Weekly Vulnerabilities Reports > December 26, 2022 to January 1, 2023
Overview
396 new vulnerabilities reported during this period, including 87 critical vulnerabilities and 112 high severity vulnerabilities. This weekly summary report vulnerabilities in 444 products from 177 vendors including Nvidia, Trendnet, Contest Gallery, Tenda, and Dahuasecurity. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "Path Traversal", "SQL Injection", and "Cross-Site Request Forgery (CSRF)".
- 345 reported vulnerabilities are remotely exploitables.
- 153 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 257 reported vulnerabilities are exploitable by an anonymous user.
- Nvidia has the most reported vulnerabilities, with 32 reported vulnerabilities.
- Trendnet has the most reported critical vulnerabilities, with 20 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
87 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-01-01 | CVE-2021-4297 | Jobe Project | Unspecified vulnerability in Jobe Project Jobe A vulnerability has been found in trampgeek jobe up to 1.6.4 and classified as problematic. | 9.8 |
2023-01-01 | CVE-2014-125030 | Empress Project | Use of Hard-coded Credentials vulnerability in Empress Project Empress A vulnerability, which was classified as critical, has been found in taoeffect Empress. | 9.8 |
2023-01-01 | CVE-2022-48198 | Ntpd Driver Project | Exposure of Resource to Wrong Sphere vulnerability in Ntpd Driver Project Ntpd Driver The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior. | 9.8 |
2022-12-31 | CVE-2017-20160 | Flitto | Unspecified vulnerability in Flitto Express-Param A vulnerability was found in flitto express-param up to 0.x. | 9.8 |
2022-12-31 | CVE-2017-20156 | Printer Project | Command Injection vulnerability in Printer Project Printer A vulnerability was found in Exciting Printer and classified as critical. | 9.8 |
2022-12-31 | CVE-2017-20157 | Ariadne CMS | Server-Side Request Forgery (SSRF) vulnerability in Ariadne-Cms Ariadne Component Library A vulnerability was found in Ariadne Component Library up to 2.x. | 9.8 |
2022-12-31 | CVE-2022-48195 | Mellium | Improper Authentication vulnerability in Mellium Sasl 0.3.0 An issue was discovered in Mellium mellium.im/sasl before 0.3.1. | 9.8 |
2022-12-30 | CVE-2022-46580 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the user_edit_page parameter in the wifi_captive_portal function. | 9.8 |
2022-12-30 | CVE-2022-46581 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the cameo.cameo.nslookup_target parameter in the tools_nslookup function. | 9.8 |
2022-12-30 | CVE-2022-46582 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the login_name parameter in the do_graph_auth (sub_4061E0) function. | 9.8 |
2022-12-30 | CVE-2022-46583 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the reboot_type parameter in the wizard_ipv6 (sub_41C380) function. | 9.8 |
2022-12-30 | CVE-2022-46584 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the qcawifi.wifi%d_vap%d.maclist parameter in the kick_ban_wifi_mac_deny (sub_415D7C) function. | 9.8 |
2022-12-30 | CVE-2022-46585 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the REMOTE_USER parameter in the get_access (sub_45AC2C) function. | 9.8 |
2022-12-30 | CVE-2022-46586 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the qcawifi.wifi%d_vap%d.maclist parameter in the kick_ban_wifi_mac_allow (sub_415B00) function. | 9.8 |
2022-12-30 | CVE-2022-46588 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the sys_service parameter in the setup_wizard_mydlink (sub_4104B8) function. | 9.8 |
2022-12-30 | CVE-2022-46589 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the cameo.cameo.netstat_option parameter in the tools_netstat (sub_41E730) function. | 9.8 |
2022-12-30 | CVE-2022-46590 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the cameo.cameo.netstat_rsname parameter in the tools_netstat (sub_41E730) function. | 9.8 |
2022-12-30 | CVE-2022-46591 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the reject_url parameter in the reject (sub_41BD60) function. | 9.8 |
2022-12-30 | CVE-2022-46592 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the wps_sta_enrollee_pin parameter in the set_sta_enrollee_pin_5g function. | 9.8 |
2022-12-30 | CVE-2022-46593 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the wps_sta_enrollee_pin parameter in the do_sta_enrollee_wifi function. | 9.8 |
2022-12-30 | CVE-2022-46594 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the update_file_name parameter in the auto_up_fw (sub_420A04) function. | 9.8 |
2022-12-30 | CVE-2022-46596 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the del_num parameter in the icp_delete_img (sub_41DEDC) function. | 9.8 |
2022-12-30 | CVE-2022-46597 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the sys_service parameter in the setup_wizard_mydlink (sub_4104B8) function. | 9.8 |
2022-12-30 | CVE-2022-46598 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_5g function. | 9.8 |
2022-12-30 | CVE-2022-46599 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the setlogo_num parameter in the icp_setlogo_img (sub_41DBF4) function. | 9.8 |
2022-12-30 | CVE-2022-46600 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_24g function. | 9.8 |
2022-12-30 | CVE-2022-46601 | Trendnet | Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01 TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the setbg_num parameter in the icp_setbg_img (sub_41DD68) function. | 9.8 |
2022-12-30 | CVE-2022-47115 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepauth parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47117 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the security parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47118 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey1 parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47119 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the ssid parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47120 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47121 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47122 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlPwd_5g parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47123 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey3 parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47124 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey4 parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47125 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlEn_5g parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47126 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlEn parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47127 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlPwd parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2022-47128 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey2 parameter at /goform/WifiBasicSet. | 9.8 |
2022-12-30 | CVE-2017-20151 | Itextpdf | XXE vulnerability in Itextpdf Rups A vulnerability classified as problematic was found in iText RUPS. | 9.8 |
2022-12-30 | CVE-2022-4860 | Kbase | SQL Injection vulnerability in Kbase Metrics A vulnerability was found in KBase Metrics. | 9.8 |
2022-12-30 | CVE-2022-44621 | Apache | Command Injection vulnerability in Apache Kylin Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. | 9.8 |
2022-12-30 | CVE-2022-4855 | Lead Management System Project | SQL Injection vulnerability in Lead Management System Project Lead Management System 1.0 A vulnerability, which was classified as critical, was found in SourceCodester Lead Management System 1.0. | 9.8 |
2022-12-30 | CVE-2022-48196 | Netgear | Classic Buffer Overflow vulnerability in Netgear products Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker. | 9.8 |
2022-12-29 | CVE-2021-4295 | Healthit | XXE vulnerability in Healthit Code-Validator-Api A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. | 9.8 |
2022-12-29 | CVE-2022-4779 | Elvexys | Path Traversal vulnerability in Elvexys Streamx 6.02.01/6.04.34 StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme. StreamX applications using StreamView HTML component with the public web server feature activated are affected. | 9.8 |
2022-12-28 | CVE-2018-25057 | Mikebharris | SQL Injection vulnerability in Mikebharris Simple PHP Link Shortener A vulnerability was found in simple_php_link_shortener. | 9.8 |
2022-12-27 | CVE-2021-4290 | Fallstudie Project | SQL Injection vulnerability in Fallstudie Project Fallstudie A vulnerability was found in DHBW Fallstudie. | 9.8 |
2022-12-27 | CVE-2022-4768 | Dropbox | Injection vulnerability in Dropbox Merou A vulnerability was found in Dropbox merou. | 9.8 |
2022-12-27 | CVE-2014-125026 | Cloudflare | Out-of-bounds Write vulnerability in Cloudflare Golz4 LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input. | 9.8 |
2022-12-27 | CVE-2017-20146 | Gorillatoolkit | Origin Validation Error vulnerability in Gorillatoolkit Handlers 1.1/1.2/1.2.1 Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy. | 9.8 |
2022-12-27 | CVE-2021-4236 | WEB Project | NULL Pointer Dereference vulnerability in web Project web 1.4.0/1.5.0/1.5.1 Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. | 9.8 |
2022-12-27 | CVE-2022-45778 | Hillstonenet | Unspecified vulnerability in Hillstonenet products https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000 <= 5.0.4.0 is vulnerable to Incorrect Access Control. | 9.8 |
2022-12-27 | CVE-2022-45963 | H3C | Unspecified vulnerability in H3C products h3c firewall <= 3.10 ESS6703 has a privilege bypass vulnerability. | 9.8 |
2022-12-27 | CVE-2022-46442 | dedecms <=V5.7.102 is vulnerable to SQL Injection. | 9.8 | |
2022-12-27 | CVE-2022-4719 | Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5. | 9.8 | |
2022-12-27 | CVE-2022-4724 | Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5. | 9.8 | |
2022-12-27 | CVE-2022-4725 | Amazon | Server-Side Request Forgery (SSRF) vulnerability in Amazon AWS Software Development KIT A vulnerability was found in AWS SDK 2.59.0. | 9.8 |
2022-12-27 | CVE-2022-4726 | Sanitization Management System Project | SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0 A vulnerability classified as critical was found in SourceCodester Sanitization Management System 1.0. | 9.8 |
2022-12-27 | CVE-2022-4748 | Flatpress | Path Traversal vulnerability in Flatpress A vulnerability was found in FlatPress. | 9.8 |
2022-12-27 | CVE-2022-46764 | Trueconf | SQL Injection vulnerability in Trueconf Server A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution. | 9.8 |
2022-12-26 | CVE-2019-11851 | Sierrawireless | Classic Buffer Overflow vulnerability in Sierrawireless Aleos The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through 4.13.x before 4.14.0 allows remote attackers to execute arbitrary code via a buffer overflow. | 9.8 |
2022-12-26 | CVE-2020-24600 | Capexweb Project | SQL Injection vulnerability in Capexweb Project Capexweb 1.1 Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request. | 9.8 |
2022-12-26 | CVE-2020-11101 | Sierra Wireless AirLink Mobility Manager (AMM) before 2.17 mishandles sessions and thus an unauthenticated attacker can obtain a login session with administrator privileges. | 9.8 | |
2022-12-26 | CVE-2021-4281 | Forthebadge | OS Command Injection vulnerability in Forthebadge for the Badge 1.0.0/1.1.0 A vulnerability was found in Brave UX for-the-badge and classified as critical. | 9.8 |
2022-12-26 | CVE-2022-4047 | Wpswings | Unspecified vulnerability in Wpswings Return Refund and Exchange for Woocommerce The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE | 9.8 |
2022-12-26 | CVE-2022-4117 | IWS GEO Form Fields Project | Unspecified vulnerability in Iws-Geo-Form-Fields Project Iws-Geo-Form-Fields 1.0 The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. | 9.8 |
2022-12-26 | CVE-2022-4120 | Trumani | Unspecified vulnerability in Trumani Stop Spammers The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain | 9.8 |
2022-12-26 | CVE-2022-4742 | Json Pointer Project | Unspecified vulnerability in Json-Pointer Project Json-Pointer A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. | 9.8 |
2022-12-26 | CVE-2022-26969 | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. | 9.8 | |
2022-12-26 | CVE-2021-45466 | Control Webpanel | Incorrect Authorization vulnerability in Control-Webpanel Webpanel In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder. | 9.8 |
2022-12-26 | CVE-2021-45467 | Control Webpanel | Unspecified vulnerability in Control-Webpanel Webpanel In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. | 9.8 |
2022-12-26 | CVE-2022-24116 | Certain General Electric Renewable Energy products have inadequate encryption strength. | 9.8 | |
2022-12-26 | CVE-2022-24117 | Certain General Electric Renewable Energy products download firmware without an integrity check. | 9.8 | |
2022-12-26 | CVE-2022-24119 | Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. | 9.8 | |
2022-12-29 | CVE-2022-36437 | Hazelcast | Session Fixation vulnerability in Hazelcast Hazelcast-Jet The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. | 9.1 |
2022-12-27 | CVE-2018-25046 | Cloudfoundry | Path Traversal vulnerability in Cloudfoundry Archiver Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | 9.1 |
2022-12-27 | CVE-2020-36560 | GO Unzip Project | Path Traversal vulnerability in Go-Unzip Project Go-Unzip Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | 9.1 |
2022-12-27 | CVE-2020-36561 | Unzip Project | Path Traversal vulnerability in Unzip Project Unzip Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | 9.1 |
2022-12-27 | CVE-2020-36566 | TAR Utils Project | Path Traversal vulnerability in Tar-Utils Project Tar-Utils Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | 9.1 |
2022-12-27 | CVE-2020-36569 | Digitalocean | Improper Authentication vulnerability in Digitalocean Golang-Nanoauth Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token. | 9.1 |
2022-12-27 | CVE-2021-4238 | Randomly-generated alphanumeric strings contain significantly less entropy than expected. | 9.1 | |
2022-12-26 | CVE-2022-24118 | Certain General Electric Renewable Energy products allow attackers to use a code to trigger a reboot into the factory default configuration. | 9.1 | |
2023-01-01 | CVE-2022-34322 | Sage | Cross-site Scripting vulnerability in Sage Enterprise Intelligence 2021R1.1 Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. | 9.0 |
2022-12-31 | CVE-2022-4865 | Usememos | Cross-site Scripting vulnerability in Usememos Memos Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1. | 9.0 |
2022-12-31 | CVE-2022-4866 | Usememos | Cross-site Scripting vulnerability in Usememos Memos Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1. | 9.0 |
112 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-01-01 | CVE-2022-34324 | Sage | SQL Injection vulnerability in Sage XRT Business Exchange 12.4.302 Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History. | 8.8 |
2022-12-31 | CVE-2014-125028 | Valtech | Cross-Site Request Forgery (CSRF) vulnerability in Valtech IDP Test Clients A vulnerability was found in valtech IDP Test Client and classified as problematic. | 8.8 |
2022-12-30 | CVE-2022-34671 | Nvidia | Out-of-bounds Write vulnerability in Nvidia GPU Display Driver NVIDIA GPU Display Driver for Windows contains a vulnerability in the user-mode layer, where an unprivileged user can cause an out-of-bounds write, which may lead to code execution, information disclosure, and denial of service. | 8.8 |
2022-12-30 | CVE-2022-43396 | Apache | Unspecified vulnerability in Apache Kylin In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. | 8.8 |
2022-12-30 | CVE-2022-48194 | TP Link | Unrestricted Upload of File with Dangerous Type vulnerability in Tp-Link Tl-Wr902Ac Firmware TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate. | 8.8 |
2022-12-29 | CVE-2022-46178 | MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. | 8.8 | |
2022-12-29 | CVE-2022-4844 | Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | 8.8 | |
2022-12-28 | CVE-2017-20150 | Challenge Website Project | SQL Injection vulnerability in Challenge Website Project Challenge Website A vulnerability was found in challenge website. | 8.8 |
2022-12-28 | CVE-2022-4803 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | 8.8 |
2022-12-28 | CVE-2022-4808 | Usememos | Unspecified vulnerability in Usememos Memos Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1. | 8.8 |
2022-12-28 | CVE-2022-4809 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. | 8.8 | |
2022-12-28 | CVE-2022-23555 | Goauthentik | Improper Authentication vulnerability in Goauthentik Authentik authentik is an open-source Identity Provider focused on flexibility and versatility. | 8.8 |
2022-12-27 | CVE-2016-15005 | Golf Project | Cross-Site Request Forgery (CSRF) vulnerability in Golf Project Golf 0.1.0/0.1.1/0.2.0 CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests. | 8.8 |
2022-12-27 | CVE-2022-46763 | Trueconf | SQL Injection vulnerability in Trueconf Server A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code. | 8.8 |
2022-12-26 | CVE-2020-28191 | The console in Togglz before 2.9.4 allows CSRF. | 8.8 | |
2022-12-26 | CVE-2019-25085 | Gnome | Use After Free vulnerability in Gnome Gvariant Database A vulnerability was found in GNOME gvdb. | 8.8 |
2023-01-01 | CVE-2022-47634 | Isode | Unspecified vulnerability in Isode M-Link M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867. | 8.1 |
2022-12-28 | CVE-2022-4796 | Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1. | 8.1 | |
2022-12-26 | CVE-2019-9579 | Illumos Oracle | An issue was discovered in Illumos in Nexenta NexentaStor 4.0.5 and 5.1.2, and other products. | 8.1 |
2022-12-26 | CVE-2020-10650 | Fasterxml Oracle | Deserialization of Untrusted Data vulnerability in multiple products A deserialization flaw was discovered in jackson-databind through 2.9.10.4. | 8.1 |
2022-12-26 | CVE-2021-35954 | Fastrack | Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89 fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows physically proximate attackers to dump the firmware, flash custom malicious firmware, and brick the device via the Serial Wire Debug (SWD) feature. | 8.1 |
2022-12-30 | CVE-2022-42269 | Nvidia | Improper Input Validation vulnerability in Nvidia Jetson Linux NVIDIA Trusted OS contains a vulnerability in an SMC call handler, where failure to validate untrusted input may allow a highly privileged local attacker to cause information disclosure and compromise integrity. | 7.9 |
2022-12-30 | CVE-2022-34669 | Nvidia | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can access or modify system files or other files that are critical to the application, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 7.8 |
2022-12-30 | CVE-2022-34670 | Nvidia Debian | Incorrect Conversion between Numeric Types vulnerability in multiple products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure. | 7.8 |
2022-12-30 | CVE-2022-34672 | Nvidia | Unspecified vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA Control Panel for Windows contains a vulnerability where an unauthorized user or an unprivileged regular user can compromise the security of the software by gaining privileges, reading sensitive information, or executing commands. | 7.8 |
2022-12-30 | CVE-2022-34676 | Nvidia | Out-of-bounds Read vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering. | 7.8 |
2022-12-30 | CVE-2022-42254 | Nvidia | Improper Validation of Array Index vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure. | 7.8 |
2022-12-30 | CVE-2022-42255 | Nvidia | Improper Validation of Array Index vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering. | 7.8 |
2022-12-30 | CVE-2022-42256 | Nvidia | Integer Overflow or Wraparound vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering. | 7.8 |
2022-12-30 | CVE-2022-42260 | Nvidia | Unspecified vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU NVIDIA vGPU Display Driver for Linux guest contains a vulnerability in a D-Bus configuration file, where an unauthorized user in the guest VM can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 7.8 |
2022-12-30 | CVE-2022-42261 | Nvidia | Classic Buffer Overflow vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where an input index is not validated, which may lead to buffer overrun, which in turn may cause data tampering, information disclosure, or denial of service. | 7.8 |
2022-12-30 | CVE-2022-42262 | Nvidia | Classic Buffer Overflow vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where an input index is not validated, which may lead to buffer overrun, which in turn may cause data tampering, information disclosure, or denial of service. | 7.8 |
2022-12-30 | CVE-2022-42264 | Nvidia | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service. | 7.8 |
2022-12-30 | CVE-2022-42267 | Nvidia | Out-of-bounds Read vulnerability in Nvidia Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 7.8 |
2022-12-30 | CVE-2022-42270 | Nvidia | Out-of-bounds Write vulnerability in Nvidia Jetson Linux NVIDIA distributions of Linux contain a vulnerability in nvdla_emu_task_submit, where unvalidated input may allow a local attacker to cause stack-based buffer overflow in kernel code, which may lead to escalation of privileges, compromised integrity and confidentiality, and denial of service. | 7.8 |
2022-12-30 | CVE-2022-4856 | Modbustools | Classic Buffer Overflow vulnerability in Modbustools Modbus Slave A vulnerability has been found in Modbus Tools Modbus Slave up to 7.5.1 and classified as critical. | 7.8 |
2022-12-30 | CVE-2022-4857 | Modbustools | Classic Buffer Overflow vulnerability in Modbustools Modbus Poll A vulnerability was found in Modbus Tools Modbus Poll up to 9.10.0 and classified as critical. | 7.8 |
2022-12-29 | CVE-2022-4780 | Elvexys | Use of Hard-coded Credentials vulnerability in Elvexys Isos Firmware ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change. | 7.8 |
2022-12-28 | CVE-2022-4817 | Jgit Cookbook Project | Exposure of Resource to Wrong Sphere vulnerability in Jgit-Cookbook Project Jgit-Cookbook A vulnerability was found in centic9 jgit-cookbook. | 7.8 |
2022-12-28 | CVE-2022-44564 | Huawei Aslan Children's Watch has a path traversal vulnerability. | 7.8 | |
2022-12-28 | CVE-2022-46179 | Liuos Project | Authorization Bypass Through User-Controlled Key vulnerability in Liuos Project Liuos 0.1.0 LiuOS is a small Python project meant to imitate the functions of a regular operating system. | 7.8 |
2022-12-27 | CVE-2022-4772 | Widoco Project | Path Traversal vulnerability in Widoco Project Widoco A vulnerability was found in Widoco and classified as critical. | 7.8 |
2022-12-27 | CVE-2022-3156 | Rockwellautomation | Improper Authentication vulnerability in Rockwellautomation Studio 5000 Logix Emulate 20.011/33.00 A remote code execution vulnerability exists in Rockwell Automation Studio 5000 Logix Emulate software. Users are granted elevated permissions on certain product services when the software is installed. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software. | 7.8 |
2022-12-26 | CVE-2019-19705 | Lenovo | Unquoted Search Path or Element vulnerability in Lenovo products Realtek Audio Drivers for Windows, as used on the Lenovo ThinkPad X1 Carbon 20A7, 20A8, 20BS, and 20BT before 6.0.8882.1 and 20KH and 20KG before 6.0.8907.1 (and on many other Lenovo and non-Lenovo products), mishandles DLL preloading. | 7.8 |
2022-12-26 | CVE-2020-12069 | Pilz Codesys Festo Wago | Use of Password Hash With Insufficient Computational Effort vulnerability in multiple products In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. | 7.8 |
2022-12-26 | CVE-2022-30260 | Emerson | Insufficient Verification of Data Authenticity vulnerability in Emerson products Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature). | 7.8 |
2023-01-01 | CVE-2023-22551 | FTP Project | Unspecified vulnerability in FTP Project FTP The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. | 7.5 |
2023-01-01 | CVE-2013-10006 | Ziftrshop | Information Exposure Through Timing Discrepancy vulnerability in Ziftrshop Primecoin 0.8.4 A vulnerability classified as problematic was found in Ziftr primecoin up to 0.8.4rc1. | 7.5 |
2023-01-01 | CVE-2023-0029 | Multilaserempresas | Unspecified vulnerability in Multilaserempresas Re708 Firmware Re1200R4Gc2T2Rv3V3411Bmul029B A vulnerability was found in Multilaser RE708 RE1200R4GC-2T2R-V3_v3411b_MUL029B. | 7.5 |
2023-01-01 | CVE-2018-25062 | Elementalx | Improper Resource Shutdown or Release vulnerability in Elementalx A vulnerability classified as problematic has been found in flar2 ElementalX up to 6.x on Nexus 9. | 7.5 |
2023-01-01 | CVE-2022-37785 | Wecube Platform Project | Cleartext Storage of Sensitive Information vulnerability in Wecube-Platform Project Wecube-Platform 3.2.2 An issue was discovered in WeCube Platform 3.2.2. | 7.5 |
2022-12-31 | CVE-2018-25061 | Rgb2Hex Project | Unspecified vulnerability in Rgb2Hex Project Rgb2Hex A vulnerability was found in rgb2hex up to 0.1.5. | 7.5 |
2022-12-30 | CVE-2017-20154 | Phoenixcoin Project | Improper Resource Shutdown or Release vulnerability in Phoenixcoin Project Phoenixcoin A vulnerability was found in ghostlander Phoenixcoin. | 7.5 |
2022-12-30 | CVE-2022-47116 | Tenda | Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13 Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the SYSPS parameter at /goform/SysToolChangePwd. | 7.5 |
2022-12-30 | CVE-2017-20152 | Imageserve Project | Path Traversal vulnerability in Imageserve Project Imageserve A vulnerability, which was classified as problematic, was found in aerouk imageserve. | 7.5 |
2022-12-30 | CVE-2018-25060 | GO Macaron | Missing Encryption of Sensitive Data vulnerability in Go-Macaron CSRF A vulnerability was found in Macaron csrf and classified as problematic. | 7.5 |
2022-12-30 | CVE-2022-4858 | M Files | Information Exposure Through Log Files vulnerability in M-Files Server 22.2.11051.0/22.3.11237.3/22.6.11534.4 Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive tokens from logs, if specific configurations were set. | 7.5 |
2022-12-29 | CVE-2022-38203 | Esri | Server-Side Request Forgery (SSRF) vulnerability in Esri Portal for Arcgis Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212. | 7.5 |
2022-12-29 | CVE-2022-38205 | In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content). | 7.5 | |
2022-12-29 | CVE-2022-38211 | Esri | Server-Side Request Forgery (SSRF) vulnerability in Esri Portal for Arcgis Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212. | 7.5 |
2022-12-29 | CVE-2022-38212 | Esri | Server-Side Request Forgery (SSRF) vulnerability in Esri Portal for Arcgis Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203. | 7.5 |
2022-12-29 | CVE-2022-4843 | Radare | NULL Pointer Dereference vulnerability in Radare Radare2 NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.8.2. | 7.5 |
2022-12-28 | CVE-2022-23553 | Alpine Project | Unspecified vulnerability in Alpine Project Alpine Alpine is a scaffolding library in Java. | 7.5 |
2022-12-28 | CVE-2022-39012 | Huawei Aslan Children's Watch has an improper input validation vulnerability. | 7.5 | |
2022-12-28 | CVE-2022-38202 | Esri | Path Traversal vulnerability in Esri Arcgis Server There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. | 7.5 |
2022-12-28 | CVE-2020-36562 | DHT Project | Reachable Assertion vulnerability in DHT Project DHT Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector. | 7.5 |
2022-12-28 | CVE-2022-3347 | GO Resolver Project | Insufficient Verification of Data Authenticity vulnerability in Go-Resolver Project Go-Resolver DNSSEC validation is not performed correctly. | 7.5 |
2022-12-28 | CVE-2022-41966 | Xstream Project | Uncontrolled Recursion vulnerability in Xstream Project Xstream XStream serializes Java objects to XML and back again. | 7.5 |
2022-12-28 | CVE-2022-41967 | Hypera | XXE vulnerability in Hypera Dragonfly 0.3.0Snapshot Dragonfly is a Java runtime dependency management library. | 7.5 |
2022-12-27 | CVE-2013-10005 | Socks5 Project | Infinite Loop vulnerability in Socks5 Project Socks5 The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow. | 7.5 |
2022-12-27 | CVE-2015-10004 | Json WEB Token Project | Exposure of Resource to Wrong Sphere vulnerability in Json web Token Project Json web Token Token validation methods are susceptible to a timing side-channel during HMAC comparison. | 7.5 |
2022-12-27 | CVE-2019-25072 | Tendermint | Resource Exhaustion vulnerability in Tendermint Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector. | 7.5 |
2022-12-27 | CVE-2019-25073 | GOA Design | Path Traversal vulnerability in Goa.Design GOA Improper path sanitization in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allow remote attackers to read files outside of the intended directory. | 7.5 |
2022-12-27 | CVE-2020-36559 | Aahframework | Path Traversal vulnerability in Aahframework AAH Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read. | 7.5 |
2022-12-27 | CVE-2020-36564 | Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid. | 7.5 | |
2022-12-27 | CVE-2020-36568 | Revel | Allocation of Resources Without Limits or Throttling vulnerability in Revel Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation. | 7.5 |
2022-12-27 | CVE-2021-4239 | Noiseprotocol | Missing Encryption of Sensitive Data vulnerability in Noiseprotocol Noise The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. | 7.5 |
2022-12-27 | CVE-2022-2584 | Protocol | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Protocol Go-Codec-Dagpb The dag-pb codec can panic when decoding invalid blocks. | 7.5 |
2022-12-27 | CVE-2022-3064 | Yaml Project | Resource Exhaustion vulnerability in Yaml Project Yaml Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. | 7.5 |
2022-12-27 | CVE-2020-36567 | GIN Gonic | Improper Encoding or Escaping of Output vulnerability in Gin-Gonic GIN Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines. | 7.5 |
2022-12-27 | CVE-2022-45423 | Dahuasecurity | Missing Authentication for Critical Function vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. | 7.5 |
2022-12-27 | CVE-2022-45425 | Dahuasecurity | Use of Hard-coded Credentials vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of using of hard-coded cryptographic key. | 7.5 |
2022-12-27 | CVE-2022-45429 | Dahuasecurity | Server-Side Request Forgery (SSRF) vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of server-side request forgery (SSRF). | 7.5 |
2022-12-27 | CVE-2022-45431 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. | 7.5 |
2022-12-27 | CVE-2022-4767 | Denial of Service in GitHub repository usememos/memos prior to 0.9.1. | 7.5 | |
2022-12-27 | CVE-2019-25089 | Muon Project | Use of Insufficiently Random Values vulnerability in Muon Project Muon 0.1.1 A vulnerability has been found in Morgawr Muon 0.1.1 and classified as problematic. | 7.5 |
2022-12-27 | CVE-2021-4286 | Pysrp Project | Information Exposure Through Discrepancy vulnerability in Pysrp Project Pysrp A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16. | 7.5 |
2022-12-27 | CVE-2015-10005 | Markdown IT Project | Unspecified vulnerability in Markdown-It Project Markdown-It A vulnerability was found in markdown-it up to 2.x. | 7.5 |
2022-12-27 | CVE-2018-25049 | Email Existence Project | Unspecified vulnerability in Email-Existence Project Email-Existence A vulnerability was found in email-existence. | 7.5 |
2022-12-27 | CVE-2019-25087 | Httpserver Project | Path Traversal vulnerability in Httpserver Project Httpserver A vulnerability was found in RamseyK httpserver. | 7.5 |
2022-12-26 | CVE-2020-12067 | In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password. | 7.5 | |
2022-12-26 | CVE-2022-4156 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. | 7.5 |
2022-12-26 | CVE-2022-4158 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. | 7.5 |
2022-12-26 | CVE-2021-35065 | Gulpjs | Unspecified vulnerability in Gulpjs Glob-Parent 6.0.0 The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression. | 7.5 |
2022-12-26 | CVE-2021-35951 | Fastrack | Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89 fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows an Unauthenticated Remote attacker to send a malicious firmware update via BLE and brick the device. | 7.5 |
2022-12-26 | CVE-2021-35953 | Fastrack | Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89 fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remote attacker to cause a Denial of Service (device outage) via crafted choices of the last three bytes of a characteristic value. | 7.5 |
2022-12-26 | CVE-2021-38561 | golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. | 7.5 | |
2022-12-26 | CVE-2022-26964 | Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack. | 7.5 | |
2022-12-26 | CVE-2021-44758 | Heimdal Project | NULL Pointer Dereference vulnerability in Heimdal Project Heimdal Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept. | 7.5 |
2022-12-30 | CVE-2022-34673 | Nvidia | Out-of-bounds Read vulnerability in Nvidia GPU Display Driver 515 NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering. | 7.3 |
2022-12-30 | CVE-2022-42257 | Nvidia Debian | Integer Overflow or Wraparound vulnerability in multiple products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service. | 7.3 |
2022-12-30 | CVE-2022-42258 | Nvidia Debian | Integer Overflow or Wraparound vulnerability in multiple products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure. | 7.3 |
2022-12-30 | CVE-2022-44137 | Sanitization Management System Project | SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0 SourceCodester Sanitization Management System 1.0 is vulnerable to SQL Injection. | 7.2 |
2022-12-27 | CVE-2022-45427 | Dahuasecurity | Unrestricted Upload of File with Dangerous Type vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unrestricted upload of file. | 7.2 |
2022-12-27 | CVE-2022-4722 | Ikus Soft | Improper Authentication vulnerability in Ikus-Soft Rdiffweb Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5. | 7.2 |
2022-12-27 | CVE-2022-4732 | Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2. | 7.2 | |
2022-12-26 | CVE-2021-24942 | Menu Item Visibility Control Project | Unspecified vulnerability in Menu Item Visibility Control Project Menu Item Visibility Control 0.5 The Menu Item Visibility Control WordPress plugin through 0.5 doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment. | 7.2 |
2022-12-26 | CVE-2022-4268 | Plugin Logic Project | Unspecified vulnerability in Plugin Logic Project Plugin Logic 1.0.7 The Plugin Logic WordPress plugin before 1.0.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin | 7.2 |
2022-12-30 | CVE-2022-34677 | Nvidia Debian | Incorrect Conversion between Numeric Types vulnerability in multiple products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering. | 7.1 |
2022-12-30 | CVE-2022-34684 | Nvidia | Off-by-one Error vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure. | 7.1 |
2022-12-30 | CVE-2022-42263 | Nvidia | Integer Overflow or Wraparound vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an Integer overflow may lead to denial of service or information disclosure. | 7.1 |
2022-12-30 | CVE-2022-42265 | Nvidia | Integer Overflow or Wraparound vulnerability in Nvidia GPU Display Driver 515 NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering. | 7.1 |
190 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-12-30 | CVE-2022-4863 | Usememos | Improper Handling of Insufficient Permissions or Privileges vulnerability in Usememos Memos Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1. | 6.5 |
2022-12-29 | CVE-2022-4846 | Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | 6.5 | |
2022-12-29 | CVE-2022-4847 | Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos prior to 0.9.1. | 6.5 | |
2022-12-29 | CVE-2022-4849 | Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | 6.5 | |
2022-12-29 | CVE-2022-4850 | Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | 6.5 | |
2022-12-29 | CVE-2022-4778 | Elvexys | Path Traversal vulnerability in Elvexys Streamx 6.02.01/6.04.34 StreamX applications from versions 6.02.01 to 6.04.34 are affected by a path traversal vulnerability that allows authenticated users to get unauthorized access to files on the server's filesystem. StreamX applications using StreamView HTML component with the public web server feature activated are affected. | 6.5 |
2022-12-28 | CVE-2022-41579 | Huawei | Improper Authentication vulnerability in Huawei Hota-Fara-B19 Firmware 11.1.2.40 There is an insufficient authentication vulnerability in some Huawei band products. | 6.5 |
2022-12-28 | CVE-2022-46740 | Huawei | Unspecified vulnerability in Huawei Ws7100-20 Firmware 10.0.5.33 There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router.Successful exploit could cause a denial of service (DoS) condition. | 6.5 |
2022-12-28 | CVE-2022-4799 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | 6.5 |
2022-12-28 | CVE-2022-4800 | Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1. | 6.5 | |
2022-12-28 | CVE-2022-4812 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | 6.5 |
2022-12-28 | CVE-2022-46173 | Elrond | Incorrect Resource Transfer Between Spheres vulnerability in Elrond GO Elrond-GO is a go implementation for the Elrond Network protocol. | 6.5 |
2022-12-28 | CVE-2022-3346 | GO Resolver Project | Insufficient Verification of Data Authenticity vulnerability in Go-Resolver Project Go-Resolver DNSSEC validation is not performed correctly. | 6.5 |
2022-12-27 | CVE-2022-45426 | Dahuasecurity | Files or Directories Accessible to External Parties vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unrestricted download of file. | 6.5 |
2022-12-27 | CVE-2022-4723 | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5. | 6.5 | |
2022-12-27 | CVE-2020-36633 | Moodle Block Sitenews Project | Cross-Site Request Forgery (CSRF) vulnerability in Moodle-Block Sitenews Project Moodle-Block Sitenews 1.0 A vulnerability was found in moodle-block_sitenews 1.0. | 6.5 |
2022-12-27 | CVE-2022-4766 | Dolibarr Project Timesheet Project | Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr Project Timesheet Project Dolibarr Project Timesheet A vulnerability was found in dolibarr_project_timesheet up to 4.5.5. | 6.5 |
2022-12-27 | CVE-2021-4287 | Microsoft | Link Following vulnerability in Microsoft Binwalk A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2. | 6.5 |
2022-12-26 | CVE-2018-16135 | Opera | Unspecified vulnerability in Opera Mini 47.1.2249.129326 The Opera Mini application 47.1.2249.129326 for Android allows remote attackers to spoof the Location Permission dialog via a crafted web site. | 6.5 |
2022-12-26 | CVE-2019-13988 | Sierra Wireless MGOS before 3.15.2 and 4.x before 4.3 allows attackers to read log files via a Direct Request (aka Forced Browsing). | 6.5 | |
2022-12-26 | CVE-2019-18177 | In certain Citrix products, information disclosure can be achieved by an authenticated VPN user when there is a configured SSL VPN endpoint. | 6.5 | |
2022-12-26 | CVE-2022-4150 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. | 6.5 |
2022-12-26 | CVE-2022-4151 | Contest Gallery | SQL Injection vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. | 6.5 |
2022-12-26 | CVE-2022-4152 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. | 6.5 |
2022-12-26 | CVE-2022-4153 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. | 6.5 |
2022-12-26 | CVE-2022-4159 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in 0_change-gallery.php. | 6.5 |
2022-12-26 | CVE-2022-4160 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. | 6.5 |
2022-12-26 | CVE-2022-4161 | Contest Gallery | SQL Injection vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in copy-gallery-images.php. | 6.5 |
2022-12-26 | CVE-2022-4162 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in 3_row-order.php. | 6.5 |
2022-12-26 | CVE-2022-4163 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to an SQL query in 2_deactivate.php and 4_activate.php, respectively. | 6.5 |
2022-12-26 | CVE-2022-4164 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an SQL query in 0_change-gallery.php. | 6.5 |
2022-12-26 | CVE-2022-4165 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. | 6.5 |
2022-12-26 | CVE-2022-4166 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. | 6.5 |
2022-12-26 | CVE-2022-4239 | Amentotech | Unspecified vulnerability in Amentotech Workreap The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id. | 6.5 |
2022-12-26 | CVE-2022-4266 | Speakdigital | Unspecified vulnerability in Speakdigital Bulk Delete Users BY Email 1.2 The Bulk Delete Users by Email WordPress plugin through 1.2 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attack | 6.5 |
2022-12-26 | CVE-2021-39369 | Philips | Path Traversal vulnerability in Philips Myvue, Speech and VUE Pacs In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root. | 6.5 |
2022-12-28 | CVE-2022-46172 | Goauthentik | Improper Privilege Management vulnerability in Goauthentik Authentik authentik is an open-source Identity provider focused on flexibility and versatility. | 6.4 |
2023-01-01 | CVE-2022-37786 | Wecube Platform Project | Improper Neutralization of Formula Elements in a CSV File vulnerability in Wecube-Platform Project Wecube-Platform 3.2.2 An issue was discovered in WeCube Platform 3.2.2. | 6.3 |
2023-01-01 | CVE-2010-10002 | Simplesamlphp | Cross-site Scripting vulnerability in Simplesamlphp Simplesamlphp-Module-Openid ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in SimpleSAMLphp simplesamlphp-module-openid. | 6.1 |
2023-01-01 | CVE-2015-10006 | Ingnovarq Project | Cross-site Scripting vulnerability in Ingnovarq Project Ingnovarq A vulnerability, which was classified as problematic, has been found in admont28 Ingnovarq. | 6.1 |
2023-01-01 | CVE-2018-25063 | Zenoss | Cross-site Scripting vulnerability in Zenoss Dashboard A vulnerability classified as problematic was found in Zenoss Dashboard up to 1.3.4. | 6.1 |
2023-01-01 | CVE-2022-37787 | Wecube Platform Project | Cross-site Scripting vulnerability in Wecube-Platform Project Wecube-Platform 3.2.2 An issue was discovered in WeCube platform 3.2.2. | 6.1 |
2023-01-01 | CVE-2021-41823 | Kemptechnologies | Cross-site Scripting vulnerability in Kemptechnologies web Application Firewall 7.2.54.1 The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism. | 6.1 |
2022-12-31 | CVE-2014-125027 | Tbdev Project | Cross-site Scripting vulnerability in Tbdev Project Tbdev A vulnerability has been found in Yuna Scatari TBDev up to 2.1.17 and classified as problematic. | 6.1 |
2022-12-31 | CVE-2017-20158 | Yii2 Fileapi Widget Project | Cross-site Scripting vulnerability in Yii2 Fileapi Widget Project Yii2 Fileapi Widget ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. | 6.1 |
2022-12-31 | CVE-2017-20159 | Keynote Project | Cross-site Scripting vulnerability in Keynote Project Keynote A vulnerability was found in rf Keynote up to 0.x on Rails. | 6.1 |
2022-12-30 | CVE-2017-20155 | Sterc | Cross-site Scripting vulnerability in Sterc Google Analytics Dashboard for Modx A vulnerability was found in Sterc Google Analytics Dashboard for MODX up to 1.0.5. | 6.1 |
2022-12-30 | CVE-2022-34674 | Nvidia Debian | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak. | 6.1 |
2022-12-30 | CVE-2017-20153 | Imageserve Project | Cross-site Scripting vulnerability in Imageserve Project Imageserve A vulnerability has been found in aerouk imageserve and classified as problematic. | 6.1 |
2022-12-30 | CVE-2020-36637 | Adminserv Project | Cross-site Scripting vulnerability in Adminserv Project Adminserv ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ. | 6.1 |
2022-12-30 | CVE-2020-36638 | Adminserv Project | Cross-site Scripting vulnerability in Adminserv Project Adminserv ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ. | 6.1 |
2022-12-30 | CVE-2022-4859 | Joget | Cross-site Scripting vulnerability in Joget DX A vulnerability, which was classified as problematic, has been found in Joget up to 7.0.33. | 6.1 |
2022-12-29 | CVE-2022-30519 | Reprisesoftware | Cross-site Scripting vulnerability in Reprisesoftware Reprise License Manager 14.2Bl4 XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows remote attacker to inject arbitrary code via password field. | 6.1 |
2022-12-29 | CVE-2022-38204 | Esri | Cross-site Scripting vulnerability in Esri Portal for Arcgis 10.7.1/10.8.1 There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. | 6.1 |
2022-12-29 | CVE-2022-38206 | There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser. | 6.1 | |
2022-12-29 | CVE-2022-38207 | Esri | Cross-site Scripting vulnerability in Esri Portal for Arcgis 10.7.1/10.8.1 There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote remote, unauthenticated attacker to create a crafted link which when clicked which could execute arbitrary JavaScript code in the victim’s browser. | 6.1 |
2022-12-29 | CVE-2022-38208 | There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. | 6.1 | |
2022-12-29 | CVE-2022-38209 | There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser. | 6.1 | |
2022-12-29 | CVE-2022-38210 | Esri | Cross-site Scripting vulnerability in Esri Portal for Arcgis There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser. | 6.1 |
2022-12-29 | CVE-2021-4296 | W3 | Cross-site Scripting vulnerability in W3 Unicorn A vulnerability, which was classified as problematic, has been found in w3c Unicorn. | 6.1 |
2022-12-29 | CVE-2018-25058 | Twitter Post Fetcher Project | Unspecified vulnerability in Twitter-Post-Fetcher Project Twitter-Post-Fetcher A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x. | 6.1 |
2022-12-28 | CVE-2022-4819 | Hotcrp | Cross-site Scripting vulnerability in Hotcrp A vulnerability was found in HotCRP. | 6.1 |
2022-12-28 | CVE-2022-4820 | Flatpress | Cross-site Scripting vulnerability in Flatpress A vulnerability classified as problematic has been found in FlatPress. | 6.1 |
2022-12-28 | CVE-2022-4821 | Flatpress | Cross-site Scripting vulnerability in Flatpress A vulnerability classified as problematic was found in FlatPress. | 6.1 |
2022-12-28 | CVE-2022-4822 | Flatpress | Cross-site Scripting vulnerability in Flatpress A vulnerability, which was classified as problematic, has been found in FlatPress. | 6.1 |
2022-12-28 | CVE-2018-25051 | Pomash Project | Cross-site Scripting vulnerability in Pomash Project Pomash A vulnerability, which was classified as problematic, was found in JmPotato Pomash. | 6.1 |
2022-12-28 | CVE-2018-25052 | Catalyst Plugin Session Project | Cross-site Scripting vulnerability in Catalyst-Plugin-Session Project Catalyst-Plugin-Session A vulnerability has been found in Catalyst-Plugin-Session up to 0.40 and classified as problematic. | 6.1 |
2022-12-28 | CVE-2018-25053 | Json2Html | Cross-site Scripting vulnerability in Json2Html A vulnerability was found in moappi Json2html up to 1.1.x and classified as problematic. | 6.1 |
2022-12-28 | CVE-2018-25055 | Farcry Solr PRO Project | Cross-site Scripting vulnerability in Farcry Solr PRO Project Farcry Solr PRO A vulnerability was found in FarCry Solr Pro Plugin up to 1.5.x. | 6.1 |
2022-12-28 | CVE-2018-25056 | Yola | Cross-site Scripting vulnerability in Yola Yolapi A vulnerability, which was classified as problematic, was found in yolapi. | 6.1 |
2022-12-28 | CVE-2018-25050 | Getharvest | Cross-site Scripting vulnerability in Getharvest Chosen A vulnerability, which was classified as problematic, has been found in Harvest Chosen up to 1.8.6. | 6.1 |
2022-12-28 | CVE-2021-4293 | SIR | Cross-site Scripting vulnerability in SIR Youngcart5 ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in gnuboard youngcart5 up to 5.4.5.1. | 6.1 |
2022-12-28 | CVE-2022-23544 | MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. | 6.1 | |
2022-12-27 | CVE-2020-36636 | Openmrs | Cross-site Scripting vulnerability in Openmrs Admin UI Module A vulnerability classified as problematic has been found in OpenMRS Admin UI Module up to 1.4.x. | 6.1 |
2022-12-27 | CVE-2021-4291 | Openmrs | Cross-site Scripting vulnerability in Openmrs Admin UI Module 1.5.0 A vulnerability was found in OpenMRS Admin UI Module up to 1.5.x. | 6.1 |
2022-12-27 | CVE-2021-4292 | Openmrs | Cross-site Scripting vulnerability in Openmrs Admin UI Module A vulnerability was found in OpenMRS Admin UI Module up to 1.4.x. | 6.1 |
2022-12-27 | CVE-2020-36626 | TRI | Cross-site Scripting vulnerability in TRI Panel Builder A vulnerability classified as critical has been found in Modern Tribe Panel Builder Plugin. | 6.1 |
2022-12-27 | CVE-2022-4720 | Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5. | 6.1 | |
2022-12-27 | CVE-2022-4727 | Openmrs | Cross-site Scripting vulnerability in Openmrs Appointment Scheduling Module A vulnerability, which was classified as problematic, was found in OpenMRS Appointment Scheduling Module up to 1.16.x. | 6.1 |
2022-12-27 | CVE-2019-25090 | Sangoma | Cross-site Scripting vulnerability in Sangoma Freepbx A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic. | 6.1 |
2022-12-27 | CVE-2021-4288 | Openmrs | Cross-site Scripting vulnerability in Openmrs Reference Application A vulnerability was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. | 6.1 |
2022-12-27 | CVE-2021-4289 | Openmrs | Cross-site Scripting vulnerability in Openmrs Reference Application A vulnerability classified as problematic was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. | 6.1 |
2022-12-27 | CVE-2021-4285 | Nagios | Cross-site Scripting vulnerability in Nagios Cross Platform Agent A vulnerability classified as problematic was found in Nagios NCPA. | 6.1 |
2022-12-27 | CVE-2021-4282 | Sangoma | Cross-site Scripting vulnerability in Sangoma Voicemail A vulnerability was found in FreePBX voicemail. | 6.1 |
2022-12-27 | CVE-2021-4284 | Openmrs | Cross-site Scripting vulnerability in Openmrs Htmlformentryui A vulnerability classified as problematic has been found in OpenMRS HTML Form Entry UI Framework Integration Module up to 1.x. | 6.1 |
2022-12-27 | CVE-2022-4755 | Flatpress | Cross-site Scripting vulnerability in Flatpress A vulnerability was found in FlatPress and classified as problematic. | 6.1 |
2022-12-26 | CVE-2022-36664 | Adiscon | Cross-site Scripting vulnerability in Adiscon Password Manager for IIS 2.0 Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter. | 6.1 |
2022-12-26 | CVE-2022-4227 | Booster | Unspecified vulnerability in Booster for Woocommerce The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting | 6.1 |
2022-12-26 | CVE-2022-4267 | Speakdigital | Unspecified vulnerability in Speakdigital Bulk Delete Users BY Email 1.2 The Bulk Delete Users by Email WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | 6.1 |
2022-12-26 | CVE-2021-30134 | php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php. | 6.1 | |
2022-12-26 | CVE-2022-37309 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6 OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. | 6.1 |
2022-12-26 | CVE-2022-37310 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6 OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. | 6.1 |
2022-12-26 | CVE-2022-37308 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6 OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. | 6.1 |
2022-12-26 | CVE-2022-31469 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6 OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. | 6.1 |
2022-12-26 | CVE-2022-37307 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6 OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. | 6.1 |
2022-12-28 | CVE-2022-4823 | Instedd | Information Exposure Through Discrepancy vulnerability in Instedd Nuntium A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium. | 5.9 |
2022-12-28 | CVE-2021-4294 | Redhat | Information Exposure Through Discrepancy vulnerability in Redhat Openshift Container Platform and Openshift Osin A vulnerability was found in OpenShift OSIN. | 5.9 |
2022-12-27 | CVE-2022-45434 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. | 5.9 |
2022-12-29 | CVE-2022-4848 | Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1. | 5.7 | |
2022-12-30 | CVE-2022-34675 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and GPU Display Driver NVIDIA Display Driver for Linux contains a vulnerability in the Virtual GPU Manager, where it does not check the return value from a null-pointer dereference, which may lead to denial of service. | 5.5 |
2022-12-30 | CVE-2022-34678 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service. | 5.5 |
2022-12-30 | CVE-2022-34679 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service. | 5.5 |
2022-12-30 | CVE-2022-34680 | Nvidia Debian | Incorrect Conversion between Numeric Types vulnerability in multiple products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service. | 5.5 |
2022-12-30 | CVE-2022-34681 | Nvidia | Improper Input Validation vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler, where improper input validation of a display-related data structure may lead to denial of service. | 5.5 |
2022-12-30 | CVE-2022-34682 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service. | 5.5 |
2022-12-30 | CVE-2022-34683 | Nvidia | NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a null-pointer dereference occurs, which may lead to denial of service. | 5.5 |
2022-12-30 | CVE-2022-42259 | Nvidia Debian | Integer Overflow or Wraparound vulnerability in multiple products NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service. | 5.5 |
2022-12-28 | CVE-2022-45874 | Huawei | Unspecified vulnerability in Huawei Aslan-Al10 Firmware Huawei Aslan Children's Watch has an improper authorization vulnerability. | 5.5 |
2022-12-27 | CVE-2021-4235 | Yaml Project | Unspecified vulnerability in Yaml Project Yaml Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. | 5.5 |
2022-12-26 | CVE-2021-43395 | Illumos Omniosce Openindiana Joyent Oracle | Improper Locking vulnerability in multiple products An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923. | 5.5 |
2023-01-01 | CVE-2022-34323 | Sage | Cross-site Scripting vulnerability in Sage XRT Business Exchange 12.4.302 Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users' browsers. | 5.4 |
2023-01-01 | CVE-2023-0028 | Linagora | Cross-site Scripting vulnerability in Linagora Twake Cross-site Scripting (XSS) - Stored in GitHub repository linagora/twake prior to 2023.Q1.1200+. | 5.4 |
2022-12-30 | CVE-2022-4864 | Froxlor | Injection vulnerability in Froxlor Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. | 5.4 |
2022-12-29 | CVE-2022-46181 | Gotify | Cross-site Scripting vulnerability in Gotify Server Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. | 5.4 |
2022-12-29 | CVE-2022-4839 | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1. | 5.4 | |
2022-12-29 | CVE-2022-4840 | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1. | 5.4 | |
2022-12-29 | CVE-2022-4841 | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1. | 5.4 | |
2022-12-28 | CVE-2022-23554 | Alpine Project | Incorrect Comparison vulnerability in Alpine Project Alpine Alpine is a scaffolding library in Java. | 5.4 |
2022-12-28 | CVE-2022-4802 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | 5.4 |
2022-12-28 | CVE-2022-4811 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos.This issue affects usememos/memos before 0.9.1. | 5.4 |
2022-12-28 | CVE-2018-25054 | Shredzone | Cross-site Scripting vulnerability in Shredzone Cilla A vulnerability was found in shred cilla. | 5.4 |
2022-12-27 | CVE-2020-36635 | Openmrs | Cross-site Scripting vulnerability in Openmrs Appointment Scheduling Module A vulnerability was found in OpenMRS Appointment Scheduling Module up to 1.12.x. | 5.4 |
2022-12-27 | CVE-2022-47968 | Heimdall Application Dashboard through 2.5.4 allows reflected and stored XSS via "Application name" to the "Add application" page. | 5.4 | |
2022-12-27 | CVE-2022-4691 | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0. | 5.4 | |
2022-12-27 | CVE-2022-4694 | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0. | 5.4 | |
2022-12-27 | CVE-2022-4695 | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0. | 5.4 | |
2022-12-27 | CVE-2022-4721 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository ikus060/rdiffweb prior to 2.5.5. | 5.4 | |
2022-12-27 | CVE-2022-4728 | Graphite Project | Cross-site Scripting vulnerability in Graphite Project Graphite A vulnerability has been found in Graphite Web and classified as problematic. | 5.4 |
2022-12-27 | CVE-2022-4729 | Graphite Project | Cross-site Scripting vulnerability in Graphite Project Graphite A vulnerability was found in Graphite Web and classified as problematic. | 5.4 |
2022-12-27 | CVE-2022-4730 | Graphite Project | Cross-site Scripting vulnerability in Graphite Project Graphite A vulnerability was found in Graphite Web. | 5.4 |
2022-12-27 | CVE-2020-36634 | Indeed | Cross-site Scripting vulnerability in Indeed Util A vulnerability classified as problematic has been found in Indeed Engineering util up to 1.0.33. | 5.4 |
2022-12-27 | CVE-2019-25088 | Oxidized WEB Project | Cross-site Scripting vulnerability in Oxidized web Project Oxidized web A vulnerability was found in ytti Oxidized Web. | 5.4 |
2022-12-27 | CVE-2021-4283 | Sangoma | Cross-site Scripting vulnerability in Sangoma Voicemail A vulnerability was found in FreeBPX voicemail. | 5.4 |
2022-12-27 | CVE-2019-25086 | Open | Cross-site Scripting vulnerability in Open Media Player A vulnerability was found in IET-OU Open Media Player up to 1.5.0. | 5.4 |
2022-12-26 | CVE-2021-44855 | Mediawiki | Cross-site Scripting vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. | 5.4 |
2022-12-26 | CVE-2022-29852 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6 OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked. | 5.4 |
2022-12-26 | CVE-2022-29853 | Open Xchange | Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6/8.2 OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message. | 5.4 |
2023-01-01 | CVE-2022-45027 | Perfsonar | Server-Side Request Forgery (SSRF) vulnerability in Perfsonar perfSONAR before 4.4.6, when performing participant discovery, incorrectly uses an HTTP request header value to determine a local address. | 5.3 |
2023-01-01 | CVE-2022-45213 | Perfsonar | Unspecified vulnerability in Perfsonar perfSONAR before 4.4.6 inadvertently supports the parse option for a file:// URL. | 5.3 |
2022-12-30 | CVE-2018-25059 | Pastebinit Project | Path Traversal vulnerability in Pastebinit Project Pastebinit 0.2.2 A vulnerability was found in pastebinit up to 0.2.2 and classified as problematic. | 5.3 |
2022-12-29 | CVE-2022-4851 | Improper Handling of Values in GitHub repository usememos/memos prior to 0.9.1. | 5.3 | |
2022-12-28 | CVE-2022-4798 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | 5.3 |
2022-12-28 | CVE-2022-4801 | Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1. | 5.3 | |
2022-12-28 | CVE-2022-4804 | Improper Authorization in GitHub repository usememos/memos prior to 0.9.1. | 5.3 | |
2022-12-28 | CVE-2022-4806 | Usememos | Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. | 5.3 |
2022-12-28 | CVE-2020-36563 | Robotsandpencils | Improper Verification of Cryptographic Signature vulnerability in Robotsandpencils Go-Saml XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input. | 5.3 |
2022-12-27 | CVE-2019-25091 | Nsupdate | Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Nsupdate Nsupdate.Info A vulnerability classified as problematic has been found in nsupdate.info. | 5.3 |
2022-12-27 | CVE-2022-45424 | Dahuasecurity | Missing Authentication for Critical Function vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. | 5.3 |
2022-12-27 | CVE-2022-45432 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unauthenticated search for devices. | 5.3 |
2022-12-26 | CVE-2019-19030 | Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists. | 5.3 | |
2022-12-26 | CVE-2019-14802 | HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. | 5.3 | |
2022-12-26 | CVE-2019-9011 | In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames. | 5.3 | |
2022-12-26 | CVE-2021-35952 | Fastrack | Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89 fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remote attacker to change the time, date, and month via Bluetooth LE Characteristics on handle 0x0017. | 5.3 |
2022-12-26 | CVE-2021-44856 | Mediawiki | Improper Check for Unusual or Exceptional Conditions vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. | 5.3 |
2022-12-26 | CVE-2022-41765 | Mediawiki | Information Exposure Through Discrepancy vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. | 5.3 |
2022-12-26 | CVE-2022-41767 | Mediawiki | Unspecified vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. | 5.3 |
2022-12-26 | CVE-2021-44854 | Mediawiki | Unspecified vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. | 5.3 |
2022-12-26 | CVE-2022-37311 | Open Xchange | Improper Validation of Specified Quantity in Input vulnerability in Open-Xchange Appsuite OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. | 5.3 |
2022-12-26 | CVE-2022-37312 | Open Xchange | Improper Validation of Specified Quantity in Input vulnerability in Open-Xchange Appsuite OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. | 5.3 |
2022-12-26 | CVE-2022-37313 | Open Xchange | Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6 OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. | 5.3 |
2022-12-30 | CVE-2022-4861 | M Files | Improper Authentication vulnerability in M-Files Client Incorrect implementation in authentication protocol in M-Files Client before 22.5.11356.0 allows high privileged user to get other users tokens to another resource. | 4.9 |
2022-12-26 | CVE-2022-4154 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. | 4.9 |
2022-12-26 | CVE-2022-4155 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. | 4.9 |
2022-12-26 | CVE-2022-4157 | Contest Gallery | Unspecified vulnerability in Contest-Gallery Contest Gallery The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. | 4.9 |
2023-01-01 | CVE-2022-40711 | Primekey | Cross-site Scripting vulnerability in Primekey Ejbca 7.9.0.2 PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section. | 4.8 |
2022-12-28 | CVE-2022-3922 | Managewp | Cross-site Scripting vulnerability in Managewp Broken Link Checker The Broken Link Checker WordPress plugin before 1.11.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2022-12-28 | CVE-2019-25092 | Mellivora Project | Cross-site Scripting vulnerability in Mellivora Project Mellivora 1.0/2.0/2.1 A vulnerability classified as problematic was found in Nakiami Mellivora up to 2.1.x. | 4.8 |
2022-12-27 | CVE-2022-4733 | Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.2. | 4.8 | |
2022-12-26 | CVE-2022-3835 | Kwayyinfotech | Unspecified vulnerability in Kwayyinfotech Kwayy Html Sitemap The Kwayy HTML Sitemap WordPress plugin before 4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-3840 | WP Glogin | Unspecified vulnerability in Wp-Glogin Login for Google Apps The Login for Google Apps WordPress plugin before 3.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-4042 | Paytium | Unspecified vulnerability in Paytium 4.3.6 The Paytium: Mollie payment forms & donations WordPress plugin before 4.3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-4110 | Eventify Project | Unspecified vulnerability in Eventify Project Eventify 2.1 The Eventify™ WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-4197 | 10Web | Unspecified vulnerability in 10Web Slider The Sliderby10Web WordPress plugin before 1.2.53 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-4226 | Wpkube | Unspecified vulnerability in Wpkube Simple Basic Contact Form The Simple Basic Contact Form WordPress plugin before 20221201 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-4242 | Ljapps | Cross-site Scripting vulnerability in Ljapps WP Google Review Slider The WP Google Review Slider WordPress plugin before 11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-4243 | Wpscoop | Unspecified vulnerability in Wpscoop Imageinject The ImageInject WordPress plugin through 1.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2022-12-26 | CVE-2022-24120 | Certain General Electric Renewable Energy products store cleartext credentials in flash memory. | 4.6 | |
2022-12-31 | CVE-2022-4868 | Froxlor | Improper Authorization vulnerability in Froxlor Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. | 4.3 |
2022-12-31 | CVE-2022-4867 | Froxlor | Cross-Site Request Forgery (CSRF) vulnerability in Froxlor Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. | 4.3 |
2022-12-29 | CVE-2022-4845 | Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. | 4.3 | |
2022-12-28 | CVE-2022-4818 | Talend | XXE vulnerability in Talend Open Studio for MDM A vulnerability was found in Talend Open Studio for MDM. | 4.3 |
2022-12-28 | CVE-2022-4797 | Improper Restriction of Excessive Authentication Attempts in GitHub repository usememos/memos prior to 0.9.1. | 4.3 | |
2022-12-28 | CVE-2022-4805 | Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1. | 4.3 | |
2022-12-28 | CVE-2022-4807 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. | 4.3 | |
2022-12-28 | CVE-2022-4810 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. | 4.3 | |
2022-12-28 | CVE-2022-4813 | Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1. | 4.3 | |
2022-12-28 | CVE-2022-4814 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. | 4.3 | |
2022-12-27 | CVE-2022-2582 | The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. | 4.3 | |
2022-12-27 | CVE-2022-4734 | Usememos | Improper Cross-boundary Removal of Sensitive Data vulnerability in Usememos Memos Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository usememos/memos prior to 0.9.1. | 4.3 |
2022-12-28 | CVE-2022-46174 | Amazon | Race Condition vulnerability in Amazon products efs-utils is a set of Utilities for Amazon Elastic File System (EFS). | 4.2 |
7 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2022-12-27 | CVE-2022-2583 | Gobase Project | Race Condition vulnerability in Gobase Project Gobase A race condition can cause incorrect HTTP request routing. | 3.7 |
2022-12-27 | CVE-2022-45430 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. | 3.7 |
2022-12-27 | CVE-2022-45433 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server. | 3.7 |
2023-01-01 | CVE-2022-47952 | Linuxcontainers | Information Exposure Through Discrepancy vulnerability in Linuxcontainers LXC lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. | 3.3 |
2022-12-30 | CVE-2022-42266 | Nvidia | Information Exposure vulnerability in Nvidia Cloud Gaming and Virtual GPU NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can cause exposure of sensitive information to an actor that is not explicitly authorized to have access to that information, which may lead to limited information disclosure. | 3.3 |
2022-12-28 | CVE-2022-4773 | Cloudsync Project | Path Traversal vulnerability in Cloudsync Project Cloudsync ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic was found in cloudsync. | 3.3 |
2022-12-27 | CVE-2022-45428 | Dahuasecurity | Unspecified vulnerability in Dahuasecurity products Some Dahua software products have a vulnerability of sensitive information leakage. | 2.7 |