Project House Rental System

A vulnerability, which was classified as critical, was found in House Rental System.

9.8
2022-12-03 CVE-2022-4275 House Rental System Project SQL Injection vulnerability in House Rental System Project House Rental System

A vulnerability has been found in House Rental System and classified as critical.

9.8
2022-12-03 CVE-2022-4276 House Rental System Project Unrestricted Upload of File with Dangerous Type vulnerability in House Rental System Project House Rental System

A vulnerability was found in House Rental System and classified as critical.

9.8
2022-12-03 CVE-2022-4272 Warehouse Management System Project Incorrect Privilege Assignment vulnerability in Warehouse Management System Project Warehouse Management System

A vulnerability, which was classified as critical, has been found in FeMiner wms.

9.8
2022-12-03 CVE-2022-4273 Oretnom23 Unrestricted Upload of File with Dangerous Type vulnerability in Oretnom23 Human Resource Management System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Human Resource Management System 1.0.

9.8
2022-12-02 CVE-2022-2641 Hornerautomation Use of Hard-coded Cryptographic Key vulnerability in Hornerautomation Rcc972 Firmware 15.40

Horner Automation’s RCC 972 with firmware version 15.40 has a static encryption key on the device.

9.8
2022-12-02 CVE-2022-44290 Webtareas Project SQL Injection vulnerability in Webtareas Project Webtareas 2.4

webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php.

9.8
2022-12-02 CVE-2022-44291 Webtareas Project SQL Injection vulnerability in Webtareas Project Webtareas 2.4

webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php.

9.8
2022-12-02 CVE-2022-44945 Rukovoditel SQL Injection vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter.

9.8
2022-12-02 CVE-2022-3520 VIM Heap-based Buffer Overflow vulnerability in VIM

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.

9.8
2022-12-02 CVE-2022-46145 Goauthentik Missing Authentication for Critical Function vulnerability in Goauthentik Authentik

authentik is an open-source identity provider.

9.8
2022-12-02 CVE-2022-44362 Tenda Out-of-bounds Write vulnerability in Tenda I21 Firmware 1.0.0.14(4656)

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/AddSysLogRule.

9.8
2022-12-02 CVE-2022-44363 Tenda Out-of-bounds Write vulnerability in Tenda I21 Firmware 1.0.0.14(4656)

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setSnmpInfo.

9.8
2022-12-02 CVE-2022-44365 Tenda Out-of-bounds Write vulnerability in Tenda I21 Firmware 1.0.0.14(4656)

Tenda i21 V1.0.0.14(4656) has a stack overflow vulnerability via /goform/setSysPwd.

9.8
2022-12-02 CVE-2022-44366 Tenda Out-of-bounds Write vulnerability in Tenda I21 Firmware 1.0.0.14(4656)

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setDiagnoseInfo.

9.8
2022-12-02 CVE-2022-44367 Tenda Out-of-bounds Write vulnerability in Tenda I21 Firmware 1.0.0.14(4656)

Tenda i21 V1.0.0.14(4656) is vulnerable to Buffer Overflow via /goform/setUplinkInfo.

9.8
2022-12-02 CVE-2022-45482 Lazy Mouse Project Weak Password Requirements vulnerability in Lazy Mouse Project Lazy Mouse

Lazy Mouse server enforces weak password requirements and doesn't implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.

9.8
2022-12-02 CVE-2022-46366 Apache Deserialization of Untrusted Data vulnerability in Apache Tapestry

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution.

9.8
2022-12-02 CVE-2022-2807 Algan SQL Injection vulnerability in Algan Prens Student Information System

Algan Yazılım Prens Student Information System product has an unauthenticated SQL Injection vulnerability.

9.8
2022-12-02 CVE-2022-44929 D Link Unspecified vulnerability in D-Link Dvg-G5402Sp Firmware Ge1.03

An access control issue in D-Link DVG-G5402SP GE_1.03 allows unauthenticated attackers to escalate privileges via arbitrarily editing VoIP SIB profiles.

9.8
2022-12-02 CVE-2022-44930 Dlink OS Command Injection vulnerability in Dlink Dhp-W310Av Firmware 3.10Eu

D-Link DHP-W310AV 3.10EU was discovered to contain a command injection vulnerability via the System Checks function.

9.8
2022-12-02 CVE-2022-43325 Telosalliance OS Command Injection vulnerability in Telosalliance Omnia MPX Node Firmware 1.3.35/1.3.37

An unauthenticated command injection vulnerability in the product license validation function of Telos Alliance Omnia MPX Node 1.3.* - 1.4.* allows attackers to execute arbitrary commands via a crafted payload injected into the license input.

9.8
2022-12-02 CVE-2022-44928 D Link OS Command Injection vulnerability in D-Link Dvg-G5402Sp Firmware Ge1.03

D-Link DVG-G5402SP GE_1.03 was discovered to contain a command injection vulnerability via the Maintenance function.

9.8
2022-12-01 CVE-2022-43333 Teleniasoftware Unspecified vulnerability in Teleniasoftware Tvox

Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.

9.8
2022-12-01 CVE-2022-4257 Cdatatec OS Command Injection vulnerability in Cdatatec C-Data web Management System

A vulnerability was found in C-DATA Web Management System.

9.8
2022-12-01 CVE-2022-37016 Broadcom Unspecified vulnerability in Broadcom Symantec Endpoint Protection

Symantec Endpoint Protection (Windows) agent may be susceptible to a Privilege Escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

9.8
2022-12-01 CVE-2022-30528 Isic LK Project SQL Injection vulnerability in Isic.Lk Project Isic.Lk

SQL Injection vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to execute arbitrary commands via the username parameter to /system/user/modules/mod_users/controller.php.

9.8
2022-12-01 CVE-2022-1471 Snakeyaml Project Deserialization of Untrusted Data vulnerability in Snakeyaml Project Snakeyaml

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution.

9.8
2022-12-01 CVE-2022-3270 Festo Unspecified vulnerability in Festo products

In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.

9.8
2022-12-01 CVE-2022-4221 Asus OS Command Injection vulnerability in Asus Nas-M25 Firmware

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.

9.8
2022-12-01 CVE-2022-4247 Movie Ticket Booking System Project Improper Enforcement of Message or Data Structure vulnerability in Movie Ticket Booking System Project Movie Ticket Booking System

A vulnerability classified as critical was found in Movie Ticket Booking System.

9.8
2022-12-01 CVE-2022-4248 Movie Ticket Booking System Project Improper Enforcement of Message or Data Structure vulnerability in Movie Ticket Booking System Project Movie Ticket Booking System

A vulnerability, which was classified as critical, has been found in Movie Ticket Booking System.

9.8
2022-12-01 CVE-2022-36431 Rocketsoftware Unrestricted Upload of File with Dangerous Type vulnerability in Rocketsoftware Trufusion

An arbitrary file upload vulnerability in Rocket TRUfusion Enterprise before 7.9.6.1 allows unauthenticated attackers to execute arbitrary code via a crafted JSP file.

9.8
2022-12-01 CVE-2022-44262 Ff4J Unspecified vulnerability in Ff4J 1.8.1

ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE).

9.8
2022-11-30 CVE-2022-46162 Discourse Cross-site Scripting vulnerability in Discourse Bbcode

discourse-bbcode is the official BBCode plugin for Discourse.

9.8
2022-11-30 CVE-2022-44151 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Simple Inventory Management System v1.0 is vulnerable to SQL Injection via /ims/login.php.

9.8
2022-11-30 CVE-2022-44136 Tribalsystems Unspecified vulnerability in Tribalsystems Zenario 9.3.57186

Zenario CMS 9.3.57186 is vulnerable to Remote Code Excution (RCE).

9.8
2022-11-30 CVE-2022-4229 Book Store Management System Project Missing Authentication for Critical Function vulnerability in Book Store Management System Project Book Store Management System 1.0

A vulnerability classified as critical was found in SourceCodester Book Store Management System 1.0.

9.8
2022-11-30 CVE-2022-4232 Rinvizle Unrestricted Upload of File with Dangerous Type vulnerability in Rinvizle Event Registration System 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Event Registration System 1.0.

9.8
2022-11-30 CVE-2022-4222 Canteen Management System Project SQL Injection vulnerability in Canteen Management System Project Canteen Management System 1.0

A vulnerability was found in SourceCodester Canteen Management System.

9.8
2022-11-30 CVE-2022-44096 Sanitization Management System Project Use of Hard-coded Credentials vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel.

9.8
2022-11-30 CVE-2022-44097 Book Store Management System Project Use of Hard-coded Credentials vulnerability in Book Store Management System Project Book Store Management System 1.0

Book Store Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel.

9.8
2022-11-29 CVE-2022-3751 Owncast Project SQL Injection vulnerability in Owncast Project Owncast

SQL Injection in GitHub repository owncast/owncast prior to 0.0.13.

9.8
2022-11-29 CVE-2022-44354 Contec Unrestricted Upload of File with Dangerous Type vulnerability in Contec Solarview Compact Firmware 4.0/5.0

SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.

9.8
2022-11-29 CVE-2022-42109 Online Shopping System Advanced Project SQL Injection vulnerability in Online-Shopping-System-Advanced Project Online-Shopping-System-Advanced 1.0

Online-shopping-system-advanced 1.0 was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php.

9.8
2022-11-29 CVE-2022-44038 Russound Unspecified vulnerability in Russound Xsourceplayer 777D Firmware 06.08.03

Russound XSourcePlayer 777D v06.08.03 was discovered to contain a remote code execution vulnerability via the scriptRunner.cgi component.

9.8
2022-11-28 CVE-2022-44399 Poultry Farm Management System Project SQL Injection vulnerability in Poultry Farm Management System Project Poultry Farm Management System 1.0

Poultry Farm Management System v1.0 contains a SQL injection vulnerability via the del parameter at /Redcock-Farm/farm/category.php.

9.8
2022-11-28 CVE-2022-41912 Saml Project Improper Authentication vulnerability in Saml Project Saml

The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.

9.8
2022-11-28 CVE-2022-44283 Avs4You Classic Buffer Overflow vulnerability in Avs4You AVS Audio Converter 10.3

AVS Audio Converter 10.3 is vulnerable to Buffer Overflow.

9.8
2022-11-28 CVE-2022-44400 Purchase Order Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Purchase Order Management System Project Purchase Order Management System 1.0

Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info.

9.8
2022-11-28 CVE-2022-44401 Online Tours Travels Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Tours & Travels Management System Project Online Tours & Travels Management System 1.0

Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.

9.8
2022-11-28 CVE-2022-3603 Piwebsolution Unspecified vulnerability in Piwebsolution Export Customers List CSV for Woocommerce

The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection.

9.8
2022-11-28 CVE-2022-36193 School Management System Project SQL Injection vulnerability in School Management System Project School Management System 1.0

SQL injection in School Management System 1.0 allows remote attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.

9.8

133 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-04 CVE-2022-46410 Veritas Unspecified vulnerability in Veritas Netbackup Flex Scale Appliance 2.1/3.0

An issue was discovered in Veritas NetBackup Flex Scale through 3.0.

8.8
2022-12-04 CVE-2022-46411 Veritas Improper Authentication vulnerability in Veritas Access Appliance and Netbackup Flex Scale Appliance

An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100.

8.8
2022-12-04 CVE-2022-46412 Veritas Unspecified vulnerability in Veritas Netbackup Flex Scale Appliance 2.1/3.0

An issue was discovered in Veritas NetBackup Flex Scale through 3.0.

8.8
2022-12-04 CVE-2022-46413 Veritas Unspecified vulnerability in Veritas Access Appliance and Netbackup Flex Scale Appliance

An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100.

8.8
2022-12-02 CVE-2022-4262 Google Type Confusion vulnerability in Google Chrome

Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-12-02 CVE-2022-46167 Clastix Incorrect Authorization vulnerability in Clastix Capsule

Capsule is a multi-tenancy and policy-based framework for Kubernetes.

8.8
2022-12-02 CVE-2022-2808 Algan Authorization Bypass Through User-Controlled Key vulnerability in Algan Prens Student Information System

Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows Object Relational Mapping Injection.This issue affects Prens Student Information System: before 2.1.11.

8.8
2022-12-02 CVE-2022-45562 Telosalliance Incorrect Default Permissions vulnerability in Telosalliance Omnia MPX Node Firmware 1.0.0/1.4.9

Insecure permissions in Telos Alliance Omnia MPX Node v1.0.0 to v1.4.9 allow attackers to manipulate and access system settings with backdoor account low privilege, this can lead to change hardware settings and execute arbitrary commands in vulnerable system functions that is requires high privilege to access.

8.8
2022-12-01 CVE-2022-35120 Ixpdata Cleartext Storage of Sensitive Information vulnerability in Ixpdata Easyinstall 6.6.14725

IXPdata EasyInstall 6.6.14725 contains an access control issue.

8.8
2022-12-01 CVE-2022-3713 Sophos Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA.

8.8
2022-12-01 CVE-2022-40489 Thinkcmf Cross-Site Request Forgery (CSRF) vulnerability in Thinkcmf 6.0.7

ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.

8.8
2022-12-01 CVE-2022-45045 Xiongmaitech OS Command Injection vulnerability in Xiongmaitech products

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019.

8.8
2022-11-30 CVE-2021-4242 Sapido OS Command Injection vulnerability in Sapido products

A vulnerability was found in Sapido BR270n, BRC76n, GR297 and RB1732 and classified as critical.

8.8
2022-11-30 CVE-2022-24441 Snyk OS Command Injection vulnerability in Snyk Security

The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project.

8.8
2022-11-30 CVE-2022-26366 Adrotate Banner Manager Project Cross-Site Request Forgery (CSRF) vulnerability in Adrotate Banner Manager Project Adrotate Banner Manager 5.9

Cross-Site Request Forgery (CSRF) in AdRotate Banner Manager Plugin <= 5.9 on WordPress.

8.8
2022-11-30 CVE-2022-4174 Google Type Confusion vulnerability in Google Chrome

Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-30 CVE-2022-4175 Google Use After Free vulnerability in Google Chrome

Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-30 CVE-2022-4176 Google Out-of-bounds Write vulnerability in Google Chrome

Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via UI interactions.

8.8
2022-11-30 CVE-2022-4177 Google Use After Free vulnerability in Google Chrome

Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI interaction.

8.8
2022-11-30 CVE-2022-4178 Google Use After Free vulnerability in Google Chrome

Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-30 CVE-2022-4179 Google Use After Free vulnerability in Google Chrome

Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

8.8
2022-11-30 CVE-2022-4180 Google Use After Free vulnerability in Google Chrome

Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

8.8
2022-11-30 CVE-2022-4181 Google Use After Free vulnerability in Google Chrome

Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-30 CVE-2022-4190 Google Unspecified vulnerability in Google Chrome

Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass file system restrictions via a crafted HTML page.

8.8
2022-11-30 CVE-2022-4191 Google Use After Free vulnerability in Google Chrome

Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via profile destruction.

8.8
2022-11-30 CVE-2022-4192 Google Use After Free vulnerability in Google Chrome

Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI interaction.

8.8
2022-11-30 CVE-2022-4193 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass file system restrictions via a crafted HTML page.

8.8
2022-11-30 CVE-2022-4194 Google Use After Free vulnerability in Google Chrome

Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2022-11-29 CVE-2022-36960 Solarwinds Improper Input Validation vulnerability in Solarwinds Orion Platform

SolarWinds Platform was susceptible to Improper Input Validation.

8.8
2022-11-29 CVE-2022-36964 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Orion Platform

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data.

8.8
2022-11-29 CVE-2022-46152 OP TEE Improper Validation of Array Index vulnerability in Op-Tee OS

OP-TEE Trusted OS is the secure side implementation of OP-TEE project, a Trusted Execution Environment.

8.8
2022-11-29 CVE-2022-44635 Apache Path Traversal vulnerability in Apache Fineract

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code.

8.8
2022-11-29 CVE-2022-46146 Prometheus Incorrect Implementation of Authentication Algorithm vulnerability in Prometheus Exporter Toolkit

Prometheus Exporter Toolkit is a utility package to build exporters.

8.8
2022-11-29 CVE-2022-4202 Gpac Numeric Errors vulnerability in Gpac 2.1Devrev490G68064E101Master

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master.

8.8
2022-11-29 CVE-2022-40799 Dlink Download of Code Without Integrity Check vulnerability in Dlink Dnr-322L Firmware

Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.

8.8
2022-11-29 CVE-2022-44037 Apsystems Unspecified vulnerability in Apsystems Ecu-C Firmware

An access control issue in APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights without authenticating allows him to perform multiple attacks, such as attacking wireless network in the product's range.

8.8
2022-11-28 CVE-2022-45442 Sinatrarb
Debian
Download of Code Without Integrity Check vulnerability in multiple products

Sinatra is a domain-specific language for creating web applications in Ruby.

8.8
2022-11-28 CVE-2022-34654 Freeamigos Cross-Site Request Forgery (CSRF) vulnerability in Freeamigos Manage Notification E-Mails

Cross-Site Request Forgery (CSRF) in Virgial Berveling's Manage Notification E-mails plugin <= 1.8.2 on WordPress.

8.8
2022-11-28 CVE-2022-38140 Squirrly Unrestricted Upload of File with Dangerous Type vulnerability in Squirrly SEO Plugin BY Squirrly SEO

Auth.

8.8
2022-11-28 CVE-2022-31877 MSI Insufficient Verification of Data Authenticity vulnerability in MSI Center 1.0.41.0

An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.

8.8
2022-11-28 CVE-2022-3768 Wpsmartcontracts SQL Injection vulnerability in Wpsmartcontracts

The WPSmartContracts WordPress plugin before 1.3.12 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author

8.8
2022-11-28 CVE-2022-3769 Ujsoftware Unspecified vulnerability in Ujsoftware OWM Weather

The OWM Weather WordPress plugin before 5.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as contributor

8.8
2022-11-28 CVE-2022-3848 WP User Merger Project SQL Injection vulnerability in WP User Merger Project WP User Merger

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin

8.8
2022-11-28 CVE-2022-3849 WP User Merger Project Unspecified vulnerability in WP User Merger Project WP User Merger

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin

8.8
2022-11-28 CVE-2022-3865 WP User Merger Project Unspecified vulnerability in WP User Merger Project WP User Merger

The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin

8.8
2022-11-30 CVE-2022-41412 Perfsonar Server-Side Request Forgery (SSRF) vulnerability in Perfsonar

An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks.

8.6
2022-12-01 CVE-2022-3709 Sophos Cross-site Scripting vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA.

8.4
2022-11-28 CVE-2022-4020 Acer Incorrect Default Permissions vulnerability in Acer products

Vulnerability in the HQSwSmiDxe DXE driver on some consumer Acer Notebook devices may allow an attacker with elevated privileges to modify UEFI Secure Boot settings by modifying an NVRAM variable.

8.2
2022-11-29 CVE-2022-4030 Simple Press Path Traversal vulnerability in Simple-Press Simple:Press

The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion.

8.1
2022-11-29 CVE-2022-41675 Raidenmaild Improper Neutralization of Formula Elements in a CSV File vulnerability in Raidenmaild

A remote attacker with general user privilege can inject malicious code in the form content of Raiden MAILD Mail Server website.

8.0
2022-12-03 CVE-2022-3491 VIM Heap-based Buffer Overflow vulnerability in VIM

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.

7.8
2022-12-02 CVE-2022-23465 Swiftterm Project Unspecified vulnerability in Swiftterm Project Swiftterm

SwiftTerm is a Xterm/VT100 Terminal emulator.

7.8
2022-12-02 CVE-2022-3591 VIM Use After Free vulnerability in VIM

Use After Free in GitHub repository vim/vim prior to 9.0.0789.

7.8
2022-12-01 CVE-2022-42718 NI Incorrect Default Permissions vulnerability in NI Labview Command Line Interface

Incorrect default permissions in the installation folder for NI LabVIEW Command Line Interface (CLI) may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2022-12-01 CVE-2022-29837 Westerndigital Path Traversal vulnerability in Westerndigital products

A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files.

7.8
2022-11-30 CVE-2022-45332 GNU Out-of-bounds Write vulnerability in GNU Libredwg 0.12.4.4643

LibreDWG v0.12.4.4643 was discovered to contain a heap buffer overflow via the function decode_preR13_section_hdr at decode_r11.c.

7.8
2022-11-29 CVE-2022-4034 Dwbooster Improper Neutralization of Formula Elements in a CSV File vulnerability in Dwbooster Appointment Hour Booking

The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72.

7.8
2022-11-29 CVE-2022-21126 Samtools Exposure of Resource to Wrong Sphere vulnerability in Samtools Htsjdk

The package com.github.samtools:htsjdk before 3.0.1 are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the createTempDir() function in util/IOUtil.java not checking for the existence of the temporary directory before attempting to create it.

7.8
2022-11-29 CVE-2022-45343 Gpac Use After Free vulnerability in Gpac

GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.

7.8
2022-11-29 CVE-2022-45202 Gpac Out-of-bounds Write vulnerability in Gpac

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a stack overflow via the function dimC_box_read at isomedia/box_code_3gpp.c.

7.8
2022-11-28 CVE-2022-3088 Moxa Execution with Unnecessary Privileges vulnerability in Moxa products

UC-8100A-ME-T System Image: Versions v1.0 to v1.6, UC-2100 System Image: Versions v1.0 to v1.12, UC-2100-W System Image: Versions v1.0 to v 1.12,&nbsp;UC-3100 System Image: Versions v1.0 to v1.6,&nbsp;UC-5100 System Image: Versions v1.0 to v1.4, UC-8100 System Image: Versions v3.0 to v3.5, UC-8100-ME-T System Image: Versions v3.0 and v3.1, UC-8200 System Image: v1.0 to v1.5, AIG-300 System Image: v1.0 to v1.4, UC-8410A with Debian 9 System Image: Versions v4.0.2 and v4.1.2, UC-8580 with Debian 9 System Image: Versions v2.0 and v2.1, UC-8540 with Debian 9 System Image: Versions v2.0 and v2.1, and DA-662C-16-LX (GLB) System Image: Versions v1.0.2 to v1.1.2 of Moxa's ARM-based computers have an execution with unnecessary privileges vulnerability, which could allow an attacker with user-level privileges to gain root privileges.

7.8
2022-11-28 CVE-2022-45939 GNU
Debian
Fedoraproject
OS Command Injection vulnerability in multiple products

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program.

7.8
2022-12-02 CVE-2022-3086 Moxa Command Injection vulnerability in Moxa products

Cradlepoint IBR600 NCOS versions 6.5.0.160bc2e and prior are vulnerable to shell escape, which enables local attackers with non-superuser credentials to gain full, unrestrictive shell access which may allow an attacker to execute arbitrary code.

7.6
2022-12-04 CVE-2022-46405 Joinmastodon Uncontrolled Recursion vulnerability in Joinmastodon Mastodon

Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.

7.5
2022-12-03 CVE-2022-4280 Dottech Unspecified vulnerability in Dottech Smart Campus System

A vulnerability, which was classified as problematic, has been found in Dot Tech Smart Campus System.

7.5
2022-12-02 CVE-2022-2640 Hornerautomation Inadequate Encryption Strength vulnerability in Hornerautomation Rcc972 Firmware 15.40

The Config-files of Horner Automation’s RCC 972 with firmware version 15.40 are encrypted with weak XOR encryption vulnerable to reverse engineering.

7.5
2022-12-02 CVE-2022-2642 Hornerautomation Excessive Reliance on Global Variables vulnerability in Hornerautomation Rcc972 Firmware 15.40

Horner Automation’s RCC 972 firmware version 15.40 contains global variables.

7.5
2022-12-02 CVE-2022-45641 Tenda Classic Buffer Overflow vulnerability in Tenda AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Buffer Overflow via formSetMacFilterCfg.

7.5
2022-12-02 CVE-2022-45643 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the addWifiMacFilter function.

7.5
2022-12-02 CVE-2022-45644 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the formSetClientState function.

7.5
2022-12-02 CVE-2022-45645 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceMac parameter in the addWifiMacFilter function.

7.5
2022-12-02 CVE-2022-45646 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the limitSpeedUp parameter in the formSetClientState function.

7.5
2022-12-02 CVE-2022-45647 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the limitSpeed parameter in the formSetClientState function.

7.5
2022-12-02 CVE-2022-45648 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the devName parameter in the formSetDeviceName function.

7.5
2022-12-02 CVE-2022-45649 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the endIp parameter in the formSetPPTPServer function.

7.5
2022-12-02 CVE-2022-45650 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the firewallEn parameter in the formSetFirewallCfg function.

7.5
2022-12-02 CVE-2022-45651 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the list parameter in the formSetVirtualSer function.

7.5
2022-12-02 CVE-2022-45652 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the startIp parameter in the formSetPPTPServer function.

7.5
2022-12-02 CVE-2022-45653 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the page parameter in the fromNatStaticSetting function.

7.5
2022-12-02 CVE-2022-45654 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the ssid parameter in the form_fast_setting_wifi_set function.

7.5
2022-12-02 CVE-2022-45655 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the timeZone parameter in the form_fast_setting_wifi_set function.

7.5
2022-12-02 CVE-2022-45656 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the time parameter in the fromSetSysTime function.

7.5
2022-12-02 CVE-2022-45657 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the list parameter in the fromSetIpMacBind function.

7.5
2022-12-02 CVE-2022-45658 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the schedEndTime parameter in the setSchedWifi function.

7.5
2022-12-02 CVE-2022-45659 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

7.5
2022-12-02 CVE-2022-45660 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the schedStartTime parameter in the setSchedWifi function.

7.5
2022-12-02 CVE-2022-45661 Tendacn Classic Buffer Overflow vulnerability in Tendacn AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the time parameter in the setSmartPowerManagement function.

7.5
2022-12-02 CVE-2022-45663 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the index parameter in the formWifiMacFilterSet function.

7.5
2022-12-02 CVE-2022-45664 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the list parameter in the formwrlSSIDget function.

7.5
2022-12-02 CVE-2022-45669 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the index parameter in the formWifiMacFilterGet function.

7.5
2022-12-02 CVE-2022-45670 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the ping1 parameter in the formSetAutoPing function.

7.5
2022-12-02 CVE-2022-45671 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the appData parameter in the formSetAppFilterRule function.

7.5
2022-12-02 CVE-2022-45672 Tenda Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the formWx3AuthorizeSet function.

7.5
2022-12-02 CVE-2022-43272 Offis Memory Leak vulnerability in Offis Dcmtk 3.6.7

DCMTK v3.6.7 was discovered to contain a memory leak via the T_ASC_Association object.

7.5
2022-12-01 CVE-2022-2969 Deltaww Path Traversal vulnerability in Deltaww Dialink 1.2.4.0/1.5.0.0

Delta Industrial Automation DIALink versions prior to v1.5.0.0 Beta 4 uses an external input to construct a pathname intended to identify a file or directory located underneath a restricted parent directory.

7.5
2022-12-01 CVE-2022-37017 Broadcom Unspecified vulnerability in Broadcom Symantec Endpoint Protection

Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls.

7.5
2022-12-01 CVE-2022-28607 Isic LK Project Unspecified vulnerability in Isic.Lk Project Isic.Lk

An issue was discovered in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to gain sensitive information via the action parameter to /system/user/modules/mod_users/controller.php.

7.5
2022-12-01 CVE-2022-4246 Kakaocorp Improper Resource Shutdown or Release vulnerability in Kakaocorp Potplayer

A vulnerability classified as problematic has been found in Kakao PotPlayer.

7.5
2022-12-01 CVE-2022-45640 Tenda Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.19

Tenda Tenda AC6V1.0 V15.03.05.19 is affected by buffer overflow.

7.5
2022-11-30 CVE-2022-23746 Checkpoint Improper Restriction of Excessive Authentication Attempts vulnerability in Checkpoint SSL Network Extender

The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX).

7.5
2022-11-30 CVE-2022-4228 Book Store Management System Project Missing Authentication for Critical Function vulnerability in Book Store Management System Project Book Store Management System 1.0

A vulnerability classified as problematic has been found in SourceCodester Book Store Management System 1.0.

7.5
2022-11-30 CVE-2022-45337 Tenda Out-of-bounds Write vulnerability in Tenda TX9 PRO Firmware 22.03.02.10

Tenda TX9 Pro v22.03.02.10 was discovered to contain a stack overflow via the list parameter at /goform/SetIpMacBind.

7.5
2022-11-30 CVE-2022-40265 Mitsubishielectric Improper Input Validation vulnerability in Mitsubishielectric products

Improper Input Validation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series RJ71EN71 Firmware version "65" and prior and Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120ENCPU Network Part Firmware version "65" and prior allows a remote unauthenticated attacker to cause a Denial of Service condition by sending specially crafted packets.

7.5
2022-11-29 CVE-2022-25848 Static DEV Server Project Path Traversal vulnerability in Static-Dev-Server Project Static-Dev-Server 1.0.0

This affects all versions of package static-dev-server.

7.5
2022-11-29 CVE-2022-44356 Wavlink Files or Directories Accessible to External Parties vulnerability in Wavlink Wl-Wn531G3 Firmware M31G3.V5030.200325/M31G3.V5030.201204

WAVLINK Quantum D4G (WL-WN531G3) running firmware versions M31G3.V5030.201204 and M31G3.V5030.200325 has an access control issue which allows unauthenticated attackers to download configuration data and log files.

7.5
2022-11-29 CVE-2022-41568 Linecorp Resource Exhaustion vulnerability in Linecorp Line

LINE client for iOS before 12.17.0 might be crashed by sharing an invalid shared key of e2ee in group chat.

7.5
2022-11-29 CVE-2022-43326 Telosalliance Authorization Bypass Through User-Controlled Key vulnerability in Telosalliance Omnia MPX Node Firmware 1.0.0/1.4.9

An Insecure Direct Object Reference (IDOR) vulnerability in the password reset function of Telos Alliance Omnia MPX Node 1.0.0-1.4.[*] allows attackers to arbitrarily change user and Administrator account passwords.

7.5
2022-11-29 CVE-2022-45329 Aerocms Project SQL Injection vulnerability in Aerocms Project Aerocms 0.0.1

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter.

7.5
2022-11-28 CVE-2022-24187 SZ Fujia Authorization Bypass Through User-Controlled Key vulnerability in Sz-Fujia Ourphoto 1.4.1

The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities.

7.5
2022-11-28 CVE-2022-24188 SZ Fujia Cleartext Storage of Sensitive Information vulnerability in Sz-Fujia Ourphoto 1.4.1

The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices.

7.5
2022-11-28 CVE-2022-24190 SZ Fujia Missing Authorization vulnerability in Sz-Fujia Ourphoto 1.4.1

The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization.

7.5
2022-11-28 CVE-2022-45921 Fusionauth Path Traversal vulnerability in Fusionauth

FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request.

7.5
2022-11-28 CVE-2022-41957 Muhammara Project
Hummus Project
Unchecked Return Value to NULL Pointer Dereference vulnerability in multiple products

Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron.

7.5
2022-11-28 CVE-2022-38900 Decode URI Component Project Improper Input Validation vulnerability in Decode-Uri-Component Project Decode-Uri-Component 0.2.0

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

7.5
2022-12-01 CVE-2022-44211 GL Inet Unspecified vulnerability in Gl-Inet Goodcloud

In GL.iNet Goodcloud 1.1 Incorrect access control allows a remote attacker to access/change devices' settings.

7.4
2022-11-28 CVE-2021-45036 Velneo Improper Authentication vulnerability in Velneo Vclient 28.1.3

Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims's username and hashed password to spoof the victim's id against the server.

7.4
2022-12-03 CVE-2022-4278 Oretnom23 SQL Injection vulnerability in Oretnom23 Human Resource Management System 1.0

A vulnerability was found in SourceCodester Human Resource Management System 1.0.

7.2
2022-12-02 CVE-2022-44277 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/classes/Master.php?f=delete_product.

7.2
2022-12-02 CVE-2022-44345 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=quotes/view_quote&id=.

7.2
2022-12-02 CVE-2022-44347 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=inquiries/view_inquiry&id=.

7.2
2022-12-02 CVE-2022-44348 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/orders/update_status.php?id=.

7.2
2022-12-01 CVE-2022-3226 Sophos OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA.

7.2
2022-12-01 CVE-2022-3696 Sophos Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA.

7.2
2022-11-30 CVE-2022-44294 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/manage_service&id=.

7.2
2022-11-30 CVE-2022-44295 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/orders/assign_team.php?id=.

7.2
2022-11-30 CVE-2022-44296 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/quotes/manage_remark.php?id=.

7.2
2022-11-30 CVE-2022-45328 Church Management System Project SQL Injection vulnerability in Church Management System Project Church Management System 1.0

Church Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/edit_members.php.

7.2
2022-11-29 CVE-2022-36962 Solarwinds Command Injection vulnerability in Solarwinds Orion Platform

SolarWinds Platform was susceptible to Command Injection.

7.2
2022-11-29 CVE-2022-3383 Ultimatemember Unspecified vulnerability in Ultimatemember Ultimate Member

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func().

7.2
2022-11-29 CVE-2022-3384 Ultimatemember Unspecified vulnerability in Ultimatemember Ultimate Member

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func().

7.2
2022-11-28 CVE-2022-3490 Themehigh Unspecified vulnerability in Themehigh Checkout Field Editor for Woocommerce

The Checkout Field Editor (Checkout Manager) for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present

7.2
2022-11-28 CVE-2022-3689 Ibericode Unspecified vulnerability in Ibericode Html Forms

The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users

7.2
2022-12-04 CVE-2022-35507 Proxmox Injection vulnerability in Proxmox products

A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS.

7.1

159 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-11-30 CVE-2022-38803 Zkteco Cross-site Scripting vulnerability in Zkteco Biotime

Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log.

6.8
2022-11-30 CVE-2022-3859 Trellix Uncontrolled Search Path Element vulnerability in Trellix Agent

An uncontrolled search path vulnerability exists in Trellix Agent (TA) for Windows in versions prior to 5.7.8.

6.7
2022-12-04 CVE-2022-35730 Oceanwp Cross-Site Request Forgery (CSRF) vulnerability in Oceanwp Sticky Header

Cross-Site Request Forgery (CSRF) vulnerability in Oceanwp sticky header plugin <= 1.0.8 on WordPress.

6.5
2022-12-03 CVE-2021-37533 Apache
Debian
Improper Input Validation vulnerability in multiple products

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default.

6.5
2022-12-02 CVE-2022-45667 Tenda Cross-Site Request Forgery (CSRF) vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet.

6.5
2022-12-02 CVE-2022-45668 Tenda Cross-Site Request Forgery (CSRF) vulnerability in Tenda I22 Firmware 1.0.0.3(4687)

Tenda i22 V1.0.0.3(4687) is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.

6.5
2022-12-02 CVE-2022-45673 Tenda Cross-Site Request Forgery (CSRF) vulnerability in Tenda AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet.

6.5
2022-12-02 CVE-2022-45674 Tenda Cross-Site Request Forgery (CSRF) vulnerability in Tenda AC6 Firmware 15.03.05.19

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.

6.5
2022-12-01 CVE-2022-23737 Github Improper Privilege Management vulnerability in Github Enterprise Server

An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API.

6.5
2022-12-01 CVE-2022-41971 Nextcloud Exposure of Resource to Wrong Sphere vulnerability in Nextcloud Talk

Nextcould Talk android is a video and audio conferencing app for Nextcloud.

6.5
2022-12-01 CVE-2022-43900 IBM Improper Authentication vulnerability in IBM Websphere Automation for IBM Cloud PAK for Watson Aiops 1.4.2

IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps 1.4.2 could provide a weaker than expected security.

6.5
2022-12-01 CVE-2022-41297 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM products

IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.5
2022-11-30 CVE-2022-46338 G810 LED Project
Debian
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data.

6.5
2022-11-30 CVE-2022-4187 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

6.5
2022-11-29 CVE-2021-31693 Vmware Unspecified vulnerability in VMWare Tools

The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data.

6.5
2022-11-29 CVE-2022-3747 Muffingroup Cross-Site Request Forgery (CSRF) vulnerability in Muffingroup Becustom 1.0.5.2

The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2.

6.5
2022-11-29 CVE-2022-3898 WP Affiliate Platform Project Cross-Site Request Forgery (CSRF) vulnerability in WP Affiliate Platform Project WP Affiliate Platform 6.3.9

The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9.

6.5
2022-11-29 CVE-2022-4144 Qemu
Fedoraproject
Redhat
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read flaw was found in the QXL display device emulation in QEMU.

6.5
2022-11-29 CVE-2022-4172 Qemu
Fedoraproject
Classic Buffer Overflow vulnerability in multiple products

An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions.

6.5
2022-11-29 CVE-2022-32966 Realtek Missing Authorization vulnerability in Realtek Rtl8111Fp-Cg Firmware 3.0.0.2019090/5.0.10/5.0.23

RTL8168FP-CG Dash remote management function has missing authorization.

6.5
2022-11-28 CVE-2022-24189 SZ Fujia Incorrect Authorization vulnerability in Sz-Fujia Ourphoto 1.4.1

The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly.

6.5
2022-11-28 CVE-2022-44937 Bosscms Cross-Site Request Forgery (CSRF) vulnerability in Bosscms 2.0.0

Bosscms v2.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Add function under the Administrator List module.

6.5
2022-11-28 CVE-2022-3511 Getawesomesupport Unspecified vulnerability in Getawesomesupport Awesome Support

The Awesome Support WordPress plugin before 6.1.2 does not ensure that the exported tickets archive to be downloaded belongs to the user making the request, allowing a low privileged user, such as subscriber to download arbitrary exported tickets via an IDOR vector

6.5
2022-11-29 CVE-2022-46155 Airtable Cleartext Storage of Sensitive Information vulnerability in Airtable

Airtable.js is the JavaScript client for Airtable.

6.4
2022-11-30 CVE-2022-22984 Snyk OS Command Injection vulnerability in Snyk products

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342).

6.3
2022-11-28 CVE-2022-38753 Microfocus Unspecified vulnerability in Microfocus Netiq Advanced Authentication

This update resolves a multi-factor authentication bypass attack

6.3
2022-11-30 CVE-2022-38802 Zkteco Cross-site Scripting vulnerability in Zkteco Biotime

Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday.

6.2
2022-12-04 CVE-2022-40968 2Kblater Cross-site Scripting vulnerability in 2Kblater 2KB Amazon Affiliates Store

Reflected Cross-Site Scripting (XSS) vulnerability in 2kb Amazon Affiliates Store plugin <=2.1.5 on WordPress.

6.1
2022-12-04 CVE-2022-46391 Awstats
Debian
Fedoraproject
Cross-site Scripting vulnerability in multiple products

AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.

6.1
2022-12-03 CVE-2022-4279 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Human Resource Management System 1.0

A vulnerability classified as problematic has been found in SourceCodester Human Resource Management System 1.0.

6.1
2022-12-02 CVE-2022-4208 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'datef' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping.

6.1
2022-12-02 CVE-2022-4209 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pointsf' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping.

6.1
2022-12-02 CVE-2022-4210 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dnf' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping.

6.1
2022-12-02 CVE-2022-4211 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'emailf' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping.

6.1
2022-12-02 CVE-2022-4212 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ipf' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping.

6.1
2022-12-02 CVE-2022-4213 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dn' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping.

6.1
2022-12-02 CVE-2022-4214 Kibokolabs Cross-site Scripting vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ip' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.3 due to insufficient input sanitization and output escaping.

6.1
2022-12-02 CVE-2022-4215 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.3 due to insufficient input sanitization and output escaping.

6.1
2022-12-01 CVE-2022-45050 Axiell Cross-site Scripting vulnerability in Axiell Iguana

A reflected XSS vulnerability has been found in Axiell Iguana CMS, allowing an attacker to execute code in a victim's browser.

6.1
2022-12-01 CVE-2022-4249 Movie Ticket Booking System Project Cross-site Scripting vulnerability in Movie Ticket Booking System Project Movie Ticket Booking System

A vulnerability, which was classified as problematic, was found in Movie Ticket Booking System.

6.1
2022-12-01 CVE-2022-4250 Movie Ticket Booking System Project Improper Enforcement of Message or Data Structure vulnerability in Movie Ticket Booking System Project Movie Ticket Booking System

A vulnerability has been found in Movie Ticket Booking System and classified as problematic.

6.1
2022-12-01 CVE-2022-4252 Canteen Management System Project Improper Enforcement of Message or Data Structure vulnerability in Canteen Management System Project Canteen Management System

A vulnerability was found in SourceCodester Canteen Management System.

6.1
2022-11-30 CVE-2022-4234 Canteen Management System Project Improper Enforcement of Message or Data Structure vulnerability in Canteen Management System Project Canteen Management System

A vulnerability was found in SourceCodester Canteen Management System.

6.1
2022-11-30 CVE-2021-31740 Seppmail Cross-site Scripting vulnerability in Seppmail

SEPPMail's web frontend, user input is not embedded correctly in the web page and therefore leads to cross-site scripting vulnerabilities (XSS).

6.1
2022-11-30 CVE-2022-4233 Rinvizle Cross-site Scripting vulnerability in Rinvizle Event Registration System 1.0

A vulnerability has been found in SourceCodester Event Registration System 1.0 and classified as problematic.

6.1
2022-11-29 CVE-2022-3896 WP Affiliate Platform Project Cross-site Scripting vulnerability in WP Affiliate Platform Project WP Affiliate Platform 6.3.9

The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping.

6.1
2022-11-29 CVE-2022-4032 Expresstech Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master

The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected.

6.1
2022-11-29 CVE-2022-4035 Dwbooster Cross-site Scripting vulnerability in Dwbooster Appointment Hour Booking

The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the ‘email’ or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible.

6.1
2022-11-29 CVE-2022-44279 Garage Management System Project Cross-site Scripting vulnerability in Garage Management System Project Garage Management System 1.0

Garage Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /garage/php_action/createBrand.php.

6.1
2022-11-29 CVE-2022-44355 Contec Cross-site Scripting vulnerability in Contec Solarview Compact Firmware 7.0

SolarView Compact 7.0 is vulnerable to Cross-site Scripting (XSS) via /network_test.php.

6.1
2022-11-29 CVE-2022-36433 Amasty Cross-site Scripting vulnerability in Amasty Blog PRO

The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.

6.1
2022-11-28 CVE-2022-45214 Sanitization Management System Project Cross-site Scripting vulnerability in Sanitization Management System Project Sanitization Management System 1.0

A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter at /php-sms/classes/Login.php.

6.1
2022-11-28 CVE-2022-41965 Apereo Open Redirect vulnerability in Apereo Opencast

Opencast is a free, open-source platform to support the management of educational audio and video content.

6.1
2022-11-28 CVE-2022-46147 Openedx Cross-site Scripting vulnerability in Openedx Xblock-Drag-And-Drop-V2

Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image.

6.1
2022-11-28 CVE-2022-2311 Find AND Replace ALL Project Unspecified vulnerability in Find and Replace ALL Project Find and Replace ALL

The Find and Replace All WordPress plugin before 1.3 does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue.

6.1
2022-11-28 CVE-2022-3847 Showing URL IN QR Code Project Unspecified vulnerability in Showing URL in QR Code Project Showing URL in QR Code 0.0.1

The Showing URL in QR Code WordPress plugin through 0.0.1 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin or editor add Stored XSS payloads via a CSRF attack

6.1
2022-12-02 CVE-2022-45480 Beappsmobile Cleartext Transmission of Sensitive Information vulnerability in Beappsmobile PC Keyboard Wifi & Bluetooth

PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.

5.9
2022-12-02 CVE-2022-45483 Lazy Mouse Project Cleartext Transmission of Sensitive Information vulnerability in Lazy Mouse Project Lazy Mouse

Lazy Mouse allows an attacker (in a man in the middle position between the server and a connected device) to see all data (including keypresses) in cleartext.

5.9
2022-12-01 CVE-2022-44212 GL Inet Unspecified vulnerability in Gl-Inet Goodcloud

In GL.iNet Goodcloud 1.0, insecure design allows remote attacker to access devices' admin panel.

5.9
2022-12-01 CVE-2022-43901 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Websphere Automation for IBM Cloud PAK for Watson Aiops 1.4.2

IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps 1.4.3 could disclose sensitive information.

5.5
2022-11-30 CVE-2022-45869 Linux Race Condition vulnerability in Linux Kernel

A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.

5.5
2022-11-29 CVE-2022-45204 Gpac Memory Leak vulnerability in Gpac

GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a memory leak via the function dimC_box_read at isomedia/box_code_3gpp.c.

5.5
2022-11-28 CVE-2022-4127 Linux NULL Pointer Dereference vulnerability in Linux Kernel

A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc.

5.5
2022-11-28 CVE-2022-4128 Linux NULL Pointer Dereference vulnerability in Linux Mptcp Protocol

A NULL pointer dereference issue was discovered in the Linux kernel in the MPTCP protocol when traversing the subflow list at disconnect time.

5.5
2022-11-28 CVE-2022-4129 Linux
Fedoraproject
Improper Locking vulnerability in multiple products

A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP).

5.5
2022-11-28 CVE-2022-4104 Lepton Project Infinite Loop vulnerability in Lepton Project Lepton 1.2

A loop with an unreachable exit condition can be triggered by passing a crafted JPEG file to the Lepton image compression tool, resulting in a denial-of-service.

5.5
2022-11-28 CVE-2022-41732 IBM Insufficiently Protected Credentials vulnerability in IBM Maximo Application Suite 8.7/8.8

IBM Maximo Mobile 8.7 and 8.8 stores user credentials in plain clear text which can be read by a local user.

5.5
2022-11-28 CVE-2022-43588 Callback NULL Pointer Dereference vulnerability in Callback Cbfs Filter 20.0.8317

A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317.

5.5
2022-11-28 CVE-2022-43589 Callback NULL Pointer Dereference vulnerability in Callback Cbfs Filter 20.0.8317

A null pointer dereference vulnerability exists in the handle_ioctl_8314C functionality of Callback technologies CBFS Filter 20.0.8317.

5.5
2022-11-28 CVE-2022-43590 Callback NULL Pointer Dereference vulnerability in Callback Cbfs Filter 20.0.8317

A null pointer dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer functionality of Callback technologies CBFS Filter 20.0.8317.

5.5
2022-12-02 CVE-2022-44944 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24.

5.4
2022-12-02 CVE-2022-44946 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24.

5.4
2022-12-02 CVE-2022-44947 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24.

5.4
2022-12-02 CVE-2022-44948 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups.

5.4
2022-12-02 CVE-2022-44949 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24.

5.4
2022-12-02 CVE-2022-44950 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24.

5.4
2022-12-02 CVE-2022-44951 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24.

5.4
2022-12-02 CVE-2022-44952 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application.

5.4
2022-12-02 CVE-2022-44953 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /linkedcontent/listfiles.php.

5.4
2022-12-02 CVE-2022-44954 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /contacts/listcontacts.php.

5.4
2022-12-02 CVE-2022-44955 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the Chat function.

5.4
2022-12-02 CVE-2022-44956 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /projects/listprojects.php.

5.4
2022-12-02 CVE-2022-44957 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php.

5.4
2022-12-02 CVE-2022-44959 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /meetings/listmeetings.php.

5.4
2022-12-02 CVE-2022-44960 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /general/search.php?searchtype=simple.

5.4
2022-12-02 CVE-2022-44961 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /forums/editforum.php.

5.4
2022-12-02 CVE-2022-44962 Webtareas Project Cross-site Scripting vulnerability in Webtareas Project Webtareas 2.4

webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /calendar/viewcalendar.php.

5.4
2022-12-02 CVE-2022-4271 Enhancesoft Cross-site Scripting vulnerability in Enhancesoft Osticket

Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to 1.16.4.

5.4
2022-12-02 CVE-2022-45215 Book Store Management System Project Cross-site Scripting vulnerability in Book Store Management System Project Book Store Management System 1.0

A cross-site scripting (XSS) vulnerability in Book Store Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the Add New System User module.

5.4
2022-12-01 CVE-2022-4251 Movie Ticket Booking System Project Improper Enforcement of Message or Data Structure vulnerability in Movie Ticket Booking System Project Movie Ticket Booking System

A vulnerability was found in Movie Ticket Booking System and classified as problematic.

5.4
2022-12-01 CVE-2022-4253 Canteen Management System Project Improper Enforcement of Message or Data Structure vulnerability in Canteen Management System Project Canteen Management System

A vulnerability was found in SourceCodester Canteen Management System.

5.4
2022-12-01 CVE-2022-40849 Thinkcmf Cross-site Scripting vulnerability in Thinkcmf 6.0.7

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS).

5.4
2022-12-01 CVE-2022-40204 Digitalalertsystems Cross-site Scripting vulnerability in Digitalalertsystems products

A cross-site scripting (XSS) vulnerability exists in all current versions of Digital Alert Systems DASDEC software via the Host Header in undisclosed pages after login.

5.4
2022-11-30 CVE-2019-18265 Digitalalertsystems Cross-site Scripting vulnerability in Digitalalertsystems products

Digital Alert Systems’ DASDEC software prior to version 4.1 contains a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the SSH username, username field of the login page, or via the HTTP host header.

5.4
2022-11-30 CVE-2022-46149 Capnproto
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

Cap'n Proto is a data interchange format and remote procedure call (RPC) system.

5.4
2022-11-30 CVE-2022-38801 Zkteco Cross-site Scripting vulnerability in Zkteco Biotime

In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting.

5.4
2022-11-30 CVE-2022-4231 Tribalsystems Session Fixation vulnerability in Tribalsystems Zenario 9.3.57595

A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595.

5.4
2022-11-29 CVE-2022-3991 Photospace Gallery Project Cross-site Scripting vulnerability in Photospace Gallery Project Photospace Gallery 2.3.5

The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping.

5.4
2022-11-29 CVE-2022-4027 Simple Press Cross-site Scripting vulnerability in Simple-Press Simple:Press

The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible.

5.4
2022-11-29 CVE-2022-4028 Simple Press Cross-site Scripting vulnerability in Simple-Press Simple:Press

The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible.

5.4
2022-11-29 CVE-2022-46148 Discourse Cross-site Scripting vulnerability in Discourse

Discourse is an open-source messaging platform.

5.4
2022-11-29 CVE-2022-41676 Raidenmaild Cross-site Scripting vulnerability in Raidenmaild

Raiden MAILD Mail Server website mail field has insufficient filtering for user input.

5.4
2022-11-29 CVE-2022-42099 Klik Project Cross-site Scripting vulnerability in Klik Project Klik 1.0.1

KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location Forum Subject input.

5.4
2022-11-29 CVE-2022-42100 Klik Project Cross-site Scripting vulnerability in Klik Project Klik 1.0.1

KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location input reply-form.

5.4
2022-11-28 CVE-2022-44284 Dinstar Cross-site Scripting vulnerability in Dinstar Dag2000-16O Firmware

Dinstar FXO Analog VoIP Gateway DAG2000-16O is vulnerable to Cross Site Scripting (XSS).

5.4
2022-12-01 CVE-2022-41968 Nextcloud Improper Validation of Specified Quantity in Input vulnerability in Nextcloud Server

Nextcloud Server is an open source personal cloud server.

5.3
2022-12-01 CVE-2022-41970 Nextcloud Incorrect Authorization vulnerability in Nextcloud Server

Nextcloud Server is an open source personal cloud server.

5.3
2022-11-30 CVE-2022-1911 M Files Exposure of Resource to Wrong Sphere vulnerability in M-Files Server 22.2.11051.0/22.3.11237.3

Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system.

5.3
2022-11-29 CVE-2022-4033 Expresstech Improper Input Validation vulnerability in Expresstech Quiz and Survey Master

The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e.

5.3
2022-11-29 CVE-2022-4036 Dwbooster Inadequate Encryption Strength vulnerability in Dwbooster Appointment Hour Booking

The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72.

5.3
2022-11-28 CVE-2022-4169 Theme AND Plugin Translation FOR Polylang Project Missing Authorization vulnerability in Theme and Plugin Translation for Polylang Project Theme and Plugin Translation for Polylang

The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function.

5.3
2022-11-29 CVE-2022-4031 Simple Press Path Traversal vulnerability in Simple-Press Simple:Press

The Simple:Press plugin for WordPress is vulnerable to arbitrary file modifications in versions up to, and including, 6.8 via the 'file' parameter which does not properly restrict files to be edited in the context of the plugin.

4.9
2022-12-02 CVE-2022-4216 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'facebook_appid' parameter in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping.

4.8
2022-12-02 CVE-2022-4217 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_key' parameter in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping.

4.8
2022-11-29 CVE-2022-3897 WP Affiliate Platform Project Cross-site Scripting vulnerability in WP Affiliate Platform Project WP Affiliate Platform 6.3.9

The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping.

4.8
2022-11-29 CVE-2022-36136 Churchcrm Cross-site Scripting vulnerability in Churchcrm 4.4.5

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

4.8
2022-11-29 CVE-2022-36137 Churchcrm Cross-site Scripting vulnerability in Churchcrm 4.4.5

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

4.8
2022-11-28 CVE-2022-45221 WEB Based Student Clearance System Project Cross-site Scripting vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System 1.0

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in changepassword.php.

4.8
2022-11-28 CVE-2022-45223 WEB Based Student Clearance System Project Cross-site Scripting vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System 1.0

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php.

4.8
2022-11-28 CVE-2022-45224 WEB Based Student Clearance System Project Cross-site Scripting vulnerability in Web-Based Student Clearance System Project Web-Based Student Clearance System 1.0

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in Admin/add-admin.php.

4.8
2022-11-28 CVE-2022-2983 Salat Times Project Unspecified vulnerability in Salat Times Project Salat Times

The Salat Times WordPress plugin before 3.2.2 does not sanitize and escapes its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8
2022-11-28 CVE-2022-3601 Image Hover Effects Css3 Project Unspecified vulnerability in Image Hover Effects Css3 Project Image Hover Effects Css3 4.5

The Image Hover Effects Css3 WordPress plugin through 4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3610 Jeeng Push Notifications Project Unspecified vulnerability in Jeeng Push Notifications Project Jeeng Push Notifications 2.0.3

The Jeeng Push Notifications WordPress plugin before 2.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-11-28 CVE-2022-3822 Tipsandtricks HQ Unspecified vulnerability in Tipsandtricks-Hq Donations VIA Paypal

The Donations via PayPal WordPress plugin before 1.9.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3823 Beautiful Cookie Banner Unspecified vulnerability in Beautiful-Cookie-Banner Beautiful Cookie Consent Banner

The Beautiful Cookie Consent Banner WordPress plugin before 2.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3824 WP Admin UI Customize Project Unspecified vulnerability in WP Admin UI Customize Project WP Admin UI Customize

The WP Admin UI Customize WordPress plugin before 1.5.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3828 Video Thumbnails Project Unspecified vulnerability in Video Thumbnails Project Video Thumbnails 2.12.3

The Video Thumbnails WordPress plugin through 2.12.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3831 Recaptcha Project Unspecified vulnerability in Recaptcha Project Recaptcha 1.4.1/1.5/1.6

The reCAPTCHA WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3833 Thematosoup Unspecified vulnerability in Thematosoup Fancier Author BOX

The Fancier Author Box by ThematoSoup WordPress plugin through 1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3834 Google Forms Project Cross-site Scripting vulnerability in Google Forms Project Google Forms

The Google Forms WordPress plugin through 0.95 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-28 CVE-2022-3839 Analytics FOR WP Project Unspecified vulnerability in Analytics for WP Project Analytics for WP

The Analytics for WP WordPress plugin through 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-11-29 CVE-2022-4029 Simple Press Cross-site Scripting vulnerability in Simple-Press Simple:Press

The Simple:Press plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sforum_[md5 hash of the WordPress URL]' cookie value in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping.

4.7
2022-12-02 CVE-2022-4218 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4.

4.3
2022-12-02 CVE-2022-4219 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4.

4.3
2022-12-02 CVE-2022-4220 Kibokolabs Unspecified vulnerability in Kibokolabs Chained Quiz

The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4.

4.3
2022-12-02 CVE-2022-46159 Discourse Allocation of Resources Without Limits or Throttling vulnerability in Discourse 0.9.2/2.9.0

Discourse is an open-source discussion platform.

4.3
2022-12-01 CVE-2022-3711 Sophos SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.

4.3
2022-11-30 CVE-2022-1606 M Files Improper Privilege Management vulnerability in M-Files Server 22.2.11051.0

Incorrect privilege assignment in M-Files Server versions before 22.3.11164.0 and before 22.3.11237.1 allows user to read unmanaged objects.

4.3
2022-11-30 CVE-2022-41413 Perfsonar Cross-Site Request Forgery (CSRF) vulnerability in Perfsonar

perfSONAR v4.x <= v4.4.5 was discovered to contain a Cross-Site Request Forgery (CSRF) which is triggered when an attacker injects crafted input into the Search function.

4.3
2022-11-30 CVE-2022-4182 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass fenced frame restrictions via a crafted HTML page.

4.3
2022-11-30 CVE-2022-4183 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

4.3
2022-11-30 CVE-2022-4184 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass autofill restrictions via a crafted HTML page.

4.3
2022-11-30 CVE-2022-4185 Google Unspecified vulnerability in Google Chrome

Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote attacker to spoof the contents of the modal dialogue via a crafted HTML page.

4.3
2022-11-30 CVE-2022-4186 Google Improper Input Validation vulnerability in Google Chrome

Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a crafted HTML page.

4.3
2022-11-30 CVE-2022-4188 Google Injection vulnerability in Google Chrome

Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

4.3
2022-11-30 CVE-2022-4189 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

4.3
2022-11-30 CVE-2022-4195 Google Unspecified vulnerability in Google Chrome

Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass Safe Browsing warnings via a malicious file.

4.3
2022-11-29 CVE-2022-3361 Ultimatemember Path Traversal vulnerability in Ultimatemember Ultimate Member

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes.

4.3
2022-11-29 CVE-2022-3995 Standalonetech Authorization Bypass Through User-Controlled Key vulnerability in Standalonetech Terawallet

The TeraWallet plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.4.3.

4.3
2022-11-29 CVE-2022-46150 Discourse Information Exposure vulnerability in Discourse

Discourse is an open-source discussion platform.

4.3
2022-11-29 CVE-2022-45301 Chocolatey Incorrect Permission Assignment for Critical Resource vulnerability in Chocolatey Ruby

Insecure permissions in Chocolatey Ruby package v3.1.2.1 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\ruby31 and all files located in that folder.

4.3
2022-11-29 CVE-2022-45304 Chocolatey Incorrect Permission Assignment for Critical Resource vulnerability in Chocolatey Cmder

Insecure permissions in Chocolatey Cmder package v1.3.20 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.

4.3
2022-11-29 CVE-2022-45305 Chocolatey Incorrect Permission Assignment for Critical Resource vulnerability in Chocolatey Python3

Insecure permissions in Chocolatey Python3 package v3.11.0 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder.

4.3
2022-11-29 CVE-2022-45306 Chocolatey Incorrect Permission Assignment for Critical Resource vulnerability in Chocolatey Azure-Pipelines-Agent

Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.

4.3
2022-11-29 CVE-2022-45307 Chocolatey Incorrect Permission Assignment for Critical Resource vulnerability in Chocolatey PHP

Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.

4.3
2022-11-28 CVE-2022-41921 Discourse Allocation of Resources Without Limits or Throttling vulnerability in Discourse

Discourse is an open-source discussion platform.

4.3
2022-11-28 CVE-2022-41944 Discourse Incorrect Authorization vulnerability in Discourse

Discourse is an open-source discussion platform.

4.3
2022-11-28 CVE-2021-25059 Metagauss Unspecified vulnerability in Metagauss Download Plugin 1.6.1/1.6.2

The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.

4.3
2022-11-28 CVE-2022-3850 Find AND Replace ALL Project Unspecified vulnerability in Find and Replace ALL Project Find and Replace ALL

The Find and Replace All WordPress plugin before 1.3 does not have CSRF check when replacing string, which could allow attackers to make a logged admin replace arbitrary string in database tables via a CSRF attack

4.3

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-11-30 CVE-2022-45842 Wpulike Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Wpulike WP Ulike

Unauth.

3.7
2022-11-30 CVE-2022-46156 Grafana Unspecified vulnerability in Grafana Synthetic Monitoring Agent

The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets.

3.3
2022-12-01 CVE-2022-41969 Nextcloud Weak Password Requirements vulnerability in Nextcloud Server

Nextcloud Server is an open source personal cloud server.

2.7
2022-12-01 CVE-2022-3710 Sophos SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0

A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.

2.7
2022-12-02 CVE-2022-4270 M Files Improper Privilege Management vulnerability in M-Files Server 22.2.11051.0/22.3.11237.3

Incorrect privilege assignment issue in M-Files Web in M-Files Web versions before 22.5.11436.1 could have changed permissions accidentally.

2.6
2022-11-29 CVE-2022-32967 Realtek Use of Hard-coded Credentials vulnerability in Realtek Rtl8111Ep-Cg Firmware and Rtl8111Fp-Cg Firmware

RTL8111EP-CG/RTL8111FP-CG DASH function has hard-coded password.

2.1