Weekly Vulnerabilities Reports > December 19 to 25, 2022
Overview
628 new vulnerabilities reported during this period, including 110 critical vulnerabilities and 232 high severity vulnerabilities. This weekly summary report vulnerabilities in 300 products from 162 vendors including Mozilla, IBM, Debian, Tenda, and Openimageio. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Classic Buffer Overflow", "Use After Free", and "Path Traversal".
- 565 reported vulnerabilities are remotely exploitables.
- 188 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 477 reported vulnerabilities are exploitable by an anonymous user.
- Mozilla has the most reported vulnerabilities, with 58 reported vulnerabilities.
- IP COM has the most reported critical vulnerabilities, with 15 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
110 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-12-22 | CVE-2021-4140 | It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. | 10.0 | |
2022-12-23 | CVE-2022-46641 | Dlink | Command Injection vulnerability in Dlink Dir-846 Firmware 100A43 D-Link DIR-846 A1_FW100A43 was discovered to contain a command injection vulnerability via the lan(0)_dhcps_staticlist parameter in the SetIpMacBindSettings function. | 9.9 |
2022-12-23 | CVE-2022-46642 | Dlink | Command Injection vulnerability in Dlink Dir-846 Firmware 100A43 D-Link DIR-846 A1_FW100A43 was discovered to contain a command injection vulnerability via the auto_upgrade_hour parameter in the SetAutoUpgradeInfo function. | 9.9 |
2022-12-25 | CVE-2020-36630 | Sangoma | SQL Injection vulnerability in Sangoma Freepbx A vulnerability was found in FreePBX cdr 14.0. | 9.8 |
2022-12-25 | CVE-2020-36631 | DWC Network Server Emulator Project | SQL Injection vulnerability in DWC Network Server Emulator Project DWC Network Server Emulator A vulnerability was found in barronwaffles dwc_network_server_emulator. | 9.8 |
2022-12-25 | CVE-2020-36632 | Flat Project | Unspecified vulnerability in Flat Project Flat A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. | 9.8 |
2022-12-25 | CVE-2021-4279 | Starcounter Jack | Unspecified vulnerability in Starcounter-Jack Json-Patch A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. | 9.8 |
2022-12-25 | CVE-2022-4737 | Blood Bank Management System Project | SQL Injection vulnerability in Blood Bank Management System Project Blood Bank Management System 1.0 A vulnerability was found in SourceCodester Blood Bank Management System 1.0. | 9.8 |
2022-12-25 | CVE-2022-4739 | School Dormitory Management System Project | SQL Injection vulnerability in School Dormitory Management System Project School Dormitory Management System 1.0 A vulnerability classified as critical was found in SourceCodester School Dormitory Management System 1.0. | 9.8 |
2022-12-25 | CVE-2020-36628 | Android Processing Development Environment Project | Path Traversal vulnerability in Android Processing Development Environment Project Android Processing Development Environment A vulnerability classified as critical has been found in Calsign APDE. | 9.8 |
2022-12-25 | CVE-2022-44015 | An issue was discovered in Simmeth Lieferantenmanager before 5.6. | 9.8 | |
2022-12-25 | CVE-2022-44640 | Heimdal Project Samba | Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC). | 9.8 |
2022-12-25 | CVE-2022-45896 | Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. | 9.8 | |
2022-12-24 | CVE-2022-47949 | Nintendo | Classic Buffer Overflow vulnerability in Nintendo products The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code via a large UDP packet that causes a buffer overflow, aka ENLBufferPwn. | 9.8 |
2022-12-23 | CVE-2022-47945 | Thinkphp | Path Traversal vulnerability in Thinkphp ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). | 9.8 |
2022-12-23 | CVE-2022-45706 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the hostname parameter in the formSetNetCheckTools function. | 9.8 |
2022-12-23 | CVE-2022-45707 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the rules parameter in the formAddDnsHijack function. | 9.8 |
2022-12-23 | CVE-2022-45708 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the sPortMapIndex parameter in the formDelPortMapping function. | 9.8 |
2022-12-23 | CVE-2022-45709 | IP COM | OS Command Injection vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain multiple command injection vulnerabilities via the pEnable, pLevel, and pModule parameters in the formSetDebugCfg function. | 9.8 |
2022-12-23 | CVE-2022-45710 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain multiple buffer overflows via the pEnable, pLevel, and pModule parameters in the formSetDebugCfg function. | 9.8 |
2022-12-23 | CVE-2022-45711 | IP COM | OS Command Injection vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a command injection vulnerability via the hostname parameter in the formSetNetCheckTools function. | 9.8 |
2022-12-23 | CVE-2022-45712 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the rules parameter in the formAddDnsForward function. | 9.8 |
2022-12-23 | CVE-2022-45714 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the indexSet parameter in the formQOSRuleDel function. | 9.8 |
2022-12-23 | CVE-2022-45715 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain multiple buffer overflows via the pLanPortRange and pWanPortRange parameters in the formSetPortMapping function. | 9.8 |
2022-12-23 | CVE-2022-45716 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the indexSet parameter in the formIPMacBindDel function. | 9.8 |
2022-12-23 | CVE-2022-45717 | IP COM | OS Command Injection vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a command injection vulnerability via the usbPartitionName parameter in the formSetUSBPartitionUmount function. | 9.8 |
2022-12-23 | CVE-2022-45718 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the rules parameter in the formIPMacBindAdd function. | 9.8 |
2022-12-23 | CVE-2022-45719 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the gotoUrl parameter in the formPortalAuth function. | 9.8 |
2022-12-23 | CVE-2022-45720 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain multiple buffer overflows via the ip, mac, and remark parameters in the formIPMacBindModify function. | 9.8 |
2022-12-23 | CVE-2022-45721 | IP COM | Classic Buffer Overflow vulnerability in Ip-Com M50 Firmware 15.11.0.33 IP-COM M50 V15.11.0.33(10768) was discovered to contain a buffer overflow via the picName parameter in the formDelWewifiPic function. | 9.8 |
2022-12-23 | CVE-2022-47939 | Linux | Use After Free vulnerability in Linux Kernel An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. | 9.8 |
2022-12-23 | CVE-2022-23547 | Pjsip | Heap-based Buffer Overflow vulnerability in Pjsip PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. | 9.8 |
2022-12-23 | CVE-2022-44567 | A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). | 9.8 | |
2022-12-23 | CVE-2022-4686 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0. | 9.8 |
2022-12-22 | CVE-2022-46493 | Nbnbk Project | Unrestricted Upload of File with Dangerous Type vulnerability in Nbnbk Project Nbnbk Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img. | 9.8 |
2022-12-22 | CVE-2022-38143 | Openimageio | Write-what-where Condition vulnerability in Openimageio 2.3.19.0 A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. | 9.8 |
2022-12-22 | CVE-2022-41639 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. | 9.8 |
2022-12-22 | CVE-2022-41794 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. | 9.8 |
2022-12-22 | CVE-2022-41837 | Openimageio Debian | Return of Stack Variable Address vulnerability in multiple products An out-of-bounds write vulnerability exists in the OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 9.8 |
2022-12-22 | CVE-2022-41838 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 9.8 |
2022-12-22 | CVE-2021-4127 | An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited. | 9.8 | |
2022-12-22 | CVE-2021-4129 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox ESR Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94. | 9.8 |
2022-12-22 | CVE-2022-1887 | The search term could have been specified externally to trigger SQL injection. | 9.8 | |
2022-12-22 | CVE-2022-29917 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Thunderbird Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. | 9.8 |
2022-12-22 | CVE-2022-31736 | A malicious website could have learned the size of a cross-origin resource that supported Range requests. | 9.8 | |
2022-12-22 | CVE-2022-31737 | A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. | 9.8 | |
2022-12-22 | CVE-2022-31747 | Mozilla | Use After Free vulnerability in Mozilla Firefox Mozilla developers Andrew McCreight, Nicolas B. | 9.8 |
2022-12-22 | CVE-2022-31748 | Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. | 9.8 | |
2022-12-22 | CVE-2022-34470 | Session history navigations may have led to a use-after-free and potentially exploitable crash. | 9.8 | |
2022-12-22 | CVE-2022-34476 | ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1. | 9.8 | |
2022-12-22 | CVE-2022-34485 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox 101.0/101.0.1 Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. | 9.8 |
2022-12-22 | CVE-2022-36320 | Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. | 9.8 | |
2022-12-22 | CVE-2022-45406 | Mozilla | Use After Free vulnerability in Mozilla Firefox If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. | 9.8 |
2022-12-22 | CVE-2022-46882 | Mozilla | Use After Free vulnerability in Mozilla Firefox A use-after-free in WebGL extensions could have led to a potentially exploitable crash. | 9.8 |
2022-12-22 | CVE-2022-46170 | Codeigniter | Improper Authentication vulnerability in Codeigniter CodeIgniter is a PHP full-stack web framework. | 9.8 |
2022-12-22 | CVE-2022-46102 | Ayacms Project | Unrestricted Upload of File with Dangerous Type vulnerability in Ayacms Project Ayacms 3.1.2 AyaCMS 3.1.2 is vulnerable to Arbitrary file upload via /aya/module/admin/fst_down.inc.php | 9.8 |
2022-12-22 | CVE-2022-47926 | Ayacms Project | Argument Injection or Modification vulnerability in Ayacms Project Ayacms 3.1.2 AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php | 9.8 |
2022-12-22 | CVE-2022-45966 | Classcms Project | Unrestricted Upload of File with Dangerous Type vulnerability in Classcms Project Classcms 3.5 here is an arbitrary file upload vulnerability in the file management function module of Classcms3.5. | 9.8 |
2022-12-22 | CVE-2022-45347 | Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. | 9.8 | |
2022-12-21 | CVE-2022-3183 | Dataprobe | OS Command Injection vulnerability in Dataprobe products Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specific function does not sanitize the input provided by the user, which may expose the affected to an OS command injection vulnerability. | 9.8 |
2022-12-21 | CVE-2022-3184 | Dataprobe | Path Traversal vulnerability in Dataprobe products Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the device’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory. | 9.8 |
2022-12-21 | CVE-2022-4639 | Sslh Project | Use of Externally-Controlled Format String vulnerability in Sslh Project Sslh 2.0 A vulnerability, which was classified as critical, has been found in sslh. | 9.8 |
2022-12-21 | CVE-2022-4643 | Search | OS Command Injection vulnerability in Search Docconv 1.0.0/1.1.0/1.2.0 A vulnerability was found in docconv up to 1.2.0. | 9.8 |
2022-12-21 | CVE-2022-40145 | Apache | Unspecified vulnerability in Apache Karaf This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8 | 9.8 |
2022-12-21 | CVE-2022-47635 | Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS4 before 4.04.45396.23 allows Server-side request forgery (SSRF) via ZohoClient.php. | 9.8 | |
2022-12-21 | CVE-2022-24431 | Abacus EXT Cmdline Project | OS Command Injection vulnerability in Abacus-Ext-Cmdline Project Abacus-Ext-Cmdline All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization. | 9.8 |
2022-12-21 | CVE-2022-25893 | The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. | 9.8 | |
2022-12-21 | CVE-2022-38546 | A DNS misconfiguration was found in Zyxel NBG7510 firmware versions prior to V1.00(ABZY.3)C0, which could allow an unauthenticated attacker to access the DNS server when the device is switched to the AP mode. | 9.8 | |
2022-12-20 | CVE-2022-47629 | Gnupg Debian | Integer Overflow or Wraparound vulnerability in multiple products Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. | 9.8 |
2022-12-20 | CVE-2022-23542 | Openfga | Improper Authorization vulnerability in Openfga OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. | 9.8 |
2022-12-20 | CVE-2022-46316 | A thread security vulnerability exists in the authentication process. | 9.8 | |
2022-12-20 | CVE-2022-46319 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Harmonyos Fingerprint calibration has a vulnerability of lacking boundary judgment. | 9.8 |
2022-12-20 | CVE-2022-46320 | Huawei | Out-of-bounds Read vulnerability in Huawei Emui and Harmonyos The kernel module has an out-of-bounds read vulnerability. | 9.8 |
2022-12-20 | CVE-2022-46323 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Harmonyos Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause system service exceptions. | 9.8 |
2022-12-20 | CVE-2022-46324 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Harmonyos Some smartphones have the out-of-bounds write vulnerability. | 9.8 |
2022-12-20 | CVE-2022-46325 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Harmonyos Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause system service exceptions. | 9.8 |
2022-12-20 | CVE-2022-46326 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Harmonyos Some smartphones have the out-of-bounds write vulnerability. | 9.8 |
2022-12-20 | CVE-2022-46327 | Huawei | Unspecified vulnerability in Huawei Emui and Harmonyos Some smartphones have configuration issues. | 9.8 |
2022-12-20 | CVE-2022-23537 | Teluu Debian | Heap-based Buffer Overflow vulnerability in multiple products PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. | 9.8 |
2022-12-20 | CVE-2022-46020 | Wbce | Unrestricted Upload of File with Dangerous Type vulnerability in Wbce CMS 1.5.4 WBCE CMS v1.5.4 can implement getshell by modifying the upload file type. | 9.8 |
2022-12-20 | CVE-2022-40624 | pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814. | 9.8 | |
2022-12-20 | CVE-2022-46538 | Tenda | OS Command Injection vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a command injection vulnerability via the mac parameter at /goform/WriteFacMac. | 9.8 |
2022-12-20 | CVE-2022-46421 | Apache | Command Injection vulnerability in Apache Apache-Airflow-Providers-Apache-Hive Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 5.0.0. | 9.8 |
2022-12-20 | CVE-2022-25171 | P4 Project | OS Command Injection vulnerability in P4 Project P4 The package p4 before 0.0.7 are vulnerable to Command Injection via the run() function due to improper input sanitization | 9.8 |
2022-12-20 | CVE-2022-25904 | All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. | 9.8 | |
2022-12-19 | CVE-2022-44108 | Pdftojson Project | Out-of-bounds Write vulnerability in Pdftojson Project Pdftojson pdftojson commit 94204bb was discovered to contain a stack overflow via the component Object::copy(Object*):Object.cc. | 9.8 |
2022-12-19 | CVE-2022-44109 | pdftojson commit 94204bb was discovered to contain a stack overflow via the component Stream::makeFilter(char*, Stream*, Object*, int). | 9.8 | |
2022-12-19 | CVE-2022-40434 | Softr | Cross-site Scripting vulnerability in Softr 2.0 Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page. | 9.8 |
2022-12-19 | CVE-2021-33640 | Huawei Fedoraproject | Use After Free vulnerability in multiple products After tar_close(), libtar.c releases the memory pointed to by pointer t. | 9.8 |
2022-12-19 | CVE-2022-28173 | The web server of some Hikvision wireless bridge products have an access control vulnerability which can be used to obtain the admin permission. | 9.8 | |
2022-12-19 | CVE-2020-36618 | Furqansofware | Unspecified vulnerability in Furqansofware Node Whois A vulnerability classified as critical has been found in Furqan node-whois. | 9.8 |
2022-12-19 | CVE-2020-36619 | Multimon NG Project | Use of Externally-Controlled Format String vulnerability in Multimon-Ng Project Multimon-Ng A vulnerability was found in multimon-ng. | 9.8 |
2022-12-19 | CVE-2021-4259 | Phpredisadmin Project | Use of Wrong Operator in String Comparison vulnerability in PHPredisadmin Project PHPredisadmin A vulnerability was found in phpRedisAdmin up to 1.16.1. | 9.8 |
2022-12-19 | CVE-2021-4261 | Pacman Canvas Project | SQL Injection vulnerability in Pacman-Canvas Project Pacman-Canvas A vulnerability classified as critical has been found in pacman-canvas up to 1.0.5. | 9.8 |
2022-12-19 | CVE-2021-4262 | Laravel Jqgrid Project | SQL Injection vulnerability in Laravel Jqgrid Project Laravel Jqgrid A vulnerability classified as critical was found in laravel-jqgrid. | 9.8 |
2022-12-19 | CVE-2022-4050 | Beardev | Unspecified vulnerability in Beardev Joomsport The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users | 9.8 |
2022-12-19 | CVE-2022-4063 | Pluginus | Path Traversal vulnerability in Pluginus Inpost Gallery 2.1.4.1 The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers. | 9.8 |
2022-12-19 | CVE-2022-4427 | Otrs | SQL Injection vulnerability in Otrs Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | 9.8 |
2022-12-19 | CVE-2022-44456 | CONPROSYS HMI System (CHS) Ver.3.4.4?and earlier allows a remote unauthenticated attacker to execute an arbitrary OS command on the server where the product is running by sending a specially crafted request. | 9.8 | |
2022-12-23 | CVE-2021-32692 | Activity Watch is a free and open-source automated time tracker. | 9.6 | |
2022-12-22 | CVE-2022-22759 | Mozilla | Unspecified vulnerability in Mozilla Firefox If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. | 9.6 |
2022-12-22 | CVE-2022-26384 | If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. | 9.6 | |
2022-12-22 | CVE-2022-26486 | An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. | 9.6 | |
2022-12-25 | CVE-2022-44013 | Simmeth | Missing Authentication for Critical Function vulnerability in Simmeth Lieferantenmanager An issue was discovered in Simmeth Lieferantenmanager before 5.6. | 9.1 |
2022-12-25 | CVE-2022-45891 | Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList). | 9.1 | |
2022-12-23 | CVE-2022-28228 | Out-of-bounds read was discovered in YDB server. | 9.1 | |
2022-12-23 | CVE-2022-47931 | Iofinnet | Inadequate Encryption Strength vulnerability in Iofinnet Tss-Lib IO FinNet tss-lib before 2.0.0 allows a collision of hash values. | 9.1 |
2022-12-22 | CVE-2022-41649 | Openimageio Debian | Out-of-bounds Read vulnerability in multiple products A heap out of bounds read vulnerability exists in the handling of IPTC data while parsing TIFF images in OpenImageIO v2.3.19.0. | 9.1 |
2022-12-19 | CVE-2022-44940 | Patchelf Project | Out-of-bounds Read vulnerability in Patchelf Project Patchelf 0.9 Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc. | 9.1 |
2022-12-19 | CVE-2022-38708 | IBM | Server-Side Request Forgery (SSRF) vulnerability in IBM Cognos Analytics IBM Cognos Analytics 11.1.7 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack by constructing URLs from user-controlled data. | 9.1 |
232 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-12-25 | CVE-2022-40005 | Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute. | 8.8 | |
2022-12-25 | CVE-2021-4276 | DNS Stats | SQL Injection vulnerability in Dns-Stats Hedgehog ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in dns-stats hedgehog. | 8.8 |
2022-12-25 | CVE-2022-42898 | MIT Heimdal Project Samba | Integer Overflow or Wraparound vulnerability in multiple products PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. | 8.8 |
2022-12-25 | CVE-2022-45893 | Planet eStream before 6.72.10.07 allows a low-privileged user to gain access to administrative and high-privileged user accounts by changing the value of the ON cookie. | 8.8 | |
2022-12-24 | CVE-2022-46175 | Json5 Fedoraproject | JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. | 8.8 |
2022-12-23 | CVE-2022-47942 | Linux | Out-of-bounds Write vulnerability in Linux Kernel An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. | 8.8 |
2022-12-23 | CVE-2022-4684 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. | 8.8 | |
2022-12-23 | CVE-2022-4688 | Improper Authorization in GitHub repository usememos/memos prior to 0.9.0. | 8.8 | |
2022-12-23 | CVE-2022-4689 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. | 8.8 | |
2022-12-23 | CVE-2022-4665 | Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6. | 8.8 | |
2022-12-22 | CVE-2020-15685 | During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session. | 8.8 | |
2022-12-22 | CVE-2022-0511 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. | 8.8 |
2022-12-22 | CVE-2022-0566 | It may be possible for an attacker to craft an email message that causes Thunderbird to perform an out-of-bounds write of one byte when processing the message. | 8.8 | |
2022-12-22 | CVE-2022-0843 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. | 8.8 |
2022-12-22 | CVE-2022-1529 | An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. | 8.8 | |
2022-12-22 | CVE-2022-1802 | If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. | 8.8 | |
2022-12-22 | CVE-2022-22738 | Applying a CSS filter effect could have accessed out of bounds memory. | 8.8 | |
2022-12-22 | CVE-2022-22740 | Certain network request objects were freed too early when releasing a network request handle. | 8.8 | |
2022-12-22 | CVE-2022-22744 | Mozilla | Improper Encoding or Escaping of Output vulnerability in Mozilla Firefox The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. | 8.8 |
2022-12-22 | CVE-2022-22751 | Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. | 8.8 | |
2022-12-22 | CVE-2022-22752 | Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. | 8.8 | |
2022-12-22 | CVE-2022-22755 | Mozilla | Operation on a Resource after Expiration or Release vulnerability in Mozilla Firefox By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. | 8.8 |
2022-12-22 | CVE-2022-22756 | Mozilla | Unspecified vulnerability in Mozilla Firefox If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. | 8.8 |
2022-12-22 | CVE-2022-22758 | Mozilla | Cleartext Transmission of Sensitive Information vulnerability in Mozilla Firefox When clicking on a tel: link, USSD codes, specified after a <code>\*</code> character, would be included in the phone number. | 8.8 |
2022-12-22 | CVE-2022-22761 | Mozilla | Unspecified vulnerability in Mozilla Firefox Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. | 8.8 |
2022-12-22 | CVE-2022-22763 | When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. | 8.8 | |
2022-12-22 | CVE-2022-22764 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. | 8.8 |
2022-12-22 | CVE-2022-26381 | An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. | 8.8 | |
2022-12-22 | CVE-2022-26485 | Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. | 8.8 | |
2022-12-22 | CVE-2022-28281 | If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. | 8.8 | |
2022-12-22 | CVE-2022-28284 | SVG's <code><use></code> element could have been used to load unexpected content that could have executed script in certain circumstances. | 8.8 | |
2022-12-22 | CVE-2022-28288 | Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. | 8.8 | |
2022-12-22 | CVE-2022-28289 | Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. | 8.8 | |
2022-12-22 | CVE-2022-29909 | Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. | 8.8 | |
2022-12-22 | CVE-2022-29918 | Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. | 8.8 | |
2022-12-22 | CVE-2022-2200 | If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. | 8.8 | |
2022-12-22 | CVE-2022-2505 | Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. | 8.8 | |
2022-12-22 | CVE-2022-31739 | When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.<br>*This bug only affects Firefox for Windows. | 8.8 | |
2022-12-22 | CVE-2022-31740 | Mozilla | Unspecified vulnerability in Mozilla Firefox ESR On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. | 8.8 |
2022-12-22 | CVE-2022-31741 | Mozilla | Use of Uninitialized Resource vulnerability in Mozilla Firefox A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. | 8.8 |
2022-12-22 | CVE-2022-34468 | An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. | 8.8 | |
2022-12-22 | CVE-2022-34480 | Within the <code>lg_init()</code> function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated. | 8.8 | |
2022-12-22 | CVE-2022-34481 | In the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. | 8.8 | |
2022-12-22 | CVE-2022-34482 | An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. | 8.8 | |
2022-12-22 | CVE-2022-34483 | An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. | 8.8 | |
2022-12-22 | CVE-2022-34484 | Mozilla | Use After Free vulnerability in Mozilla Firefox The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. | 8.8 |
2022-12-22 | CVE-2022-38473 | Mozilla | Improper Preservation of Permissions vulnerability in Mozilla Thunderbird A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). | 8.8 |
2022-12-22 | CVE-2022-38477 | Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. | 8.8 | |
2022-12-22 | CVE-2022-38478 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Thunderbird Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. | 8.8 |
2022-12-22 | CVE-2022-40962 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Thunderbird Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. | 8.8 |
2022-12-22 | CVE-2022-42928 | Mozilla | NULL Pointer Dereference vulnerability in Mozilla Firefox Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash. | 8.8 |
2022-12-22 | CVE-2022-42932 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105 and Firefox ESR 102.3. | 8.8 |
2022-12-22 | CVE-2022-45409 | The garbage collector could have been aborted in several states and zones and <code>GCRuntime::finishCollection</code> may not have been called, leading to a use-after-free and potentially exploitable crash. | 8.8 | |
2022-12-22 | CVE-2022-45412 | When resolving a symlink such as <code>file:///proc/self/fd/1</code>, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer. | 8.8 | |
2022-12-22 | CVE-2022-45421 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Thunderbird 102.4. | 8.8 |
2022-12-22 | CVE-2022-46871 | Mozilla Debian | An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. | 8.8 |
2022-12-22 | CVE-2022-46873 | Mozilla | Injection vulnerability in Mozilla Firefox Because Firefox did not implement the <code>unsafe-hashes</code> CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject executable script. | 8.8 |
2022-12-22 | CVE-2022-46874 | Mozilla | Unspecified vulnerability in Mozilla Firefox A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. | 8.8 |
2022-12-22 | CVE-2022-46878 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. | 8.8 |
2022-12-22 | CVE-2022-46879 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. | 8.8 |
2022-12-22 | CVE-2022-46881 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash. *Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. | 8.8 |
2022-12-22 | CVE-2022-46883 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. | 8.8 |
2022-12-22 | CVE-2022-46885 | Mozilla developers Timothy Nikkel, Ashley Hale, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 105. | 8.8 | |
2022-12-22 | CVE-2022-46101 | Ayacms Project | Code Injection vulnerability in Ayacms Project Ayacms 3.1.2 AyaCMS v3.1.2 was found to have a code flaw in the ust_sql.inc.php file, which allows attackers to cause command execution by inserting malicious code. | 8.8 |
2022-12-22 | CVE-2020-36625 | Destiny | Cross-Site Request Forgery (CSRF) vulnerability in Destiny Chat A vulnerability was found in destiny.gg chat. | 8.8 |
2022-12-21 | CVE-2021-4275 | Pyambic Pentameter Project | Cross-Site Request Forgery (CSRF) vulnerability in Pyambic-Pentameter Project Pyambic-Pentameter A vulnerability, which was classified as problematic, was found in katlings pyambic-pentameter. | 8.8 |
2022-12-21 | CVE-2021-4264 | Unspecified vulnerability in Linkedin Dustjs A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. | 8.8 | |
2022-12-21 | CVE-2021-4268 | Phpredisadmin Project | Cross-Site Request Forgery (CSRF) vulnerability in PHPredisadmin Project PHPredisadmin A vulnerability, which was classified as problematic, was found in phpRedisAdmin up to 1.17.3. | 8.8 |
2022-12-21 | CVE-2022-4633 | Auto Upload Images Project | Cross-Site Request Forgery (CSRF) vulnerability in Auto Upload Images Project Auto Upload Images A vulnerability was found in Auto Upload Images up to 3.3.0 and classified as problematic. | 8.8 |
2022-12-21 | CVE-2022-4287 | Devolutions | Unspecified vulnerability in Devolutions Remote Desktop Manager Authentication bypass in local application lock feature in Devolutions Remote Desktop Manager 2022.3.26 and earlier on Windows allows malicious user to access the application. | 8.8 |
2022-12-21 | CVE-2022-38065 | Redhat | Improper Privilege Management vulnerability in Redhat Openstack A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. | 8.8 |
2022-12-20 | CVE-2022-46435 | TP Link | Unspecified vulnerability in Tp-Link products An issue in the firmware update process of TP-Link TL-WR941ND V2/V3 up to 3.13.9 and TL-WR941ND V4 up to 3.12.8 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image. | 8.8 |
2022-12-20 | CVE-2022-46910 | TP Link | Unspecified vulnerability in Tp-Link products An issue in the firmware update process of TP-Link TL-WA901ND V1 up to v3.11.2 and TL-WA901N V2 up to v3.12.16 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image. | 8.8 |
2022-12-20 | CVE-2022-46912 | TP Link | Unspecified vulnerability in Tp-Link Tl-Wr841N Firmware and Tl-Wr841Nd V7 Firmware An issue in the firmware update process of TP-Link TL-WR841N / TL-WA841ND V7 3.13.9 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image. | 8.8 |
2022-12-20 | CVE-2022-46914 | TP Link | Unspecified vulnerability in Tp-Link Tl-Wa801N Firmware and Tl-Wa801Nd V1 Firmware An issue in the firmware update process of TP-LINK TL-WA801N / TL-WA801ND V1 v3.12.16 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image. | 8.8 |
2022-12-20 | CVE-2022-44643 | A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. | 8.8 | |
2022-12-20 | CVE-2022-45942 | Baijiacms Project | OS Command Injection vulnerability in Baijiacms Project Baijiacms 4.0/4.1.4/41420170105 A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4. | 8.8 |
2022-12-19 | CVE-2022-43443 | Buffalo | OS Command Injection vulnerability in Buffalo products OS command injection vulnerability in Buffalo network devices allows an network-adjacent attacker to execute an arbitrary OS command if a specially crafted request is sent to the management page. | 8.8 |
2022-12-25 | CVE-2022-41318 | Squid Cache | Integer Overflow or Wraparound vulnerability in Squid-Cache Squid A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. | 8.6 |
2022-12-22 | CVE-2022-46872 | Mozilla | Unspecified vulnerability in Mozilla Firefox An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.<br>*This bug only affects Thunderbird for Linux. | 8.6 |
2022-12-20 | CVE-2022-38733 | Netapp | Unspecified vulnerability in Netapp Oncommand Insight OnCommand Insight versions 7.3.1 through 7.3.14 are susceptible to an authentication bypass vulnerability in the Data Warehouse component. | 8.6 |
2022-12-19 | CVE-2022-46403 | Microchip | Unspecified vulnerability in Microchip products The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) mishandles reject messages. | 8.6 |
2022-12-23 | CVE-2022-41290 | IBM | Improper Privilege Management vulnerability in IBM AIX and Vios IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the rm_rlcache_file command to obtain root privileges. | 8.4 |
2022-12-21 | CVE-2022-36222 | Nokia | Use of Hard-coded Credentials vulnerability in Nokia Fastmile Firmware 3Tg00118Abad52 Nokia Fastmile 3tg00118abad52 devices shipped by Optus are shipped with a default hardcoded admin account of admin:Nq+L5st7o This account can be used locally to access the web admin interface. | 8.4 |
2022-12-23 | CVE-2022-47633 | Kyverno | Improper Authentication vulnerability in Kyverno 1.8.3/1.8.4 An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. | 8.1 |
2022-12-23 | CVE-2022-47943 | Linux | Out-of-bounds Read vulnerability in Linux Kernel An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. | 8.1 |
2022-12-23 | CVE-2022-47940 | Linux | Out-of-bounds Read vulnerability in Linux Kernel An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. | 8.1 |
2022-12-23 | CVE-2022-4687 | Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0. | 8.1 | |
2022-12-23 | CVE-2022-23539 | Auth0 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. | 8.1 |
2022-12-22 | CVE-2022-41981 | Openimageio Debian | Stack-based Buffer Overflow vulnerability in multiple products A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. | 8.1 |
2022-12-22 | CVE-2022-43597 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 8.1 |
2022-12-22 | CVE-2022-43598 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 8.1 |
2022-12-22 | CVE-2022-43599 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 8.1 |
2022-12-22 | CVE-2022-43600 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 8.1 |
2022-12-22 | CVE-2022-43601 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 8.1 |
2022-12-22 | CVE-2022-43602 | Openimageio Debian | Heap-based Buffer Overflow vulnerability in multiple products Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. | 8.1 |
2022-12-22 | CVE-2022-34469 | When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. | 8.1 | |
2022-12-22 | CVE-2022-3033 | Mozilla | Cross-site Scripting vulnerability in Mozilla Thunderbird If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. | 8.1 |
2022-12-22 | CVE-2022-42927 | Mozilla | Origin Validation Error vulnerability in Mozilla Firefox A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via `performance.getEntries()`. | 8.1 |
2022-12-22 | CVE-2022-45414 | Mozilla | Unspecified vulnerability in Mozilla Thunderbird If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. | 8.1 |
2022-12-20 | CVE-2022-46423 | Netgear | Unspecified vulnerability in Netgear Wnr2000 Firmware An exploitable firmware modification vulnerability was discovered on the Netgear WNR2000v1 router. | 8.1 |
2022-12-20 | CVE-2022-46424 | Netgear | Unspecified vulnerability in Netgear Xwn5001 Firmware 0.4.1.1 An exploitable firmware modification vulnerability was discovered on the Netgear XWN5001 Powerline 500 WiFi Access Point. | 8.1 |
2022-12-25 | CVE-2022-37706 | enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. | 7.8 | |
2022-12-25 | CVE-2021-4278 | Tree KIT Project | Unspecified vulnerability in Tree KIT Project Tree KIT A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. | 7.8 |
2022-12-24 | CVE-2022-45798 | Trendmicro | Link Following vulnerability in Trendmicro Apex ONE 2019 A link following vulnerability in the Damage Cleanup Engine component of Trend Micro Apex One and Trend Micro Apex One as a Service could allow a local attacker to escalate privileges by creating a symbolic link and abusing the service to delete a file. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2022-12-22 | CVE-2022-0517 | Mozilla VPN can load an OpenSSL configuration file from an unsecured directory. | 7.8 | |
2022-12-22 | CVE-2022-3155 | When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. | 7.8 | |
2022-12-22 | CVE-2022-45415 | When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. | 7.8 | |
2022-12-22 | CVE-2022-47896 | In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. | 7.8 | |
2022-12-21 | CVE-2022-46334 | Proofpoint | Improper Privilege Management vulnerability in Proofpoint Enterprise Protection Proofpoint Enterprise Protection (PPS/PoD) contains a vulnerability which allows the pps user to escalate to root privileges due to unnecessary permissions. | 7.8 |
2022-12-21 | CVE-2022-38060 | Openstack | Untrusted Search Path vulnerability in Openstack Kolla A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. | 7.8 |
2022-12-21 | CVE-2022-46282 | Use after free vulnerability in CX-Drive V3.00 and earlier allows a local attacker to execute arbitrary code by having a user to open a specially crafted file, | 7.8 | |
2022-12-21 | CVE-2022-46330 | Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. | 7.8 | |
2022-12-20 | CVE-2022-42046 | wfshbr64.sys and wfshbr32.sys specially crafted IOCTL allows arbitrary user to perform local privilege escalation | 7.8 | |
2022-12-20 | CVE-2022-4515 | Exuberant Ctags Project Debian | OS Command Injection vulnerability in multiple products A flaw was found in Exuberant Ctags in the way it handles the "-o" option. | 7.8 |
2022-12-20 | CVE-2022-47577 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Device Control Plus 10.1.2228.15 An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. | 7.8 |
2022-12-20 | CVE-2022-47578 | Zohocorp | Unspecified vulnerability in Zohocorp Manageengine Device Control Plus 10.1.2228.15 An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. | 7.8 |
2022-12-19 | CVE-2022-43289 | Entropymine | Out-of-bounds Write vulnerability in Entropymine Deark 1.6.2 Deark v.1.6.2 was discovered to contain a stack overflow via the do_prism_read_palette() function at /modules/atari-img.c. | 7.8 |
2022-12-19 | CVE-2022-42945 | Autodesk | Uncontrolled Search Path Element vulnerability in Autodesk DWG Trueview 2023 DWG TrueViewTM 2023 version has a DLL Search Order Hijacking vulnerability. | 7.8 |
2022-12-19 | CVE-2022-42947 | Autodesk | Out-of-bounds Write vulnerability in Autodesk Maya 2023 A maliciously crafted X_B file when parsed through Autodesk Maya 2023 can be used to write beyond the allocated buffer. | 7.8 |
2022-12-19 | CVE-2022-38659 | Hcltech | Inadequate Encryption Strength vulnerability in Hcltech Bigfix Platform In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent. | 7.8 |
2022-12-19 | CVE-2022-44750 | Hcltech | Out-of-bounds Write vulnerability in Hcltech Domino 9.0/9.0.1 HCL Domino is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. | 7.8 |
2022-12-19 | CVE-2022-44751 | Hcltech | Out-of-bounds Write vulnerability in Hcltech Notes 10.0.1/9.0.1 HCL Notes is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. | 7.8 |
2022-12-19 | CVE-2022-44752 | Hcltech | Out-of-bounds Write vulnerability in Hcltech Domino 9.0/9.0.1 HCL Domino is susceptible to a stack based buffer overflow vulnerability in wp6sr.dll in Micro Focus KeyView. | 7.8 |
2022-12-19 | CVE-2022-44753 | Hcltech | Out-of-bounds Write vulnerability in Hcltech Notes 10.0.1/9.0.1 HCL Notes is susceptible to a stack based buffer overflow vulnerability in wp6sr.dll in Micro Focus KeyView. | 7.8 |
2022-12-19 | CVE-2022-44754 | Hcltech | Out-of-bounds Write vulnerability in Hcltech Domino 9.0/9.0.1 HCL Domino is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. | 7.8 |
2022-12-19 | CVE-2022-44755 | Hcltech | Out-of-bounds Write vulnerability in Hcltech Notes 10.0.1/9.0.1 HCL Notes is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. | 7.8 |
2022-12-23 | CVE-2022-46171 | Tauri | Path Traversal vulnerability in Tauri 2.0.0 Tauri is a framework for building binaries for all major desktop platforms. | 7.7 |
2022-12-22 | CVE-2020-15679 | An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. | 7.6 | |
2022-12-22 | CVE-2022-23540 | Auth0 | Improper Verification of Cryptographic Signature vulnerability in Auth0 Jsonwebtoken In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. | 7.6 |
2022-12-25 | CVE-2020-36629 | Httpster Project | Path Traversal vulnerability in Httpster Project Httpster A vulnerability classified as critical was found in SimbCo httpster. | 7.5 |
2022-12-25 | CVE-2022-42953 | Zkteco | Forced Browsing vulnerability in Zkteco products Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. | 7.5 |
2022-12-25 | CVE-2022-44016 | An issue was discovered in Simmeth Lieferantenmanager before 5.6. | 7.5 | |
2022-12-25 | CVE-2022-44017 | An issue was discovered in Simmeth Lieferantenmanager before 5.6. | 7.5 | |
2022-12-25 | CVE-2022-45197 | Slixmpp Project | Improper Certificate Validation vulnerability in Slixmpp Project Slixmpp Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp. | 7.5 |
2022-12-24 | CVE-2022-38658 | Hcltech | Missing Encryption of Sensitive Data vulnerability in Hcltech Bigfix Server Automation BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. | 7.5 |
2022-12-23 | CVE-2022-28229 | The hash functionality in userver before 42059b6319661583b3080cab9b595d4f8ac48128 allows attackers to cause a denial of service via crafted HTTP request, involving collisions. | 7.5 | |
2022-12-23 | CVE-2022-23854 | Aveva | Path Traversal vulnerability in Aveva Intouch Access Anywhere 2020 AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server. | 7.5 |
2022-12-23 | CVE-2022-47941 | Linux | Memory Leak vulnerability in Linux Kernel An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. | 7.5 |
2022-12-23 | CVE-2022-43551 | Haxx Fedoraproject Netapp Splunk | Cleartext Transmission of Sensitive Information vulnerability in multiple products A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. | 7.5 |
2022-12-23 | CVE-2022-33324 | Mitsubishi | Improper Resource Shutdown or Release vulnerability in Mitsubishi products Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions "32" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "65" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120SFCPU Firmware versions "29" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120PSFCPU Firmware versions "08" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R12CCPU-V Firmware versions "17" and prior, Mitsubishi Electric Corporation MELSEC iQ-L Series L04/08/16/32HCPU Firmware versions "05" and prior and Mitsubishi Electric Corporation MELIPC Series MI5122-VW Firmware versions "07" and prior allows a remote unauthenticated attacker to cause a Denial of Service condition in Ethernet communication on the module by sending specially crafted packets. | 7.5 |
2022-12-23 | CVE-2022-40898 | An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. | 7.5 | |
2022-12-23 | CVE-2022-40899 | Pythoncharmers | Unspecified vulnerability in Pythoncharmers Python-Future An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. | 7.5 |
2022-12-22 | CVE-2022-22184 | Juniper | Improper Input Validation vulnerability in Juniper Junos and Junos OS Evolved An Improper Input Validation vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker to cause a Denial of Service (DoS). | 7.5 |
2022-12-22 | CVE-2022-41988 | Openimageio Debian | Out-of-bounds Read vulnerability in multiple products An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. | 7.5 |
2022-12-22 | CVE-2022-41999 | Openimageio Debian | NULL Pointer Dereference vulnerability in multiple products A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. | 7.5 |
2022-12-22 | CVE-2020-26302 | IS JS Project | Unspecified vulnerability in Is.Js Project Is.Js is.js is a general-purpose check library. | 7.5 |
2022-12-22 | CVE-2022-3805 | Jegtheme | Unspecified vulnerability in Jegtheme JEG Elementor KIT 2.5.6 The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. | 7.5 |
2022-12-22 | CVE-2022-22461 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Security Verify Governance 10.0.1 IBM Security Verify Governance, Identity Manager 10.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2022-12-22 | CVE-2022-22737 | Mozilla | Race Condition vulnerability in Mozilla Firefox Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. | 7.5 |
2022-12-22 | CVE-2022-22741 | When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. | 7.5 | |
2022-12-22 | CVE-2022-26387 | When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. | 7.5 | |
2022-12-22 | CVE-2022-34477 | The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks. | 7.5 | |
2022-12-22 | CVE-2022-36319 | When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. | 7.5 | |
2022-12-22 | CVE-2022-38476 | A data race could occur in the <code>PK11_ChangePW</code> function, potentially leading to a use-after-free vulnerability. | 7.5 | |
2022-12-22 | CVE-2022-45407 | If an attacker loaded a font using <code>FontFace()</code> on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash. | 7.5 | |
2022-12-22 | CVE-2022-23556 | Codeigniter | Insufficient Verification of Data Authenticity vulnerability in Codeigniter CodeIgniter is a PHP full-stack web framework. | 7.5 |
2022-12-22 | CVE-2022-47895 | In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files. | 7.5 | |
2022-12-21 | CVE-2022-3186 | Dataprobe | Unspecified vulnerability in Dataprobe products Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the device’s main management page from the cloud. | 7.5 |
2022-12-21 | CVE-2020-36620 | Enumstringvalues Project | Resource Exhaustion vulnerability in Enumstringvalues Project Enumstringvalues A vulnerability was found in Brondahl EnumStringValues up to 4.0.0. | 7.5 |
2022-12-21 | CVE-2022-47581 | Isode M-Vault 16.0v0 through 17.x before 17.0v24 can crash upon an LDAP v1 bind request. | 7.5 | |
2022-12-21 | CVE-2022-25895 | Lite DEV Server Project | Path Traversal vulnerability in Lite-Dev-Server Project Lite-Dev-Server All versions of package lite-dev-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the req.url user input that is passed to the server code. | 7.5 |
2022-12-21 | CVE-2022-42949 | Silverstripe silverstripe/subsites through 2.6.0 has Insecure Permissions. | 7.5 | |
2022-12-20 | CVE-2021-46856 | Huawei | Path Traversal vulnerability in Huawei Emui and Harmonyos The multi-screen collaboration module has a path traversal vulnerability. | 7.5 |
2022-12-20 | CVE-2022-38391 | IBM | Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Spectrum Control 5.4.0.0 IBM Spectrum Control 5.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 7.5 |
2022-12-20 | CVE-2022-41591 | Huawei | Path Traversal vulnerability in Huawei Emui and Harmonyos The backup module has a path traversal vulnerability. | 7.5 |
2022-12-20 | CVE-2022-41596 | Huawei | Deserialization of Untrusted Data vulnerability in Huawei Emui 11.0.1/12.0.0/12.0.1 The system tool has inconsistent serialization and deserialization. | 7.5 |
2022-12-20 | CVE-2022-41599 | Huawei | Unspecified vulnerability in Huawei Emui 11.0.1/12.0.0/12.0.1 The system service has a vulnerability that causes incorrect return values. | 7.5 |
2022-12-20 | CVE-2022-46310 | The TelephonyProvider module has a vulnerability in obtaining values.Successful exploitation of this vulnerability may affect data confidentiality. | 7.5 | |
2022-12-20 | CVE-2022-46311 | Huawei | Use After Free vulnerability in Huawei Harmonyos The contacts component has a free (undefined) provider vulnerability. | 7.5 |
2022-12-20 | CVE-2022-46312 | Huawei | Unspecified vulnerability in Huawei Emui 11.0.1/12.0.0/12.0.1 The application management module has a vulnerability in permission verification. | 7.5 |
2022-12-20 | CVE-2022-46314 | The IPC module has defects introduced in the design process. | 7.5 | |
2022-12-20 | CVE-2022-46315 | Huawei | Unspecified vulnerability in Huawei Harmonyos 2.0/2.0.0/2.0.1 The ProfileSDK has defects introduced in the design process. | 7.5 |
2022-12-20 | CVE-2022-46317 | Huawei | Out-of-bounds Read vulnerability in Huawei Emui 11.0.1/12.0.0/12.0.1 The power consumption module has an out-of-bounds read vulnerability. | 7.5 |
2022-12-20 | CVE-2022-46321 | Huawei | Unspecified vulnerability in Huawei Emui 11.0.1/12.0.0/12.0.1 The Wi-Fi module has a vulnerability in permission verification. | 7.5 |
2022-12-20 | CVE-2022-46322 | Huawei | Out-of-bounds Write vulnerability in Huawei Emui and Harmonyos Some smartphones have the out-of-bounds write vulnerability. | 7.5 |
2022-12-20 | CVE-2022-46328 | Huawei | Improper Input Validation vulnerability in Huawei Emui 12.0.0 Some smartphones have the input validation vulnerability. | 7.5 |
2022-12-20 | CVE-2022-38873 | Dlink | Unspecified vulnerability in Dlink Dap-2695 Firmware and Dap-3320 Firmware D-Link devices DAP-2310 v2.10rc036 and earlier, DAP-2330 v1.06rc020 and earlier, DAP-2360 v2.10rc050 and earlier, DAP-2553 v3.10rc031 and earlier, DAP-2660 v1.15rc093 and earlier, DAP-2690 v3.20rc106 and earlier, DAP-2695 v1.20rc119_beta31 and earlier, DAP-3320 v1.05rc027 beta and earlier, DAP-3662 v1.05rc047 and earlier allows attackers to cause a Denial of Service (DoS) via uploading a crafted firmware after modifying the firmware header. | 7.5 |
2022-12-20 | CVE-2022-46432 | TP Link | Unspecified vulnerability in Tp-Link Tl-Wr743Nd V1 Firmware An exploitable firmware modification vulnerability was discovered on TP-Link TL-WR743ND V1. | 7.5 |
2022-12-20 | CVE-2022-46434 | TP Link | Unspecified vulnerability in Tp-Link Tl-Wa7510N V1 Firmware An issue in the firmware update process of TP-Link TL-WA7510N v1 v3.12.6 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image. | 7.5 |
2022-12-20 | CVE-2022-46076 | Dlink | Incorrect Authorization vulnerability in Dlink Dir-869 Firmware and Dir-869Ax Firmware D-Link DIR-869 DIR869Ax_FW102B15 is vulnerable to Authentication Bypass via phpcgi. | 7.5 |
2022-12-20 | CVE-2022-45665 | Tenda | Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687) Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the funcpara1 parameter in the formSetCfm function. | 7.5 |
2022-12-20 | CVE-2022-45666 | Tenda | Classic Buffer Overflow vulnerability in Tenda I22 Firmware 1.0.0.3(4687) Tenda i22 V1.0.0.3(4687) was discovered to contain a buffer overflow via the list parameter in the formwrlSSIDset function. | 7.5 |
2022-12-20 | CVE-2022-46530 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the mac parameter at /goform/GetParentControlInfo. | 7.5 |
2022-12-20 | CVE-2022-46531 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the deviceId parameter at /goform/addWifiMacFilter. | 7.5 |
2022-12-20 | CVE-2022-46532 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the deviceMac parameter at /goform/addWifiMacFilter. | 7.5 |
2022-12-20 | CVE-2022-46533 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the limitSpeed parameter at /goform/SetClientState. | 7.5 |
2022-12-20 | CVE-2022-46534 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the speed_dir parameter at /goform/SetSpeedWan. | 7.5 |
2022-12-20 | CVE-2022-46535 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the deviceId parameter at /goform/SetClientState. | 7.5 |
2022-12-20 | CVE-2022-46536 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the limitSpeedUp parameter at /goform/SetClientState. | 7.5 |
2022-12-20 | CVE-2022-46537 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the security parameter at /goform/WifiBasicSet. | 7.5 |
2022-12-20 | CVE-2022-46539 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the security_5g parameter at /goform/WifiBasicSet. | 7.5 |
2022-12-20 | CVE-2022-46540 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the entrys parameter at /goform/addressNat. | 7.5 |
2022-12-20 | CVE-2022-46541 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the ssid parameter at /goform/fast_setting_wifi_set. | 7.5 |
2022-12-20 | CVE-2022-46542 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the page parameter at /goform/addressNat. | 7.5 |
2022-12-20 | CVE-2022-46543 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the mitInterface parameter at /goform/addressNat. | 7.5 |
2022-12-20 | CVE-2022-46544 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the cmdinput parameter at /goform/exeCommand. | 7.5 |
2022-12-20 | CVE-2022-46545 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the page parameter at /goform/NatStaticSetting. | 7.5 |
2022-12-20 | CVE-2022-46546 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the entrys parameter at /goform/RouteStatic. | 7.5 |
2022-12-20 | CVE-2022-46547 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the page parameter at /goform/VirtualSer. | 7.5 |
2022-12-20 | CVE-2022-46548 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the page parameter at /goform/DhcpListClient. | 7.5 |
2022-12-20 | CVE-2022-46549 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the deviceId parameter at /goform/saveParentControlInfo. | 7.5 |
2022-12-20 | CVE-2022-46550 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the urls parameter at /goform/saveParentControlInfo. | 7.5 |
2022-12-20 | CVE-2022-46551 | Tenda | Classic Buffer Overflow vulnerability in Tenda F1203 Firmware 2.0.1.6 Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the time parameter at /goform/saveParentControlInfo. | 7.5 |
2022-12-20 | CVE-2022-25931 | Easy Static Server Project | Path Traversal vulnerability in Easy-Static-Server Project Easy-Static-Server All versions of package easy-static-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the req.url user input that is passed to the server code. | 7.5 |
2022-12-20 | CVE-2022-25940 | Lite Server Project | Unspecified vulnerability in Lite-Server Project Lite-Server All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse. | 7.5 |
2022-12-19 | CVE-2022-3752 | Rockwellautomation | Unspecified vulnerability in Rockwellautomation products An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic loading to cause a denial-of-service condition in Rockwell Automation Logix controllers resulting in a major non-recoverable fault. | 7.5 |
2022-12-19 | CVE-2022-46399 | Microchip | Unspecified vulnerability in Microchip products The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) is unresponsive with ConReqTimeoutZero. | 7.5 |
2022-12-19 | CVE-2022-43883 | IBM | Improper Encoding or Escaping of Output vulnerability in IBM Cognos Analytics IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to a Log Injection attack by constructing URLs from user-controlled data. | 7.5 |
2022-12-19 | CVE-2022-45041 | SQL Injection exits in xinhu < 2.5.0 | 7.5 | |
2022-12-19 | CVE-2021-4258 | Whohas Project | Cleartext Transmission of Sensitive Information vulnerability in Whohas Project Whohas A vulnerability was found in whohas. | 7.5 |
2022-12-19 | CVE-2022-4061 | Ultimatemember | Unspecified vulnerability in Ultimatemember Jobboardwp The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP. | 7.5 |
2022-12-19 | CVE-2022-4106 | Cedcommerce | Files or Directories Accessible to External Parties vulnerability in Cedcommerce Wholesale Market for Woocommerce The Wholesale Market for WooCommerce WordPress plugin before 1.0.7 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. | 7.5 |
2022-12-19 | CVE-2022-32749 | Apache | Improper Check for Unusual or Exceptional Conditions vulnerability in Apache Traffic Server Improper Check for Unusual or Exceptional Conditions vulnerability handling requests in Apache Traffic Server allows an attacker to crash the server under certain conditions. This issue affects Apache Traffic Server: from 8.0.0 through 9.1.3. | 7.5 |
2022-12-19 | CVE-2022-3875 | Clickstudios | Improper Authentication vulnerability in Clickstudios Passwordstate A vulnerability classified as critical was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. | 7.5 |
2022-12-19 | CVE-2016-20018 | Knexjs | SQL Injection vulnerability in Knexjs Knex Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query. | 7.5 |
2022-12-25 | CVE-2022-45889 | Planet eStream before 6.72.10.07 allows a remote attacker (who is a publisher or admin) to obtain access to all records stored in the database, and achieve the ability to execute arbitrary SQL commands, via Search (the StatisticsResults.aspx flt parameter). | 7.2 | |
2022-12-23 | CVE-2022-46560 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the Password parameter in the SetWan2Settings module. | 7.2 |
2022-12-23 | CVE-2022-46561 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the Password parameter in the SetWanSettings module. | 7.2 |
2022-12-23 | CVE-2022-46562 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the PSK parameter in the SetQuickVPNSettings module. | 7.2 |
2022-12-23 | CVE-2022-46563 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the Password parameter in the SetDynamicDNSSettings module. | 7.2 |
2022-12-23 | CVE-2022-46566 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the Password parameter in the SetQuickVPNSettings module. | 7.2 |
2022-12-23 | CVE-2022-46568 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the AccountPassword parameter in the SetSysEmailSettings module. | 7.2 |
2022-12-23 | CVE-2022-46569 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the Key parameter in the SetWLanRadioSecurity module. | 7.2 |
2022-12-23 | CVE-2022-46570 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the Password parameter in the SetWan3Settings module. | 7.2 |
2022-12-23 | CVE-2022-38757 | Microfocus | Improper Privilege Management vulnerability in Microfocus Zenworks 2020 A vulnerability has been identified in Micro Focus ZENworks 2020 Update 3a and prior versions. | 7.2 |
2022-12-19 | CVE-2022-41418 | Blogengine | Path Traversal vulnerability in Blogengine Blogengine.Net 3.3.8.0 An issue in the component BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs of BlogEngine.NET v3.3.8.0 allows attackers to execute arbitrary code via uploading a crafted PNG file. | 7.2 |
2022-12-22 | CVE-2022-22753 | Mozilla | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Mozilla Firefox A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. | 7.1 |
2022-12-22 | CVE-2022-42930 | Mozilla | Race Condition vulnerability in Mozilla Firefox If two Workers were simultaneously initializing their CacheStorage, a data race could have occurred in the `ThirdPartyUtil` component. | 7.1 |
2022-12-19 | CVE-2022-3775 | GNU Redhat | Out-of-bounds Write vulnerability in multiple products When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. | 7.1 |
2022-12-19 | CVE-2022-42946 | Autodesk | Out-of-bounds Read vulnerability in Autodesk Maya 2023 Parsing a maliciously crafted X_B and PRT file can force Autodesk Maya 2023 to read beyond allocated buffer. | 7.1 |
2022-12-22 | CVE-2022-22736 | Mozilla | Uncontrolled Search Path Element vulnerability in Mozilla Firefox If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. | 7.0 |
284 Medium Vulnerabilities
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-12-22 | CVE-2022-41977 | Openimageio | Out-of-bounds Read vulnerability in Openimageio 2.3.19.0 An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. | 3.3 |
2022-12-22 | CVE-2022-42931 | Mozilla | Cleartext Storage of Sensitive Information vulnerability in Mozilla Firefox Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. | 3.3 |