Weekly Vulnerabilities Reports > December 5 to 11, 2022

Overview

417 new vulnerabilities reported during this period, including 68 critical vulnerabilities and 156 high severity vulnerabilities. This weekly summary report vulnerabilities in 391 products from 199 vendors including Google, Tenda, Debian, Neutrinolabs, and Jetbrains. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "Out-of-bounds Read", "Missing Authorization", and "OS Command Injection".

  • 285 reported vulnerabilities are remotely exploitables.
  • 128 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 211 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 85 reported vulnerabilities.
  • Debian has the most reported critical vulnerabilities, with 14 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

68 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-09 CVE-2022-4390 Netgear Unspecified vulnerability in Netgear Ax2400 Firmware

A network misconfiguration is present in versions prior to 1.0.9.90 of the NETGEAR RAX30 AX2400 series of routers.

10.0
2022-12-08 CVE-2022-4291 Avast Out-of-bounds Write vulnerability in Avast Script Shield

The aswjsflt.dll library from Avast Antivirus windows contained a potentially exploitable heap corruption vulnerability that could enable an attacker to bypass the sandbox of the application it was loaded into, if applicable.

10.0
2022-12-05 CVE-2022-30123 Rack Project
Debian
A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.
10.0
2022-12-10 CVE-2022-4399 Nodau Project SQL Injection vulnerability in Nodau Project Nodau

A vulnerability was found in TicklishHoneyBee nodau.

9.8
2022-12-10 CVE-2022-45145 Call CC OS Command Injection vulnerability in Call-Cc Chicken

egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary OS command execution during package installation via escape characters in a .egg file.

9.8
2022-12-09 CVE-2022-46166 Codecentric Code Injection vulnerability in Codecentric Spring Boot Admin 3.0.0

Spring boot admins is an open source administrative user interface for management of spring boot applications.

9.8
2022-12-09 CVE-2022-2993 Zephyrproject Unspecified vulnerability in Zephyrproject Zephyr

There is an error in the condition of the last if-statement in the function smp_check_keys.

9.8
2022-12-09 CVE-2022-23468 Neutrinolabs
Debian
Classic Buffer Overflow vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in xrdp_login_wnd_create() function.

9.8
2022-12-09 CVE-2022-23477 Neutrinolabs
Debian
Classic Buffer Overflow vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in audin_send_open() function.

9.8
2022-12-09 CVE-2022-23478 Neutrinolabs
Debian
Out-of-bounds Write vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Write in xrdp_mm_trans_process_drdynvc_channel_open() function.

9.8
2022-12-09 CVE-2022-23479 Neutrinolabs
Debian
Classic Buffer Overflow vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in xrdp_mm_chan_data_in() function.

9.8
2022-12-09 CVE-2022-23480 Neutrinolabs
Debian
Classic Buffer Overflow vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in devredir_proc_client_devlist_announce_req() function.

9.8
2022-12-09 CVE-2022-23484 Neutrinolabs
Debian
Integer Overflow or Wraparound vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Integer Overflow in xrdp_mm_process_rail_update_window_text() function.

9.8
2022-12-09 CVE-2022-4170 Rxvt Unicode Project
Fedoraproject
The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.
9.8
2022-12-09 CVE-2022-4375 Mingsoft SQL Injection vulnerability in Mingsoft Mcms

A vulnerability was found in Mingsoft MCMS up to 5.2.9.

9.8
2022-12-08 CVE-2022-33186 Brocade OS Command Injection vulnerability in Brocade Fabric Operating System

A vulnerability in Brocade Fabric OS software v9.1.1, v9.0.1e, v8.2.3c, v7.4.2j, and earlier versions could allow a remote unauthenticated attacker to execute on a Brocade Fabric OS switch commands capable of modifying zoning, disabling the switch, disabling ports, and modifying the switch IP address.

9.8
2022-12-08 CVE-2022-44938 Seeddms Unspecified vulnerability in Seeddms 5.1.7/6.0.20

Weak reset token generation in SeedDMS v6.0.20 and v5.1.7 allows attackers to execute a full account takeover via a brute force attack.

9.8
2022-12-08 CVE-2022-45497 Tenda OS Command Injection vulnerability in Tenda W6-S Firmware 1.0.0.4(510)

Tenda W6-S v1.0.0.4(510) was discovered to contain a command injection vulnerability in the tpi_get_ping_output function at /goform/exeCommand.

9.8
2022-12-08 CVE-2022-45506 Tenda OS Command Injection vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E v1.0.1.25(633) was discovered to contain a command injection vulnerability via the fileNameMit parameter at /goform/delFileName.

9.8
2022-12-08 CVE-2022-4364 Flir OS Command Injection vulnerability in Flir AX8 Firmware

A vulnerability classified as critical has been found in Teledyne FLIR AX8 up to 1.46.16.

9.8
2022-12-07 CVE-2022-44351 Skycaiji Deserialization of Untrusted Data vulnerability in Skycaiji 2.5.1

Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php.

9.8
2022-12-07 CVE-2022-45550 Ayacms Project Unspecified vulnerability in Ayacms Project Ayacms 3.1.2

AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE).

9.8
2022-12-07 CVE-2022-44371 Hope Boot Project Deserialization of Untrusted Data vulnerability in Hope-Boot Project Hope-Boot 1.0.0

hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE).

9.8
2022-12-07 CVE-2022-42458 Shift Tech Improper Authentication vulnerability in Shift-Tech Bingo!Cms

Authentication bypass using an alternate path or channel vulnerability in bingo!CMS version1.7.4.1 and earlier allows a remote unauthenticated attacker to upload an arbitrary file.

9.8
2022-12-07 CVE-2022-46742 Paddlepaddle Code Injection vulnerability in Paddlepaddle 2.4.0

Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution.

9.8
2022-12-07 CVE-2022-45010 Simple Phone Book Directory WEB APP Project SQL Injection vulnerability in Simple Phone Book/Directory web APP Project Simple Phone Book/Directory web APP 1.0

Simple Phone Book/Directory Web App v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /PhoneBook/edit.php.

9.8
2022-12-07 CVE-2022-45025 Markdown Preview Enhanced Project OS Command Injection vulnerability in Markdown Preview Enhanced Project Markdown Preview Enhanced 0.19.6/0.6.5

Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom was discovered to contain a command injection vulnerability via the PDF file import function.

9.8
2022-12-07 CVE-2022-45026 Markdown Preview Enhanced Project OS Command Injection vulnerability in Markdown Preview Enhanced Project Markdown Preview Enhanced 0.19.6/0.6.5

An issue in Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom allows attackers to execute arbitrary commands during the GFM export process.

9.8
2022-12-06 CVE-2022-45359 Yithemes Unrestricted Upload of File with Dangerous Type vulnerability in Yithemes Yith Woocommerce Gift Cards

Unauth.

9.8
2022-12-06 CVE-2022-46161 Pdfmake Project Unspecified vulnerability in Pdfmake Project Pdfmake

pdfmake is an open source client/server side PDF printing in pure JavaScript.

9.8
2022-12-06 CVE-2022-35843 Fortinet Improper Authentication vulnerability in Fortinet Fortios and Fortiproxy

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions and FortiProxy SSH login component 7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server.

9.8
2022-12-06 CVE-2020-6627 Seagate OS Command Injection vulnerability in Seagate products

The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.

9.8
2022-12-06 CVE-2022-46383 Rackn Unspecified vulnerability in Rackn Digital Rebar

RackN Digital Rebar through 4.6.14, 4.7 through 4.7.22, 4.8 through 4.8.5, 4.9 through 4.9.12, and 4.10 through 4.10.8 has exposed a privileged token via a public API endpoint (Incorrect Access Control).

9.8
2022-12-06 CVE-2022-24439 Gitpython Project
Fedoraproject
Debian
Improper Input Validation vulnerability in multiple products

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command.

9.8
2022-12-06 CVE-2022-25912 Simple GIT Project OS Command Injection vulnerability in Simple-Git Project Simple-Git

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method.

9.8
2022-12-06 CVE-2022-40918 Force1Rc Out-of-bounds Write vulnerability in Force1Rc Discovery Wifi U818A Hd+ FPV Firmware 2.0.10

Buffer overflow in firmware lewei_cam binary version 2.0.10 in Force 1 Discovery Wifi U818A HD+ FPV Drone allows attacker to gain remote code execution as root user via a specially crafted UDP packet.

9.8
2022-12-05 CVE-2022-27773 Ivanti Unspecified vulnerability in Ivanti Endpoint Manager

A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges.

9.8
2022-12-05 CVE-2022-32221 Haxx
Netapp
Debian
Apple
Exposure of Resource to Wrong Sphere vulnerability in multiple products

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback.

9.8
2022-12-05 CVE-2022-32224 Activerecord Project Deserialization of Untrusted Data vulnerability in Activerecord Project Activerecord

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.

9.8
2022-12-05 CVE-2022-40242 AMI Improper Authentication vulnerability in AMI Megarac Sp-X 12/13

MegaRAC Default Credentials Vulnerability

9.8
2022-12-05 CVE-2022-40259 AMI Improper Authentication vulnerability in AMI Megarac Sp-X 12/13

MegaRAC Default Credentials Vulnerability

9.8
2022-12-05 CVE-2022-43549 Veeam Improper Authentication vulnerability in Veeam Backup for Google Cloud 1.0/3.0

Improper authentication in Veeam Backup for Google Cloud v1.0 and v3.0 allows attackers to bypass authentication mechanisms.

9.8
2022-12-05 CVE-2022-44039 Franklinfueling Incorrect Authorization vulnerability in Franklinfueling Colibri Firmware 1.9.22.8925

Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite.

9.8
2022-12-05 CVE-2022-45479 Beappsmobile Missing Authentication for Critical Function vulnerability in Beappsmobile PC Keyboard Wifi&Bluetooth

PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

9.8
2022-12-05 CVE-2022-45481 Lzmouse Missing Authentication for Critical Function vulnerability in Lzmouse Lazy Mouse

The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.

9.8
2022-12-05 CVE-2022-46164 Nodebb Improper Initialization vulnerability in Nodebb

NodeBB is an open source Node.js based forum software.

9.8
2022-12-05 CVE-2022-46169 Cacti Incorrect Authorization vulnerability in Cacti

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users.

9.8
2022-12-05 CVE-2022-43516 Zabbix
Microsoft
A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI)
9.8
2022-12-05 CVE-2022-43515 Zabbix Incorrect Authorization vulnerability in Zabbix Frontend

Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it.

9.8
2022-12-05 CVE-2022-45315 Mikrotik Out-of-bounds Read vulnerability in Mikrotik Routeros

Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process.

9.8
2022-12-05 CVE-2022-45477 Telepad APP Missing Authentication for Critical Function vulnerability in Telepad-App Telepad

Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

9.8
2022-12-05 CVE-2022-45822 Elbtide SQL Injection vulnerability in Elbtide Advanced Booking Calendar

Unauth.

9.8
2022-12-05 CVE-2022-41642 Kujirahand OS Command Injection vulnerability in Kujirahand Nadesiko3

OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.61 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product.

9.8
2022-12-05 CVE-2022-42496 Kujirahand OS Command Injection vulnerability in Kujirahand Nadesiko3

OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.

9.8
2022-12-08 CVE-2022-4354 PB CMS Project Cross-site Scripting vulnerability in Pb-Cms Project Pb-Cms 2.0

A vulnerability was found in LinZhaoguan pb-cms 2.0 and classified as problematic.

9.6
2022-12-06 CVE-2022-46332 Proofpoint Cross-site Scripting vulnerability in Proofpoint Enterprise Protection

The Admin Smart Search feature in Proofpoint Enterprise Protection (PPS/PoD) contains a stored cross-site scripting vulnerability that enables an anonymous email sender to gain admin privileges within the user interface.

9.6
2022-12-06 CVE-2022-41559 Tibco Open Redirect vulnerability in Tibco Nimbus 10.5.0

The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to exploit an open redirect on the affected system.

9.3
2022-12-09 CVE-2022-45290 Kbase DOC Project Path Traversal vulnerability in Kbase DOC Project Kbase DOC 1.0

Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.

9.1
2022-12-09 CVE-2022-23481 Neutrinolabs
Debian
Out-of-bounds Read vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_caps_process_confirm_active() function.

9.1
2022-12-09 CVE-2022-23482 Neutrinolabs
Debian
Out-of-bounds Read vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() function.

9.1
2022-12-09 CVE-2022-23483 Neutrinolabs
Debian
Out-of-bounds Read vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in libxrdp_send_to_channel() function.

9.1
2022-12-09 CVE-2022-23493 Neutrinolabs
Debian
Out-of-bounds Read vulnerability in multiple products

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() function.

9.1
2022-12-07 CVE-2022-46741 Paddlepaddle Out-of-bounds Read vulnerability in Paddlepaddle

Out-of-bounds read in gather_tree in PaddlePaddle before 2.4. 

9.1
2022-12-06 CVE-2022-41902 Google Out-of-bounds Read vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

9.1
2022-12-06 CVE-2022-41910 Google Out-of-bounds Read vulnerability in Google Tensorflow

TensorFlow is an open source platform for machine learning.

9.1
2022-12-06 CVE-2022-44900 Py7Zr Project Path Traversal vulnerability in Py7Zr Project Py7Zr

A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.

9.1
2022-12-06 CVE-2022-38337 Mobatek Use of Hard-coded Credentials vulnerability in Mobatek Mobaxterm

When aborting a SFTP connection, MobaXterm before v22.1 sends a hardcoded password to the server.

9.1
2022-12-05 CVE-2022-35255 Nodejs
Siemens
Debian
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in multiple products

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc.

9.1

156 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-11 CVE-2022-4403 Canteen Management System Project SQL Injection vulnerability in Canteen Management System Project Canteen Management System

A vulnerability classified as critical was found in SourceCodester Canteen Management System.

8.8
2022-12-09 CVE-2022-23510 Cube SQL Injection vulnerability in Cube Cube.Js 0.31.23

cube-js is a headless business intelligence platform.

8.8
2022-12-09 CVE-2022-46157 Akeneo Code Injection vulnerability in Akeneo Product Information Management

Akeneo PIM is an open source Product Information Management (PIM).

8.8
2022-12-08 CVE-2022-46829 Jetbrains Improper Authentication vulnerability in Jetbrains Gateway

In JetBrains JetBrains Gateway before 2022.3 a client could connect without a valid token if the host consented.

8.8
2022-12-08 CVE-2022-46792 Hasura Incorrect Authorization vulnerability in Hasura Graphql Engine

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends.

8.8
2022-12-07 CVE-2022-44373 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-820Ap Firmware 1.01.B01

A stack overflow vulnerability exists in TrendNet Wireless AC Easy-Upgrader TEW-820AP (Version v1.0R, firmware version 1.01.B01) which may result in remote code execution.

8.8
2022-12-07 CVE-2022-43581 IBM Missing Authorization vulnerability in IBM Content Navigator

IBM Content Navigator 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, and 3.0.12 is vulnerable to missing authorization and could allow an authenticated user to load external plugins and execute code.

8.8
2022-12-07 CVE-2022-40966 Buffalo Improper Authentication vulnerability in Buffalo products

Authentication bypass vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to bypass authentication and access the device.

8.8
2022-12-07 CVE-2022-41622 F5 Cross-Site Request Forgery (CSRF) vulnerability in F5 products

In all versions,  BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

8.8
2022-12-07 CVE-2022-43464 Unimo Unspecified vulnerability in Unimo products

Hidden functionality vulnerability in UDR-JA1604/UDR-JA1608/UDR-JA1616 firmware versions 71x10.1.107112.43A and earlier allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.

8.8
2022-12-07 CVE-2022-44606 Unimo OS Command Injection vulnerability in Unimo products

OS command injection vulnerability in UDR-JA1604/UDR-JA1608/UDR-JA1616 firmware versions 71x10.1.107112.43A and earlier allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.

8.8
2022-12-07 CVE-2022-44620 Unimo Improper Authentication vulnerability in Unimo products

Improper authentication vulnerability in UDR-JA1604/UDR-JA1608/UDR-JA1616 firmware versions 71x10.1.107112.43A and earlier allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.

8.8
2022-12-07 CVE-2022-44849 Metinfo Cross-Site Request Forgery (CSRF) vulnerability in Metinfo 7.7

A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account.

8.8
2022-12-07 CVE-2022-45915 Ilias OS Command Injection vulnerability in Ilias

ILIAS before 7.16 allows OS Command Injection.

8.8
2022-12-06 CVE-2022-42699 WP Ecommerce Code Injection vulnerability in Wp-Ecommerce Easy WP Smtp

Auth.

8.8
2022-12-06 CVE-2022-42888 Armemberplugin Improper Privilege Management vulnerability in Armemberplugin Armember

Unauth.

8.8
2022-12-06 CVE-2022-23475 Daloradius Cross-site Scripting vulnerability in Daloradius

daloRADIUS is an open source RADIUS web management application.

8.8
2022-12-06 CVE-2022-45548 Ayacms Project Unrestricted Upload of File with Dangerous Type vulnerability in Ayacms Project Ayacms 3.1.2

AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.

8.8
2022-12-06 CVE-2022-33875 Fortinet SQL Injection vulnerability in Fortinet Fortiadc

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

8.8
2022-12-06 CVE-2022-44289 Thinkphp Unrestricted Upload of File with Dangerous Type vulnerability in Thinkphp 5.0.24/5.1.41

Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.

8.8
2022-12-06 CVE-2022-46382 Rackn Incorrect Default Permissions vulnerability in Rackn Digital Rebar

RackN Digital Rebar through 4.6.14, 4.7 through 4.7.22, 4.8 through 4.8.5, 4.9 through 4.9.12, and 4.10 through 4.10.8 has Insecure Permissions.

8.8
2022-12-06 CVE-2022-4300 Xjd2020 Code Injection vulnerability in Xjd2020 Fastcms

A vulnerability was found in FastCMS.

8.8
2022-12-06 CVE-2022-4173 Avast Improper Privilege Management vulnerability in Avast and AVG Antivirus

A vulnerability within the malware removal functionality of Avast and AVG Antivirus allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios.

8.8
2022-12-05 CVE-2022-45020 Rukovoditel Cross-site Scripting vulnerability in Rukovoditel 3.2.1

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login.

8.8
2022-12-05 CVE-2022-43553 UI Unspecified vulnerability in UI Edgemax Edgerouter Firmware 2.0.9

A remote code execution vulnerability in EdgeRouters (Version 2.0.9-hotfix.4 and earlier) allows a malicious actor with an operator account to run arbitrary administrator commands.This vulnerability is fixed in Version 2.0.9-hotfix.5 and later.

8.8
2022-12-05 CVE-2022-45771 Pwndoc Project Unspecified vulnerability in Pwndoc Project Pwndoc 0.5.3

An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.

8.8
2022-12-05 CVE-2022-45313 Mikrotik Out-of-bounds Read vulnerability in Mikrotik Routeros

Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process.

8.8
2022-12-05 CVE-2022-4281 Facepay Project Improper Privilege Management vulnerability in Facepay Project Facepay 1.0

A vulnerability has been found in Facepay 1.0 and classified as critical.

8.8
2022-12-07 CVE-2022-41800 F5 Command Injection vulnerability in F5 products

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.

8.7
2022-12-08 CVE-2022-37916 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave

Vulnerabilities in the AirWave Management Platform web-based management interface exist which expose some URLs to a lack of proper access controls.

8.1
2022-12-08 CVE-2022-37917 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave

Vulnerabilities in the AirWave Management Platform web-based management interface exist which expose some URLs to a lack of proper access controls.

8.1
2022-12-08 CVE-2022-37918 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave

Vulnerabilities in the AirWave Management Platform web-based management interface exist which expose some URLs to a lack of proper access controls.

8.1
2022-12-08 CVE-2022-3262 Redhat Insecure Default Initialization of Resource vulnerability in Redhat Openshift 4.9

A flaw was found in Openshift.

8.1
2022-12-07 CVE-2022-44942 Casbin Path Traversal vulnerability in Casbin Casdoor

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

8.1
2022-12-06 CVE-2022-45829 WP Ecommerce Path Traversal vulnerability in Wp-Ecommerce Easy WP Smtp

Auth.

8.1
2022-12-06 CVE-2022-38336 Mobatek Improper Authentication vulnerability in Mobatek Mobaxterm

An access control issue in MobaXterm before v22.1 allows attackers to make connections to the server via the SSH or SFTP protocols without authentication.

8.1
2022-12-05 CVE-2022-43548 Nodejs
Debian
OS Command Injection vulnerability in multiple products

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

8.1
2022-12-08 CVE-2020-36610 Duxcms Project Incorrect Authorization vulnerability in Duxcms Project Duxcms 2.1

A vulnerability was found in annyshow DuxCMS 2.1.

8.0
2022-12-10 CVE-2022-4398 Radare Integer Overflow or Wraparound vulnerability in Radare Radare2

Integer Overflow or Wraparound in GitHub repository radareorg/radare2 prior to 5.8.0.

7.8
2022-12-09 CVE-2022-2752 Secomea Improper Authentication vulnerability in Secomea Gatemanager 9.6.621421014

A vulnerability in the web server of Secomea GateManager allows a local user to impersonate as the previous user under some failed login conditions. This issue affects: Secomea GateManager versions from 9.4 through 9.7.

7.8
2022-12-08 CVE-2022-46824 Jetbrains Classic Buffer Overflow vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible.

7.8
2022-12-08 CVE-2022-46828 Jetbrains Unrestricted Upload of File with Dangerous Type vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible.

7.8
2022-12-08 CVE-2022-39907 Google Integer Overflow or Wraparound vulnerability in Google Android

Integer overflow vulnerability in Samsung decoding library for video thumbnails prior to SMR Dec-2022 Release 1 allows local attacker to perform Out-Of-Bounds Write.

7.8
2022-12-08 CVE-2022-44455 Openharmony Classic Buffer Overflow vulnerability in Openharmony 3.1/3.1.1/3.1.2

The appspawn and nwebspawn services within OpenHarmony-v3.1.2 and prior versions were found to be vulnerable to buffer overflow vulnerability due to insufficient input validation.

7.8
2022-12-08 CVE-2022-3084 GE Access of Uninitialized Pointer vulnerability in GE Cimplicity

GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiRootOptionTable, which could allow an attacker to execute arbitrary code.

7.8
2022-12-08 CVE-2022-3092 GE Out-of-bounds Write vulnerability in GE Cimplicity

GE CIMPICITY versions 2022 and prior is vulnerable to an out-of-bounds write, which could allow an attacker to execute arbitrary code.

7.8
2022-12-07 CVE-2022-2002 GE Untrusted Pointer Dereference vulnerability in GE Cimplicity

GE CIMPICITY versions 2022 and prior is vulnerable when data from faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.

7.8
2022-12-07 CVE-2022-2948 GE Heap-based Buffer Overflow vulnerability in GE Cimplicity

GE CIMPICITY versions 2022 and prior is vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary code.

7.8
2022-12-07 CVE-2022-2952 GE Access of Uninitialized Pointer vulnerability in GE Cimplicity

GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.

7.8
2022-12-07 CVE-2022-43508 Omron Use After Free vulnerability in Omron Cx-Programmer

Use-after free vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-12-07 CVE-2022-43509 Omron Out-of-bounds Write vulnerability in Omron Cx-Programmer

Out-of-bounds write vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-12-07 CVE-2022-43667 Omron Out-of-bounds Write vulnerability in Omron Cx-Programmer

Stack-based buffer overflow vulnerability exists in CX-Programmer v.9.77 and earlier, which may lead to information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file.

7.8
2022-12-06 CVE-2022-43867 IBM OS Command Injection vulnerability in IBM Spectrum Scale Container Native Storage Access 5.1.0.1/5.1.2.1/5.1.4.1

IBM Spectrum Scale 5.1.0.1 through 5.1.4.1 could allow a local attacker to execute arbitrary commands in the container.

7.8
2022-12-06 CVE-2022-41325 Videolan
Debian
Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.

7.8
2022-12-06 CVE-2022-39090 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39091 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39092 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39093 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39094 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39095 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39096 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39097 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39098 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39099 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39100 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39101 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-39102 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-42776 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In UscAIEngine service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-42777 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In power management service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-42778 Google Missing Authorization vulnerability in Google Android 11.0

In windows manager service, there is a missing permission check.

7.8
2022-12-06 CVE-2022-45283 Gpac Out-of-bounds Write vulnerability in Gpac 2.0.0

GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c.

7.8
2022-12-05 CVE-2022-35259 Ivanti XML Injection (aka Blind XPath Injection) vulnerability in Ivanti Endpoint Manager

XML Injection with Endpoint Manager 2022.

7.8
2022-12-05 CVE-2022-4292 VIM
Netapp
Use After Free vulnerability in multiple products

Use After Free in GitHub repository vim/vim prior to 9.0.0882.

7.8
2022-12-05 CVE-2022-43484 Nttdata Improper Input Validation vulnerability in Nttdata Terasoluna Global Framework 1.0.0

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC.

7.8
2022-12-11 CVE-2022-4409 Phpmyfaq Missing Encryption of Sensitive Data vulnerability in PHPmyfaq

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9.

7.5
2022-12-09 CVE-2022-23497 Freshrss Information Exposure vulnerability in Freshrss

FreshRSS is a free, self-hostable RSS aggregator.

7.5
2022-12-09 CVE-2022-44790 Interspire SQL Injection vulnerability in Interspire Email Marketer

Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module.

7.5
2022-12-09 CVE-2022-3724 Wireshark Use of Externally-Controlled Format String vulnerability in Wireshark

Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows

7.5
2022-12-08 CVE-2022-23495 Protocol Unchecked Return Value vulnerability in Protocol Go-Merkledag

go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project.

7.5
2022-12-08 CVE-2022-23496 YET Another Useragent Analyzer Project Improper Handling of Exceptional Conditions vulnerability in YET Another Useragent Analyzer Project YET Another Useragent Analyzer

Yet Another UserAgent Analyzer (Yauaa) is a java library that tries to parse and analyze the useragent string and extract as many relevant attributes as possible.

7.5
2022-12-08 CVE-2022-4366 Daloradius Missing Authorization vulnerability in Daloradius

Missing Authorization in GitHub repository lirantal/daloradius prior to master branch.

7.5
2022-12-08 CVE-2022-39902 Samsung Unspecified vulnerability in Samsung Exynos Firmware

Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call.

7.5
2022-12-08 CVE-2022-44931 Tenda Out-of-bounds Write vulnerability in Tenda A18 Firmware 15.13.07.09

Tenda A18 v15.13.07.09 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

7.5
2022-12-08 CVE-2022-44932 Tenda Unspecified vulnerability in Tenda A18 Firmware 15.13.07.09

An access control issue in Tenda A18 v15.13.07.09 allows unauthenticated attackers to access the Telnet service.

7.5
2022-12-08 CVE-2022-45498 Tenda Unspecified vulnerability in Tenda W6-S Firmware 1.0.0.4(510)

An issue in the component tpi_systool_handle(0) (/goform/SysToolReboot) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

7.5
2022-12-08 CVE-2022-45499 Tenda Out-of-bounds Write vulnerability in Tenda W6-S Firmware 1.0.0.4(510)

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/WifiMacFilterGet.

7.5
2022-12-08 CVE-2022-45501 Tenda Out-of-bounds Write vulnerability in Tenda W6-S Firmware 1.0.0.4(510)

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/wifiSSIDset.

7.5
2022-12-08 CVE-2022-45503 Tenda Out-of-bounds Write vulnerability in Tenda W6-S Firmware 1.0.0.4(510)

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the linkEn parameter at /goform/setAutoPing.

7.5
2022-12-08 CVE-2022-45504 Tenda Unspecified vulnerability in Tenda W6-S Firmware 1.0.0.4(510)

An issue in the component tpi_systool_handle(0) (/goform/SysToolRestoreSet) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

7.5
2022-12-08 CVE-2022-45505 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the cmdinput parameter at /goform/exeCommand.

7.5
2022-12-08 CVE-2022-45507 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the editNameMit parameter at /goform/editFileName.

7.5
2022-12-08 CVE-2022-45508 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the new_account parameter at /goform/editUserName.

7.5
2022-12-08 CVE-2022-45509 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the account parameter at /goform/addUserName.

7.5
2022-12-08 CVE-2022-45510 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the mit_ssid_index parameter at /goform/AdvSetWrlsafeset.

7.5
2022-12-08 CVE-2022-45511 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the PPPOEPassword parameter at /goform/QuickIndex.

7.5
2022-12-08 CVE-2022-45512 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/SafeEmailFilter.

7.5
2022-12-08 CVE-2022-45513 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/P2pListFilter.

7.5
2022-12-08 CVE-2022-45514 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/webExcptypemanFilter.

7.5
2022-12-08 CVE-2022-45515 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the entries parameter at /goform/addressNat.

7.5
2022-12-08 CVE-2022-45516 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/NatStaticSetting.

7.5
2022-12-08 CVE-2022-45517 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/VirtualSer.

7.5
2022-12-08 CVE-2022-45518 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/SetIpBind.

7.5
2022-12-08 CVE-2022-45519 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the Go parameter at /goform/SafeMacFilter.

7.5
2022-12-08 CVE-2022-45520 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/qossetting.

7.5
2022-12-08 CVE-2022-45521 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/SafeUrlFilter.

7.5
2022-12-08 CVE-2022-45522 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/SafeClientFilter.

7.5
2022-12-08 CVE-2022-45523 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/L7Im.

7.5
2022-12-08 CVE-2022-45524 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the opttype parameter at /goform/IPSECsave.

7.5
2022-12-08 CVE-2022-45525 Tenda Out-of-bounds Write vulnerability in Tenda W30E Firmware 1.0.1.25(633)

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the downaction parameter at /goform/CertListInfo.

7.5
2022-12-08 CVE-2022-23476 Nokogiri Unchecked Return Value vulnerability in Nokogiri 1.13.8/1.13.9

Nokogiri is an open source XML and HTML library for the Ruby programming language.

7.5
2022-12-08 CVE-2022-23492 Protocol Allocation of Resources Without Limits or Throttling vulnerability in Protocol Libp2P

go-libp2p is the offical libp2p implementation in the Go programming language.

7.5
2022-12-07 CVE-2022-23491 Certifi Project Insufficient Verification of Data Authenticity vulnerability in Certifi Project Certifi

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.

7.5
2022-12-07 CVE-2022-23486 Protocol Allocation of Resources Without Limits or Throttling vulnerability in Protocol Libp2P

libp2p-rust is the official rust language Implementation of the libp2p networking stack.

7.5
2022-12-07 CVE-2022-23487 Protocol Allocation of Resources Without Limits or Throttling vulnerability in Protocol Libp2P

js-libp2p is the official javascript Implementation of libp2p networking stack.

7.5
2022-12-07 CVE-2022-46770 Linuxfoundation Infinite Loop vulnerability in Linuxfoundation Mirage Firewall

qubes-mirage-firewall (aka Mirage firewall for QubesOS) 0.8.x through 0.8.3 allows guest OS users to cause a denial of service (CPU consumption and loss of forwarding) via a crafted multicast UDP packet (IP address range of 224.0.0.0 through 239.255.255.255).

7.5
2022-12-07 CVE-2022-41720 Golang Path Traversal vulnerability in Golang GO

On Windows, restricted files can be accessed via os.DirFS and http.Dir.

7.5
2022-12-07 CVE-2022-43468 Wordpress Popular Posts Project Improper Initialization vulnerability in Wordpress Popular Posts Project Wordpress Popular Posts

External initialization of trusted variables or data stores vulnerability exists in WordPress Popular Posts 6.0.5 and earlier, therefore the vulnerable product accepts untrusted external inputs to update certain internal variables.

7.5
2022-12-07 CVE-2022-44608 Cybozu Resource Exhaustion vulnerability in Cybozu Remote Service

Uncontrolled resource consumption vulnerability in Cybozu Remote Service 4.0.0 to 4.0.3 allows a remote authenticated attacker to consume huge storage space, which may result in a denial-of-service (DoS) condition.

7.5
2022-12-06 CVE-2022-44030 Redmine Improper Handling of Exceptional Conditions vulnerability in Redmine

Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks.

7.5
2022-12-06 CVE-2022-46154 Kodcloud Path Traversal vulnerability in Kodcloud Kodexplorer

Kodexplorer is a chinese language web based file manager and browser based code editor.

7.5
2022-12-06 CVE-2022-4147 Quarkus Unspecified vulnerability in Quarkus

Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed.

7.5
2022-12-06 CVE-2022-23470 Galaxyproject Path Traversal vulnerability in Galaxyproject Galaxy 22.01/22.01.1/22.05

Galaxy is an open-source platform for data analysis.

7.5
2022-12-06 CVE-2022-23472 Passeo Project Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Passeo Project Passeo

Passeo is an open source python password generator.

7.5
2022-12-06 CVE-2022-34361 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Sterling Secure Proxy 6.0.3

IBM Sterling Secure Proxy 6.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2022-12-06 CVE-2022-30305 Fortinet Improper Restriction of Excessive Authentication Attempts vulnerability in Fortinet Fortideceptor and Fortisandbox

An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.

7.5
2022-12-06 CVE-2021-39434 Zkteco Weak Password Requirements vulnerability in Zkteco Zktime 11.1.0

A default username and password for an administrator account was discovered in ZKTeco ZKTime 10.0 through 11.1.0, builds 20180901, 20190510.1, 20200309.3, 20200930, 20201231, and 20210220.

7.5
2022-12-06 CVE-2022-44009 Stackstorm Missing Authorization vulnerability in Stackstorm 3.7.0

Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information.

7.5
2022-12-05 CVE-2022-45019 Slims SQL Injection vulnerability in Slims Senayan Library Management System 9.5.0

SLiMS 9 Bulian v9.5.0 was discovered to contain a SQL injection vulnerability via the keywords parameter.

7.5
2022-12-05 CVE-2022-2827 AMI Unspecified vulnerability in AMI Megarac Sp-X 12/13

AMI MegaRAC User Enumeration Vulnerability

7.5
2022-12-05 CVE-2022-30122 Rack Project
Debian
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
7.5
2022-12-05 CVE-2022-35254 Ivanti Resource Exhaustion vulnerability in Ivanti Connect Secure and Policy Secure

An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.

7.5
2022-12-05 CVE-2022-35258 Ivanti Incorrect Calculation vulnerability in Ivanti Connect Secure and Policy Secure

An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.

7.5
2022-12-05 CVE-2022-37325 Sangoma Out-of-bounds Write vulnerability in Sangoma Asterisk

In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.

7.5
2022-12-05 CVE-2022-37783 Craftcms Insufficiently Protected Credentials vulnerability in Craftcms Craft CMS

All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens.

7.5
2022-12-05 CVE-2022-3694 Syncee Unspecified vulnerability in Syncee - Global Dropshipping

The Syncee WordPress plugin before 1.0.10 leaks the administrator token that can be used to take over the administrator's account.

7.5
2022-12-05 CVE-2022-3846 Amentotech Unspecified vulnerability in Amentotech Workreap

The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

7.5
2022-12-05 CVE-2022-3907 Clerk Information Exposure Through Discrepancy vulnerability in Clerk Clerk.Io

The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.

7.5
2022-12-05 CVE-2022-41777 Kujirahand Unspecified vulnerability in Kujirahand Nadesiko3

Improper check or handling of exceptional conditions vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to inject an invalid value to decodeURIComponent of nako3edit, which may lead the server to crash.

7.5
2022-12-09 CVE-2022-3259 Redhat Improper Initialization vulnerability in Redhat Openshift 4.9

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.

7.4
2022-12-08 CVE-2022-39908 Google Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Google Android

TOCTOU vulnerability in Samsung decoding library for video thumbnails prior to SMR Dec-2022 Release 1 allows local attacker to perform Out-Of-Bounds Write.

7.4
2022-12-05 CVE-2022-43470 FSI Cross-Site Request Forgery (CSRF) vulnerability in FSI products

Cross-site request forgery (CSRF) vulnerability in +F FS040U software versions v2.3.4 and earlier, +F FS020W software versions v4.0.0 and earlier, +F FS030W software versions v3.3.5 and earlier, and +F FS040W software versions v1.4.1 and earlier allows an adjacent attacker to hijack the authentication of an administrator and user's unintended operations such as to reboot the product and/or reset the configuration to the initial set-up may be performed.

7.3
2022-12-11 CVE-2022-4402 Docsys Project Path Traversal vulnerability in Docsys Project Docsys

A vulnerability classified as critical has been found in RainyGao DocSys 2.02.37.

7.2
2022-12-09 CVE-2022-44838 Automotive Shop Management System Project SQL Injection vulnerability in Automotive Shop Management System Project Automotive Shop Management System 1.0

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /services/view_service.php.

7.2
2022-12-08 CVE-2022-41948 Dhis2 Improper Privilege Management vulnerability in Dhis2 Dhis 2

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization.

7.2
2022-12-07 CVE-2022-44393 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/view_service&id=.

7.2
2022-12-07 CVE-2022-4322 Maku SQL Injection vulnerability in Maku Maku-Boot

A vulnerability, which was classified as critical, was found in maku-boot up to 2.2.0.

7.2
2022-12-07 CVE-2022-43660 Sixapart Code Injection vulnerability in Sixapart Movable Type

Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an arbitrary Perl script and/or an arbitrary OS command.

7.2
2022-12-07 CVE-2022-45009 Online Leave Management System Project Unrestricted Upload of File with Dangerous Type vulnerability in Online Leave Management System Project Online Leave Management System 1.0

Online Leave Management System v1.0 was discovered to contain an arbitrary file upload vulnerability at /leave_system/classes/SystemSettings.php?f=update_settings.

7.2
2022-12-06 CVE-2022-46333 Proofpoint Code Injection vulnerability in Proofpoint Enterprise Protection

The admin user interface in Proofpoint Enterprise Protection (PPS/PoD) contains a command injection vulnerability that enables an admin to execute commands beyond their allowed scope.

7.2
2022-12-06 CVE-2022-38123 Secomea Improper Input Validation vulnerability in Secomea Gatemanager 9.6.621421014

Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0.

7.2
2022-12-05 CVE-2022-45912 Zimbra Unrestricted Upload of File with Dangerous Type vulnerability in Zimbra Collaboration 8.8.15/9.0.0

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0.

7.2
2022-12-05 CVE-2022-1540 Postmagthemes Unspecified vulnerability in Postmagthemes Demo Import 1.0.7

The PostmagThemes Demo Import WordPress plugin through 1.0.7 does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) leading to RCE.

7.2
2022-12-05 CVE-2022-3249 WP CSV Exporter Project Unspecified vulnerability in WP CSV Exporter Project WP CSV Exporter

The WP CSV Exporter WordPress plugin before 1.3.7 does not properly sanitise and escape some parameters before using them in a SQL statement, allowing high privilege users such as admin to perform SQL injection attacks

7.2
2022-12-05 CVE-2022-3856 Inksplat Unspecified vulnerability in Inksplat Comic Book Management System

The Comic Book Management System WordPress plugin before 2.2.0 does not sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

7.2
2022-12-05 CVE-2022-3858 Premio Unspecified vulnerability in Premio Chaty

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.

7.2
2022-12-05 CVE-2022-4282 Jrecms Improper Enforcement of Message or Data Structure vulnerability in Jrecms Springbootcms

A vulnerability was found in SpringBootCMS and classified as critical.

7.2

174 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-08 CVE-2022-39911 Samsung Unspecified vulnerability in Samsung Pass 4.0.05.1

Improper check or handling of exceptional conditions vulnerability in Samsung Pass prior to version 4.0.06.1 allows attacker to access Samsung Pass.

6.8
2022-12-08 CVE-2022-4349 PWN Project Cross-Site Request Forgery (CSRF) vulnerability in PWN Project PWN

A vulnerability classified as problematic has been found in CTF-hacker pwn.

6.8
2022-12-07 CVE-2022-39044 Buffalo Unspecified vulnerability in Buffalo products

Hidden functionality vulnerability in multiple Buffalo network devices allows a network-adjacent attacker with an administrative privilege to execute an arbitrary OS command.

6.8
2022-12-05 CVE-2022-32594 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In widevine, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-12-05 CVE-2022-32596 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In widevine, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-12-05 CVE-2022-32597 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In widevine, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-12-05 CVE-2022-32598 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In widevine, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-12-05 CVE-2022-32619 Google Out-of-bounds Write vulnerability in Google Android

In keyinstall, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-12-05 CVE-2022-32620 Google Out-of-bounds Write vulnerability in Google Android

In mpu, there is a possible memory corruption due to a logic error.

6.7
2022-12-05 CVE-2022-32622 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In gz, there is a possible memory corruption due to a missing bounds check.

6.7
2022-12-05 CVE-2022-32624 Google Incorrect Calculation of Buffer Size vulnerability in Google Android 11.0/12.0

In throttling, there is a possible out of bounds write due to an incorrect calculation of buffer size.

6.7
2022-12-05 CVE-2022-32625 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In display, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-12-05 CVE-2022-32626 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In display, there is a possible out of bounds write due to an incorrect bounds check.

6.7
2022-12-05 CVE-2022-32628 Google Out-of-bounds Write vulnerability in Google Android 12.0

In isp, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-12-05 CVE-2022-32629 Google Out-of-bounds Write vulnerability in Google Android 12.0

In isp, there is a possible out of bounds write due to a missing bounds check.

6.7
2022-12-05 CVE-2022-32630 Google Incorrect Calculation of Buffer Size vulnerability in Google Android 12.0/13.0

In throttling, there is a possible out of bounds write due to an incorrect calculation of buffer size.

6.7
2022-12-05 CVE-2022-32631 Google
Yoctoproject
Out-of-bounds Write vulnerability in multiple products

In Wi-Fi, there is a possible out of bounds write due to improper input validation.

6.7
2022-12-05 CVE-2022-32632 Google
Yoctoproject
Out-of-bounds Write vulnerability in multiple products

In Wi-Fi, there is a possible out of bounds write due to improper input validation.

6.7
2022-12-05 CVE-2022-32633 Google
Yoctoproject
Improper Privilege Management vulnerability in multiple products

In Wi-Fi, there is a possible memory access violation due to a logic error.

6.7
2022-12-05 CVE-2022-32634 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In ccci, there is a possible out of bounds write due to improper input validation.

6.7
2022-12-10 CVE-2022-4397 Zend Blog 2 Project Cross-Site Request Forgery (CSRF) vulnerability in Zend-Blog-2 Project Zend-Blog-2

A vulnerability was found in morontt zend-blog-number-2.

6.5
2022-12-09 CVE-2022-38765 Canon Authorization Bypass Through User-Controlled Key vulnerability in Canon Vitrea View

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls.

6.5
2022-12-08 CVE-2022-23469 Traefik Information Exposure Through Log Files vulnerability in Traefik

Traefik is an open source HTTP reverse proxy and load balancer.

6.5
2022-12-08 CVE-2022-46153 Traefik Improper Certificate Validation vulnerability in Traefik

Traefik is an open source HTTP reverse proxy and load balancer.

6.5
2022-12-08 CVE-2022-38599 Goteleport Exposure of Resource to Wrong Sphere vulnerability in Goteleport Teleport 3.2.2/3.5.6/3.6.3

Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 was discovered to contain an information leak via the /user/get-role-list web interface.

6.5
2022-12-08 CVE-2022-39901 Samsung Improper Authentication vulnerability in Samsung Exynos Firmware

Improper authentication in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to disable the network traffic encryption between UE and gNodeB.

6.5
2022-12-08 CVE-2022-4261 Rapid7 Download of Code Without Integrity Check vulnerability in Rapid7 Insightvm

Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents.

6.5
2022-12-07 CVE-2022-23471 Linuxfoundation Memory Leak vulnerability in Linuxfoundation Containerd

containerd is an open source container runtime.

6.5
2022-12-07 CVE-2022-34840 Buffalo Use of Hard-coded Credentials vulnerability in Buffalo products

Use of hard-coded credentials vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to alter?configuration settings of the device.

6.5
2022-12-07 CVE-2022-45113 Sixapart Improper Input Validation vulnerability in Sixapart Movable Type

Improper validation of syntactic correctness of input vulnerability exist in Movable Type series.

6.5
2022-12-07 CVE-2022-3643 Linux
Debian
Injection vulnerability in multiple products

Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets.

6.5
2022-12-07 CVE-2022-45918 Ilias Externally Controlled Reference to a Resource in Another Sphere vulnerability in Ilias

ILIAS before 7.16 allows External Control of File Name or Path.

6.5
2022-12-06 CVE-2022-45833 WP Ecommerce Path Traversal vulnerability in Wp-Ecommerce Easy WP Smtp

Auth.

6.5
2022-12-06 CVE-2022-41560 Tibco Unspecified vulnerability in Tibco Nimbus 10.5.0

The Statement Set Upload via the Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Denial of Service Attack on the affected system.

6.5
2022-12-06 CVE-2022-33876 Fortinet Improper Input Validation vulnerability in Fortinet Fortiadc

Multiple instances of improper input validation vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to retrieve files with specific extension from the underlying Linux system via crafted HTTP requests.

6.5
2022-12-05 CVE-2022-23143 ZTE Incorrect Permission Assignment for Critical Resource vulnerability in ZTE Otcp Firmware 1.19.20.02

ZTE OTCP product is impacted by a permission and access control vulnerability.

6.5
2022-12-05 CVE-2022-35256 Nodejs
Llhttp
Siemens
Debian
HTTP Request Smuggling vulnerability in multiple products

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.

6.5
2022-12-05 CVE-2022-35260 Haxx
Netapp
Apple
Out-of-bounds Write vulnerability in multiple products

curl can be told to parse a `.netrc` file for credentials.

6.5
2022-12-05 CVE-2022-42705 Sangoma Use After Free vulnerability in Sangoma Asterisk and Certified Asterisk

A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.

6.5
2022-12-05 CVE-2022-3677 Addonspress Unspecified vulnerability in Addonspress Advanced Import

The Advanced Import WordPress plugin before 1.3.8 does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog via CSRF attacks

6.5
2022-12-05 CVE-2022-3926 WP Oauth Cross-Site Request Forgery (CSRF) vulnerability in Wp-Oauth WP Oauth Server

The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID

6.5
2022-12-05 CVE-2022-45824 Elbtide Cross-Site Request Forgery (CSRF) vulnerability in Elbtide Advanced Booking Calendar

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.

6.5
2022-12-05 CVE-2022-41798 Kyocera Authentication Bypass by Spoofing vulnerability in Kyocera products

Session information easily guessable vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to log in to the product by spoofing a user with guessed session information.

6.5
2022-12-05 CVE-2022-41807 Kyocera Missing Authorization vulnerability in Kyocera products

Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request.

6.5
2022-12-05 CVE-2022-32621 Google Out-of-bounds Write vulnerability in Google Android 12.0

In isp, there is a possible out of bounds write due to a race condition.

6.4
2022-12-11 CVE-2022-4407 Phpmyfaq Cross-site Scripting vulnerability in PHPmyfaq

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.9.

6.1
2022-12-11 CVE-2022-4400 FS Blog Project Cross-site Scripting vulnerability in Fs-Blog Project Fs-Blog

A vulnerability was found in zbl1996 FS-Blog and classified as problematic.

6.1
2022-12-08 CVE-2022-23494 Tiny Cross-site Scripting vulnerability in Tiny Tinymce

tinymce is an open source rich text editor.

6.1
2022-12-08 CVE-2022-4350 Mingsoft Improper Enforcement of Message or Data Structure vulnerability in Mingsoft Mcms 5.2.8

A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8.

6.1
2022-12-08 CVE-2022-4348 Ruoyi Improper Enforcement of Message or Data Structure vulnerability in Ruoyi Ruoyi-Cloud

A vulnerability was found in y_project RuoYi-Cloud.

6.1
2022-12-07 CVE-2022-4341 Coder Chain Gdut Project Cross-site Scripting vulnerability in Coder-Chain Gdut Project Coder-Chain Gdut

A vulnerability has been found in csliuwy coder-chain_gdut and classified as problematic.

6.1
2022-12-07 CVE-2022-41735 IBM Cross-site Scripting vulnerability in IBM Business Automation Workflow

IBM Business Process Manager 21.0.1 through 21.0.3.1, 20.0.0.1 through 20.0.0.2 19.0.0.1 through 19.0.0.3 is vulnerable to cross-site scripting.

6.1
2022-12-07 CVE-2022-43668 Typora Cross-site Scripting vulnerability in Typora

Typora versions prior to 1.4.4 fails to properly neutralize JavaScript code, which may result in executing JavaScript code contained in the file when opening a file with the affected product.

6.1
2022-12-07 CVE-2022-45122 Sixapart Cross-site Scripting vulnerability in Sixapart Movable Type

Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier allows a remote unauthenticated attacker to inject an arbitrary script.

6.1
2022-12-07 CVE-2022-44153 Rapidscada Cross-site Scripting vulnerability in Rapidscada Rapid Scada 5.8.4

Rapid Software LLC Rapid SCADA 5.8.4 is vulnerable to Cross Site Scripting (XSS).

6.1
2022-12-07 CVE-2022-45917 Ilias Open Redirect vulnerability in Ilias

ILIAS before 7.16 has an Open Redirect.

6.1
2022-12-06 CVE-2022-45848 Contest Gallery Cross-site Scripting vulnerability in Contest-Gallery Contest Gallery

Unauth.

6.1
2022-12-06 CVE-2022-43369 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Auto/Taxi Stand Management System 1.0

AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.

6.1
2022-12-06 CVE-2022-43363 Telegram Cross-site Scripting vulnerability in Telegram 15.3.1

Telegram Web 15.3.1 allows XSS via a certain payload derived from a Target Corporation website.

6.1
2022-12-06 CVE-2022-40209 Xylusthemes Cross-site Scripting vulnerability in Xylusthemes WP Smart Import 1.0.0/1.0.1/1.0.2

Unauth.

6.1
2022-12-06 CVE-2022-40603 Zyxel Cross-site Scripting vulnerability in Zyxel products

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload.

6.1
2022-12-06 CVE-2022-46151 Pinterest Cross-site Scripting vulnerability in Pinterest Querybook

Querybook is an open source data querying UI.

6.1
2022-12-05 CVE-2022-45769 Clicshopping Cross-site Scripting vulnerability in Clicshopping V3 3.402

A cross-site scripting (XSS) vulnerability in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts or HTML via a crafted URL parameter.

6.1
2022-12-05 CVE-2022-45990 Ecommerce Website Project Cross-site Scripting vulnerability in Ecommerce-Website Project Ecommerce-Website 1.0

A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter.

6.1
2022-12-05 CVE-2022-43556 Concretecms Cross-site Scripting vulnerability in Concretecms Concrete CMS

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized.

6.1
2022-12-05 CVE-2022-43479 SS Proj Open Redirect vulnerability in Ss-Proj Shirasagi 1.14.4/1.15.0

Open redirect vulnerability in SHIRASAGI v1.14.4 to v1.15.0 allows a remote unauthenticated attacker to redirect users to an arbitrary web site and conduct a phishing attack.

6.1
2022-12-05 CVE-2022-43487 Salonbookingsystem Cross-site Scripting vulnerability in Salonbookingsystem Salon Booking System

Cross-site scripting vulnerability in Salon booking system versions prior to 7.9 allows a remote unauthenticated attacker to inject an arbitrary script.

6.1
2022-12-05 CVE-2022-43497 Wordpress Cross-site Scripting vulnerability in Wordpress

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script.

6.1
2022-12-05 CVE-2022-43500 Wordpress Cross-site Scripting vulnerability in Wordpress

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script.

6.1
2022-12-05 CVE-2022-45478 Telepad APP Cleartext Transmission of Sensitive Information vulnerability in Telepad-App Telepad

Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext.

5.9
2022-12-09 CVE-2022-29839 Westerndigital Insufficiently Protected Credentials vulnerability in Westerndigital MY Cloud OS

Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data.

5.5
2022-12-08 CVE-2022-46826 Jetbrains Path Traversal vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.

5.5
2022-12-08 CVE-2022-46827 Jetbrains XXE vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.

5.5
2022-12-08 CVE-2022-39897 Google Information Exposure Through Log Files vulnerability in Google Android 10.0/11.0/12.0

Exposure of Sensitive Information vulnerability in kernel prior to SMR Dec-2022 Release 1 allows attackers to access the kernel address information via log.

5.5
2022-12-08 CVE-2022-39905 Google Unspecified vulnerability in Google Android

Implicit intent hijacking vulnerability in Telecom application prior to SMR Dec-2022 Release 1 allows attacker to access sensitive information via implicit intent.

5.5
2022-12-08 CVE-2022-39909 Samsung Insufficient Verification of Data Authenticity vulnerability in Samsung Gear Iconx PC Manager 2.1.220405.51

Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager prior to version 2.1.221019.51 allows local attackers to create arbitrary file using symbolic link.

5.5
2022-12-08 CVE-2022-39915 Samsung Unspecified vulnerability in Samsung Calendar 12.3.05.10000

Improper access control vulnerability in Calendar prior to versions 11.6.08.0 in Android Q(10), 12.2.11.3000 in Android R(11), 12.3.07.2000 in Android S(12), and 12.4.02.0 in Android T(13) allows attackers to access sensitive information via implicit intent.

5.5
2022-12-08 CVE-2022-45118 Openharmony Incorrect Default Permissions vulnerability in Openharmony 3.1/3.1.1/3.1.2

OpenHarmony-v3.1.2 and prior versions had a vulnerability that telephony in communication subsystem sends public events with personal data, but the permission is not set.

5.5
2022-12-07 CVE-2022-41783 TP Link Unspecified vulnerability in Tp-Link Re3000 Firmware

tdpServer of TP-Link RE300 V1 improperly processes its input, which may allow an attacker to cause a denial-of-service (DoS) condition of the product's OneMesh function.

5.5
2022-12-07 CVE-2022-42328 Linux
Debian
Improper Locking vulnerability in multiple products

Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328).

5.5
2022-12-07 CVE-2022-42329 Linux
Debian
Improper Locking vulnerability in multiple products

Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328).

5.5
2022-12-06 CVE-2022-4296 TP Link Improper Resource Shutdown or Release vulnerability in Tp-Link Tl-Wr740N Firmware

A vulnerability classified as problematic has been found in TP-Link TL-WR740N.

5.5
2022-12-06 CVE-2022-39106 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In sensor driver, there is a possible out of bounds write due to a missing bounds check.

5.5
2022-12-06 CVE-2022-39129 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In face detect driver, there is a possible out of bounds write due to a missing bounds check.

5.5
2022-12-06 CVE-2022-39130 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In face detect driver, there is a possible out of bounds write due to a missing bounds check.

5.5
2022-12-06 CVE-2022-39131 Google Improper Locking vulnerability in Google Android 10.0/11.0/12.0

In camera driver, there is a possible memory corruption due to improper locking.

5.5
2022-12-06 CVE-2022-39132 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In camera driver, there is a possible out of bounds write due to a missing bounds check.

5.5
2022-12-06 CVE-2022-39133 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42754 Google Use After Free vulnerability in Google Android 10.0/11.0/12.0

In npu driver, there is a memory corruption due to a use after free.

5.5
2022-12-06 CVE-2022-42755 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42756 Google Classic Buffer Overflow vulnerability in Google Android 10.0/11.0/12.0

In sensor driver, there is a possible buffer overflow due to a missing bounds check.

5.5
2022-12-06 CVE-2022-42759 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42760 Google Classic Buffer Overflow vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42761 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42762 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42763 Google Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42764 Google Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42765 Google Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42766 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing permission check, This could lead to local information disclosure.

5.5
2022-12-06 CVE-2022-42772 Google Out-of-bounds Write vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42773 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42774 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42775 Google Improper Locking vulnerability in Google Android 10.0/11.0/12.0

In camera driver, there is a possible memory corruption due to improper locking.

5.5
2022-12-06 CVE-2022-42779 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42780 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42781 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

5.5
2022-12-06 CVE-2022-42782 Google Missing Authorization vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing permission check, This could lead to local information disclosure.

5.5
2022-12-05 CVE-2022-4293 VIM Floating Point Comparison with Incorrect Operator vulnerability in VIM

Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.

5.5
2022-12-05 CVE-2022-4269 Linux Deadlock vulnerability in Linux Kernel 4.1

A flaw was found in the Linux kernel Traffic Control (TC) subsystem.

5.5
2022-12-11 CVE-2022-4408 Phpmyfaq Cross-site Scripting vulnerability in PHPmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.9.

5.4
2022-12-11 CVE-2022-4401 Pallidlight Online Course Selection System Project Cross-site Scripting vulnerability in Pallidlight Online Course Selection System Project Pallidlight Online Course Selection System

A vulnerability was found in pallidlight online-course-selection-system.

5.4
2022-12-10 CVE-2022-4396 Pyrdfa3 Project Cross-site Scripting vulnerability in Pyrdfa3 Project Pyrdfa3

A vulnerability was found in RDFlib pyrdfa3 and classified as problematic.

5.4
2022-12-09 CVE-2022-34297 Yiiframework Cross-site Scripting vulnerability in Yiiframework GII

Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.

5.4
2022-12-09 CVE-2022-41299 IBM Cross-site Scripting vulnerability in IBM Cloud Transformation Advisor

IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting.

5.4
2022-12-09 CVE-2022-25629 Symantec Cross-site Scripting vulnerability in Symantec Messaging Gateway

An authenticated user who has the privilege to add/edit annotations on the Content tab, can craft a malicious annotation that can be executed on the annotations page (Annotation Text Column).

5.4
2022-12-09 CVE-2022-25630 Symantec Cross-site Scripting vulnerability in Symantec Messaging Gateway

An authenticated user can embed malicious content with XSS into the admin group policy page.

5.4
2022-12-09 CVE-2022-4336 BT Cross-site Scripting vulnerability in BT Baota

In BAOTA linux panel there exists a stored xss vulnerability attackers can use to obtain sensitive information via the log analysis feature.

5.4
2022-12-09 CVE-2022-4377 S CMS Cross-site Scripting vulnerability in S-Cms 5.0

A vulnerability was found in S-CMS 5.0 Build 20220328.

5.4
2022-12-08 CVE-2022-41947 Dhis2 Cross-site Scripting vulnerability in Dhis2 Dhis 2

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization.

5.4
2022-12-08 CVE-2022-38754 Microfocus Cross-site Scripting vulnerability in Microfocus Operations Bridge and Operations Bridge Manager

A potential vulnerability has been identified in Micro Focus Operations Bridge - Containerized.

5.4
2022-12-08 CVE-2020-36609 Duxcms Project Improper Enforcement of Message or Data Structure vulnerability in Duxcms Project Duxcms 2.1

A vulnerability was found in annyshow DuxCMS 2.1.

5.4
2022-12-08 CVE-2022-4353 PB CMS Project Cross-site Scripting vulnerability in Pb-Cms Project Pb-Cms 2.0

A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic.

5.4
2022-12-08 CVE-2022-4347 Beetl BBS Project Improper Enforcement of Message or Data Structure vulnerability in Beetl-Bbs Project Beetl-Bbs

A vulnerability was found in xiandafu beetl-bbs.

5.4
2022-12-07 CVE-2022-44361 Zzcms Cross-site Scripting vulnerability in Zzcms 2022

An issue was discovered in ZZCMS 2022.

5.4
2022-12-07 CVE-2022-45217 Book Store Management System Project Cross-site Scripting vulnerability in Book Store Management System Project Book Store Management System 1.0.0

A cross-site scripting (XSS) vulnerability in Book Store Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Level parameter under the Add New System User module.

5.4
2022-12-07 CVE-2022-45916 Ilias Cross-site Scripting vulnerability in Ilias

ILIAS before 7.16 allows XSS.

5.4
2022-12-06 CVE-2022-45816 Dev4Press Cross-site Scripting vulnerability in Dev4Press GD Bbpress Attachments

Auth.

5.4
2022-12-06 CVE-2022-23466 Teler Project Cross-site Scripting vulnerability in Teler Project Teler 2.0.0

teler is an real-time intrusion detection and threat alert dashboard.

5.4
2022-12-06 CVE-2022-38379 Fortinet Cross-site Scripting vulnerability in Fortinet Fortisoar 7.0.0/7.0.1/7.2.0

Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR.

5.4
2022-12-06 CVE-2022-40680 Fortinet Cross-site Scripting vulnerability in Fortinet Fortios

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.

5.4
2022-12-05 CVE-2022-43706 Stackstorm Cross-site Scripting vulnerability in Stackstorm

Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users.

5.4
2022-12-05 CVE-2021-34181 Tomexam Cross-site Scripting vulnerability in Tomexam 3.0

Cross Site Scripting (XSS) vulnerability in TomExam 3.0 via p_name parameter to list.thtml.

5.4
2022-12-05 CVE-2022-43097 User Registration User Management System Project Cross-site Scripting vulnerability in User Registration & User Management System Project User Registration & User Management System 3.0

Phpgurukul User Registration & User Management System v3.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & login pages.

5.4
2022-12-05 CVE-2022-43499 SS Proj Cross-site Scripting vulnerability in Ss-Proj Shirasagi

Stored cross-site scripting vulnerability in SHIRASAGI versions prior to v1.16.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

5.4
2022-12-09 CVE-2022-45292 Funkwhale Operation on a Resource after Expiration or Release vulnerability in Funkwhale 1.2.8

User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.

5.3
2022-12-08 CVE-2022-41717 Golang
Fedoraproject
Allocation of Resources Without Limits or Throttling vulnerability in multiple products

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

5.3
2022-12-08 CVE-2022-46830 Jetbrains Server-Side Request Forgery (SSRF) vulnerability in Jetbrains Teamcity 2022.10

In JetBrains TeamCity between 2022.10 and 2022.10.1 a custom STS endpoint allowed internal port scanning.

5.3
2022-12-08 CVE-2022-45877 Openharmony Cleartext Transmission of Sensitive Information vulnerability in Openharmony

OpenHarmony-v3.1.4 and prior versions had an vulnerability.

5.3
2022-12-08 CVE-2022-4122 Podman Project
Fedoraproject
Link Following vulnerability in multiple products

A vulnerability was found in buildah.

5.3
2022-12-07 CVE-2020-36565 Labstack Path Traversal vulnerability in Labstack Echo

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

5.3
2022-12-07 CVE-2022-45910 Apache Injection vulnerability in Apache Manifoldcf

Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string are passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions.

5.3
2022-12-05 CVE-2022-43557 BD Improper Authentication vulnerability in BD products

The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface.

5.3
2022-12-05 CVE-2022-43504 Wordpress Improper Authentication vulnerability in Wordpress

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature.

5.3
2022-12-09 CVE-2022-33187 Broadcom Information Exposure Through Log Files vulnerability in Broadcom Brocade Sannav

Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs.

4.9
2022-12-08 CVE-2022-46831 Jetbrains Insecure Default Initialization of Resource vulnerability in Jetbrains Teamcity 2022.10

In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators.

4.9
2022-12-08 CVE-2022-40939 Secu Cleartext Transmission of Sensitive Information vulnerability in Secu Secustation Firmware

In certain Secustation products the administrator account password can be read.

4.9
2022-12-06 CVE-2022-45326 Kwoksys XXE vulnerability in Kwoksys Information Server

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

4.9
2022-12-05 CVE-2022-42706 Sangoma Path Traversal vulnerability in Sangoma Asterisk and Certified Asterisk

An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1.

4.9
2022-12-09 CVE-2022-44213 Zkteco Cross-site Scripting vulnerability in Zkteco Automatic Data Master Server

ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS).

4.8
2022-12-08 CVE-2022-3260 Redhat Improper Restriction of Rendered UI Layers or Frames vulnerability in Redhat Openshift 4.9

The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack..

4.8
2022-12-07 CVE-2022-37406 Ricoh Cross-site Scripting vulnerability in Ricoh Aficio SP 4210N Firmware

Cross-site scripting vulnerability in Aficio SP 4210N firmware versions prior to Web Support 1.05 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

4.8
2022-12-07 CVE-2022-41994 Basercms Cross-site Scripting vulnerability in Basercms

Stored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

4.8
2022-12-07 CVE-2022-42486 Basercms Cross-site Scripting vulnerability in Basercms

Stored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

4.8
2022-12-07 CVE-2022-45008 Online Leave Management System Project Cross-site Scripting vulnerability in Online Leave Management System Project Online Leave Management System 1.0

Online Leave Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /leave_system/admin/?page=maintenance/department.

4.8
2022-12-05 CVE-2022-3426 Advanced WP Columns Project Unspecified vulnerability in Advanced WP Columns Project Advanced WP Columns 2.0.6

The Advanced WP Columns WordPress plugin through 2.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-05 CVE-2022-3830 Themeum Unspecified vulnerability in Themeum WP Page Builder

The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-05 CVE-2022-3837 Wpmanage Unspecified vulnerability in Wpmanage UJI Countdown

The Uji Countdown WordPress plugin before 2.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-05 CVE-2022-3838 Wpupper Share Buttons Project Cross-site Scripting vulnerability in Wpupper Share Buttons Project Wpupper Share Buttons 3.42

The WPUpper Share Buttons WordPress plugin through 3.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-05 CVE-2022-3892 WP Oauth Unspecified vulnerability in Wp-Oauth WP Oauth Server

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2022-12-05 CVE-2022-3909 ADD Comments Project Unspecified vulnerability in ADD Comments Project ADD Comments 1.0.1

The Add Comments WordPress plugin through 1.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-05 CVE-2022-41830 Kyocera Cross-site Scripting vulnerability in Kyocera products

Stored cross-site scripting vulnerability in Kyocera Document Solutions MFPs and printers allows a remote authenticated attacker with an administrative privilege to inject arbitrary script.

4.8
2022-12-06 CVE-2022-39134 Google Race Condition vulnerability in Google Android 10.0/11.0/12.0

In audio driver, there is a use after free due to a race condition.

4.7
2022-12-06 CVE-2022-42770 Google Race Condition vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a race condition, This could lead to local denial of service in wlan services.

4.7
2022-12-06 CVE-2022-42771 Google Race Condition vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a race condition, This could lead to local denial of service in wlan services.

4.7
2022-12-09 CVE-2022-29838 Westerndigital Improper Authentication vulnerability in Westerndigital MY Cloud OS

Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset.

4.6
2022-12-08 CVE-2022-39900 Google Unspecified vulnerability in Google Android 11.0/12.0/13.0

Improper access control vulnerability in Nice Catch prior to SMR Dec-2022 Release 1 allows physical attackers to access contents of all toast generated in the application installed in Secure Folder through Nice Catch.

4.6
2022-12-05 CVE-2022-23467 Openrazer Project Out-of-bounds Read vulnerability in Openrazer Project Openrazer

OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux.

4.6
2022-12-05 CVE-2022-43442 FSI Insufficiently Protected Credentials vulnerability in FSI Fs040U Firmware

Plaintext storage of a password vulnerability exists in +F FS040U software versions v2.3.4 and earlier, which may allow an attacker to obtain the login password of +F FS040U and log in to the management console.

4.6
2022-12-09 CVE-2022-4264 M Files Improper Privilege Management vulnerability in M-Files

Incorrect Privilege Assignment in M-Files Web (Classic) in M-Files before 22.8.11691.0 allows low privilege user to change some configuration.

4.3
2022-12-08 CVE-2022-41949 Dhis2 Server-Side Request Forgery (SSRF) vulnerability in Dhis2 Dhis 2

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization.

4.3
2022-12-08 CVE-2022-46158 Prestashop Missing Authorization vulnerability in Prestashop

PrestaShop is an open-source e-commerce solution.

4.3
2022-12-08 CVE-2022-39899 Google Improper Authentication vulnerability in Google Android

Improper authentication vulnerability in Samsung WindowManagerService prior to SMR Dec-2022 Release 1 allows attacker to send the input event using S Pen gesture.

4.3
2022-12-06 CVE-2022-42768 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

4.3
2022-12-08 CVE-2022-39910 Samsung Unspecified vulnerability in Samsung Pass 4.0.05.1

Improper access control vulnerability in Samsung Pass prior to version 4.0.06.7 allow physical attackers to access data of Samsung Pass on a certain state of an unlocked device using pop-up view.

4.2

19 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-10 CVE-2022-23485 Sentry Improper Privilege Management vulnerability in Sentry

Sentry is an error tracking and performance monitoring platform.

3.7
2022-12-08 CVE-2022-46825 Jetbrains Inadequate Encryption Strength vulnerability in Jetbrains Intellij Idea

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.

3.3
2022-12-08 CVE-2022-39894 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in ContactListStartActivityHelper in Phone prior to SMR Dec-2022 Release 1 allows to access sensitive information via implicit intent.

3.3
2022-12-08 CVE-2022-39895 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerability in ContactListUtils in Phone prior to SMR Dec-2022 Release 1 allows to access contact group information via implicit intent.

3.3
2022-12-08 CVE-2022-39896 Google Unspecified vulnerability in Google Android 10.0/11.0/12.0

Improper access control vulnerabilities in Contacts prior to SMR Dec-2022 Release 1 allows to access sensitive information via implicit intent.

3.3
2022-12-08 CVE-2022-39898 Google Unspecified vulnerability in Google Android

Improper access control vulnerability in IIccPhoneBook prior to SMR Dec-2022 Release 1 allows attackers to access some information of usim.

3.3
2022-12-08 CVE-2022-39903 Google Incorrect Authorization vulnerability in Google Android

Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.

3.3
2022-12-08 CVE-2022-39904 Google Information Exposure vulnerability in Google Android 10.0/11.0/12.0

Exposure of Sensitive Information vulnerability in Samsung Settings prior to SMR Dec-2022 Release 1 allows local attackers to access the Network Access Identifier via log.

3.3
2022-12-08 CVE-2022-39906 Google Unspecified vulnerability in Google Android

Improper access control vulnerability in SecTelephonyProvider prior to SMR Dec-2022 Release 1 allows attackers to access message information.

3.3
2022-12-08 CVE-2022-39912 Google Improper Handling of Exceptional Conditions vulnerability in Google Android

Improper handling of insufficient permissions vulnerability in setSecureFolderPolicy in PersonaManagerService prior to Android T(13) allows local attackers to set some setting value in Secure folder.

3.3
2022-12-08 CVE-2022-39913 Google Incorrect Authorization vulnerability in Google Android

Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager prior to Android T(13) allows local attacker to access user profiles information.

3.3
2022-12-08 CVE-2022-39914 Google Incorrect Authorization vulnerability in Google Android

Exposure of Sensitive Information from an Unauthorized Actor vulnerability in Samsung DisplayManagerService prior to Android T(13) allows local attacker to access connected DLNA device information.

3.3
2022-12-08 CVE-2022-41802 Openharmony Out-of-bounds Write vulnerability in Openharmony 3.1/3.1.1/3.1.2

Kernel subsystem within OpenHarmony-v3.1.4 and prior versions in kernel_liteos_a has a kernel stack overflow vulnerability when call SysClockGetres.

3.3
2022-12-08 CVE-2022-4123 Podman Project
Fedoraproject
Path Traversal vulnerability in multiple products

A flaw was found in Buildah.

3.3
2022-12-06 CVE-2022-42757 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

3.3
2022-12-06 CVE-2022-42758 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

3.3
2022-12-06 CVE-2022-42767 Google Integer Overflow or Wraparound vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

3.3
2022-12-06 CVE-2022-42769 Google Out-of-bounds Read vulnerability in Google Android 10.0/11.0/12.0

In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.

3.3
2022-12-06 CVE-2022-34881 Hitachi Information Exposure Through an Error Message vulnerability in Hitachi Jp1/Automatic Operation

Generation of Error Message Containing Sensitive Information vulnerability in Hitachi JP1/Automatic Operation allows local users to gain sensitive information. This issue affects JP1/Automatic Operation: from 10-00 through 10-54-03, from 11-00 before 11-51-09, from 12-00 before 12-60-01.

3.3