Weekly Vulnerabilities Reports > December 26, 2022 to January 1, 2023

Overview

396 new vulnerabilities were reported during this period, including 87 critical vulnerabilities and 112 high severity vulnerabilities. This weekly summary reports vulnerabilities in 444 products from 177 vendors, including Nvidia, Trendnet, Contest Gallery, Tenda, and Dahuasecurity. Notable vulnerability categories include "Cross-site Scripting", "Out-of-bounds Write", "Path Traversal", "SQL Injection", and "Cross-Site Request Forgery (CSRF)".

  • 345 reported vulnerabilities are remotely exploitable.
  • 153 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 257 reported vulnerabilities are exploitable by an anonymous user.
  • Nvidia has the most reported vulnerabilities, with 32 reported vulnerabilities.
  • Trendnet has the most reported critical vulnerabilities, with 20 reported vulnerabilities.

Vulnerability Details

The following table lists the vulnerabilities reported for the period covered by this report:

87 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-01-01 CVE-2021-4297 Jobe Project Unspecified vulnerability in Jobe Project Jobe

A vulnerability has been found in trampgeek jobe up to 1.6.4 and classified as problematic.

9.8
2023-01-01 CVE-2014-125030 Empress Project Use of Hard-coded Credentials vulnerability in Empress Project Empress

A vulnerability, which was classified as critical, has been found in taoeffect Empress.

9.8
2023-01-01 CVE-2022-48198 Ntpd Driver Project Exposure of Resource to Wrong Sphere vulnerability in Ntpd Driver Project Ntpd Driver

The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior.

9.8
2022-12-31 CVE-2017-20160 Flitto Unspecified vulnerability in Flitto Express-Param

A vulnerability was found in flitto express-param up to 0.x.

9.8
2022-12-31 CVE-2017-20156 Printer Project Command Injection vulnerability in Printer Project Printer

A vulnerability was found in Exciting Printer and classified as critical.

9.8
2022-12-31 CVE-2017-20157 Ariadne CMS Server-Side Request Forgery (SSRF) vulnerability in Ariadne-Cms Ariadne Component Library

A vulnerability was found in Ariadne Component Library up to 2.x.

9.8
2022-12-31 CVE-2022-48195 Mellium Improper Authentication vulnerability in Mellium Sasl 0.3.0

An issue was discovered in Mellium mellium.im/sasl before 0.3.1.

9.8
2022-12-30 CVE-2022-46580 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the user_edit_page parameter in the wifi_captive_portal function.

9.8
2022-12-30 CVE-2022-46581 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the cameo.cameo.nslookup_target parameter in the tools_nslookup function.

9.8
2022-12-30 CVE-2022-46582 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the login_name parameter in the do_graph_auth (sub_4061E0) function.

9.8
2022-12-30 CVE-2022-46583 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the reboot_type parameter in the wizard_ipv6 (sub_41C380) function.

9.8
2022-12-30 CVE-2022-46584 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the qcawifi.wifi%d_vap%d.maclist parameter in the kick_ban_wifi_mac_deny (sub_415D7C) function.

9.8
2022-12-30 CVE-2022-46585 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the REMOTE_USER parameter in the get_access (sub_45AC2C) function.

9.8
2022-12-30 CVE-2022-46586 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the qcawifi.wifi%d_vap%d.maclist parameter in the kick_ban_wifi_mac_allow (sub_415B00) function.

9.8
2022-12-30 CVE-2022-46588 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the sys_service parameter in the setup_wizard_mydlink (sub_4104B8) function.

9.8
2022-12-30 CVE-2022-46589 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the cameo.cameo.netstat_option parameter in the tools_netstat (sub_41E730) function.

9.8
2022-12-30 CVE-2022-46590 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the cameo.cameo.netstat_rsname parameter in the tools_netstat (sub_41E730) function.

9.8
2022-12-30 CVE-2022-46591 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the reject_url parameter in the reject (sub_41BD60) function.

9.8
2022-12-30 CVE-2022-46592 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the wps_sta_enrollee_pin parameter in the set_sta_enrollee_pin_5g function.

9.8
2022-12-30 CVE-2022-46593 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the wps_sta_enrollee_pin parameter in the do_sta_enrollee_wifi function.

9.8
2022-12-30 CVE-2022-46594 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the update_file_name parameter in the auto_up_fw (sub_420A04) function.

9.8
2022-12-30 CVE-2022-46596 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the del_num parameter in the icp_delete_img (sub_41DEDC) function.

9.8
2022-12-30 CVE-2022-46597 Trendnet OS Command Injection vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the sys_service parameter in the setup_wizard_mydlink (sub_4104B8) function.

9.8
2022-12-30 CVE-2022-46598 Trendnet OS Command Injection vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_5g function.

9.8
2022-12-30 CVE-2022-46599 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the setlogo_num parameter in the icp_setlogo_img (sub_41DBF4) function.

9.8
2022-12-30 CVE-2022-46600 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_24g function.

9.8
2022-12-30 CVE-2022-46601 Trendnet Out-of-bounds Write vulnerability in Trendnet Tew-755Ap Firmware 1.13B01

TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the setbg_num parameter in the icp_setbg_img (sub_41DD68) function.

9.8
2022-12-30 CVE-2022-47115 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepauth parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47117 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the security parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47118 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey1 parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47119 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the ssid parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47120 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47121 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47122 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlPwd_5g parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47123 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey3 parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47124 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey4 parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47125 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlEn_5g parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47126 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlEn parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47127 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wrlPwd parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2022-47128 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the wepkey2 parameter at /goform/WifiBasicSet.

9.8
2022-12-30 CVE-2017-20151 Itextpdf XXE vulnerability in Itextpdf Rups

A vulnerability classified as problematic was found in iText RUPS.

9.8
2022-12-30 CVE-2022-4860 Kbase SQL Injection vulnerability in Kbase Metrics

A vulnerability was found in KBase Metrics.

9.8
2022-12-30 CVE-2022-44621 Apache Command Injection vulnerability in Apache Kylin

Diagnosis Controller misses parameter validation, so users may be attacked by command injection via HTTP request.

9.8
2022-12-30 CVE-2022-4855 Lead Management System Project SQL Injection vulnerability in Lead Management System Project Lead Management System 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Lead Management System 1.0.

9.8
2022-12-30 CVE-2022-48196 Netgear Classic Buffer Overflow vulnerability in Netgear products

Certain NETGEAR devices are affected by a buffer overflow by an unauthenticated attacker.

9.8
2022-12-29 CVE-2021-4295 Healthit XXE vulnerability in Healthit Code-Validator-Api

A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30.

9.8
2022-12-29 CVE-2022-4779 Elvexys Path Traversal vulnerability in Elvexys Streamx 6.02.01/6.04.34

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows bypassing the implemented authentication scheme. StreamX applications using the StreamView HTML component with the public web server feature activated are affected.

9.8
2022-12-28 CVE-2018-25057 Mikebharris SQL Injection vulnerability in Mikebharris Simple PHP Link Shortener

A vulnerability was found in simple_php_link_shortener.

9.8
2022-12-27 CVE-2021-4290 Fallstudie Project SQL Injection vulnerability in Fallstudie Project Fallstudie

A vulnerability was found in DHBW Fallstudie.

9.8
2022-12-27 CVE-2022-4768 Dropbox Injection vulnerability in Dropbox Merou

A vulnerability was found in Dropbox merou.

9.8
2022-12-27 CVE-2014-125026 Cloudflare Out-of-bounds Write vulnerability in Cloudflare Golz4

LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input.

9.8
2022-12-27 CVE-2017-20146 Gorillatoolkit Origin Validation Error vulnerability in Gorillatoolkit Handlers 1.1/1.2/1.2.1

Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.

9.8
2022-12-27 CVE-2021-4236 WEB Project NULL Pointer Dereference vulnerability in web Project web 1.4.0/1.5.0/1.5.1

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass.

9.8
2022-12-27 CVE-2022-45778 Hillstonenet Unspecified vulnerability in Hillstonenet products

https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000 <= 5.0.4.0 is vulnerable to Incorrect Access Control.

9.8
2022-12-27 CVE-2022-45963 H3C Unspecified vulnerability in H3C products

h3c firewall <= 3.10 ESS6703 has a privilege bypass vulnerability.

9.8
2022-12-27 CVE-2022-46442 dedecms <=V5.7.102 is vulnerable to SQL Injection.
9.8
2022-12-27 CVE-2022-4719 Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5.
9.8
2022-12-27 CVE-2022-4724 Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5.
9.8
2022-12-27 CVE-2022-4725 Amazon Server-Side Request Forgery (SSRF) vulnerability in Amazon AWS Software Development KIT

A vulnerability was found in AWS SDK 2.59.0.

9.8
2022-12-27 CVE-2022-4726 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

A vulnerability classified as critical was found in SourceCodester Sanitization Management System 1.0.

9.8
2022-12-27 CVE-2022-4748 Flatpress Path Traversal vulnerability in Flatpress

A vulnerability was found in FlatPress.

9.8
2022-12-27 CVE-2022-46764 Trueconf SQL Injection vulnerability in Trueconf Server

A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution.

9.8
2022-12-26 CVE-2019-11851 Sierrawireless Classic Buffer Overflow vulnerability in Sierrawireless Aleos

The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through 4.13.x before 4.14.0 allows remote attackers to execute arbitrary code via a buffer overflow.

9.8
2022-12-26 CVE-2020-24600 Capexweb Project SQL Injection vulnerability in Capexweb Project Capexweb 1.1

Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request.

9.8
2022-12-26 CVE-2020-11101 Sierra Wireless AirLink Mobility Manager (AMM) before 2.17 mishandles sessions and thus an unauthenticated attacker can obtain a login session with administrator privileges.
9.8
2022-12-26 CVE-2021-4281 Forthebadge OS Command Injection vulnerability in Forthebadge for the Badge 1.0.0/1.1.0

A vulnerability was found in Brave UX for-the-badge and classified as critical.

9.8
2022-12-26 CVE-2022-4047 Wpswings Unspecified vulnerability in Wpswings Return Refund and Exchange for Woocommerce

The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE.

9.8
2022-12-26 CVE-2022-4117 IWS GEO Form Fields Project Unspecified vulnerability in Iws-Geo-Form-Fields Project Iws-Geo-Form-Fields 1.0

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.

9.8
2022-12-26 CVE-2022-4120 Trumani Unspecified vulnerability in Trumani Stop Spammers

The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.

9.8
2022-12-26 CVE-2022-4742 Json Pointer Project Unspecified vulnerability in Json-Pointer Project Json-Pointer

A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1.

9.8
2022-12-26 CVE-2022-26969 In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
9.8
2022-12-26 CVE-2021-45466 Control Webpanel Incorrect Authorization vulnerability in Control-Webpanel Webpanel

In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.

9.8
2022-12-26 CVE-2021-45467 Control Webpanel Unspecified vulnerability in Control-Webpanel Webpanel

In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI.

9.8
2022-12-26 CVE-2022-24116 Certain General Electric Renewable Energy products have inadequate encryption strength.
9.8
2022-12-26 CVE-2022-24117 Certain General Electric Renewable Energy products download firmware without an integrity check.
9.8
2022-12-26 CVE-2022-24119 Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell.
9.8
2022-12-29 CVE-2022-36437 Hazelcast Session Fixation vulnerability in Hazelcast Hazelcast-Jet

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection.

9.1
2022-12-27 CVE-2018-25046 Cloudfoundry Path Traversal vulnerability in Cloudfoundry Archiver

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

9.1
2022-12-27 CVE-2020-36560 GO Unzip Project Path Traversal vulnerability in Go-Unzip Project Go-Unzip

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

9.1
2022-12-27 CVE-2020-36561 Unzip Project Path Traversal vulnerability in Unzip Project Unzip

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

9.1
2022-12-27 CVE-2020-36566 TAR Utils Project Path Traversal vulnerability in Tar-Utils Project Tar-Utils

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

9.1
2022-12-27 CVE-2020-36569 Digitalocean Improper Authentication vulnerability in Digitalocean Golang-Nanoauth

Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.

9.1
2022-12-27 CVE-2021-4238 Randomly-generated alphanumeric strings contain significantly less entropy than expected.
9.1
2022-12-26 CVE-2022-24118 Certain General Electric Renewable Energy products allow attackers to use a code to trigger a reboot into the factory default configuration.
9.1
2023-01-01 CVE-2022-34322 Sage Cross-site Scripting vulnerability in Sage Enterprise Intelligence 2021R1.1

Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers.

9.0
2022-12-31 CVE-2022-4865 Usememos Cross-site Scripting vulnerability in Usememos Memos

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

9.0
2022-12-31 CVE-2022-4866 Usememos Cross-site Scripting vulnerability in Usememos Memos

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

9.0

112 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-01-01 CVE-2022-34324 Sage SQL Injection vulnerability in Sage XRT Business Exchange 12.4.302

Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History.

8.8
2022-12-31 CVE-2014-125028 Valtech Cross-Site Request Forgery (CSRF) vulnerability in Valtech IDP Test Clients

A vulnerability was found in valtech IDP Test Client and classified as problematic.

8.8
2022-12-30 CVE-2022-34671 Nvidia Out-of-bounds Write vulnerability in Nvidia GPU Display Driver

NVIDIA GPU Display Driver for Windows contains a vulnerability in the user-mode layer, where an unprivileged user can cause an out-of-bounds write, which may lead to code execution, information disclosure, and denial of service.

8.8
2022-12-30 CVE-2022-43396 Apache Unspecified vulnerability in Apache Kylin

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands.

8.8
2022-12-30 CVE-2022-48194 TP Link Unrestricted Upload of File with Dangerous Type vulnerability in Tp-Link Tl-Wr902Ac Firmware

TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.

8.8
2022-12-29 CVE-2022-46178 MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing.
8.8
2022-12-29 CVE-2022-4844 Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
8.8
2022-12-28 CVE-2017-20150 Challenge Website Project SQL Injection vulnerability in Challenge Website Project Challenge Website

A vulnerability was found in challenge website.

8.8
2022-12-28 CVE-2022-4803 Usememos Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

8.8
2022-12-28 CVE-2022-4808 Usememos Unspecified vulnerability in Usememos Memos

Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.

8.8
2022-12-28 CVE-2022-4809 Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
8.8
2022-12-28 CVE-2022-23555 Goauthentik Improper Authentication vulnerability in Goauthentik Authentik

authentik is an open-source Identity Provider focused on flexibility and versatility.

8.8
2022-12-27 CVE-2016-15005 Golf Project Cross-Site Request Forgery (CSRF) vulnerability in Golf Project Golf 0.1.0/0.1.1/0.2.0

CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.

8.8
2022-12-27 CVE-2022-46763 Trueconf SQL Injection vulnerability in Trueconf Server

A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code.

8.8
2022-12-26 CVE-2020-28191 The console in Togglz before 2.9.4 allows CSRF.
8.8
2022-12-26 CVE-2019-25085 Gnome Use After Free vulnerability in Gnome Gvariant Database

A vulnerability was found in GNOME gvdb.

8.8
2023-01-01 CVE-2022-47634 Isode Unspecified vulnerability in Isode M-Link

M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867.

8.1
2022-12-28 CVE-2022-4796 Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1.
8.1
2022-12-26 CVE-2019-9579 Illumos, Oracle
An issue was discovered in Illumos in Nexenta NexentaStor 4.0.5 and 5.1.2, and other products.
8.1
2022-12-26 CVE-2020-10650 Fasterxml, Oracle Deserialization of Untrusted Data vulnerability in multiple products

A deserialization flaw was discovered in jackson-databind through 2.9.10.4.

8.1
2022-12-26 CVE-2021-35954 Fastrack Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89

fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows physically proximate attackers to dump the firmware, flash custom malicious firmware, and brick the device via the Serial Wire Debug (SWD) feature.

8.1
2022-12-30 CVE-2022-42269 Nvidia Improper Input Validation vulnerability in Nvidia Jetson Linux

NVIDIA Trusted OS contains a vulnerability in an SMC call handler, where failure to validate untrusted input may allow a highly privileged local attacker to cause information disclosure and compromise integrity.

7.9
2022-12-30 CVE-2022-34669 Nvidia Externally Controlled Reference to a Resource in Another Sphere vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can access or modify system files or other files that are critical to the application, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.8
2022-12-30 CVE-2022-34670 Nvidia, Debian Incorrect Conversion between Numeric Types vulnerability in multiple products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.

7.8
2022-12-30 CVE-2022-34672 Nvidia Unspecified vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA Control Panel for Windows contains a vulnerability where an unauthorized user or an unprivileged regular user can compromise the security of the software by gaining privileges, reading sensitive information, or executing commands.

7.8
2022-12-30 CVE-2022-34676 Nvidia Out-of-bounds Read vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering.

7.8
2022-12-30 CVE-2022-42254 Nvidia Improper Validation of Array Index vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure.

7.8
2022-12-30 CVE-2022-42255 Nvidia Improper Validation of Array Index vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.

7.8
2022-12-30 CVE-2022-42256 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering.

7.8
2022-12-30 CVE-2022-42260 Nvidia Unspecified vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU

NVIDIA vGPU Display Driver for Linux guest contains a vulnerability in a D-Bus configuration file, where an unauthorized user in the guest VM can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.8
2022-12-30 CVE-2022-42261 Nvidia Classic Buffer Overflow vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where an input index is not validated, which may lead to buffer overrun, which in turn may cause data tampering, information disclosure, or denial of service.

7.8
2022-12-30 CVE-2022-42262 Nvidia Classic Buffer Overflow vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where an input index is not validated, which may lead to buffer overrun, which in turn may cause data tampering, information disclosure, or denial of service.

7.8
2022-12-30 CVE-2022-42264 Nvidia Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service.

7.8
2022-12-30 CVE-2022-42267 Nvidia Out-of-bounds Read vulnerability in Nvidia Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability where a regular user can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.8
2022-12-30 CVE-2022-42270 Nvidia Out-of-bounds Write vulnerability in Nvidia Jetson Linux

NVIDIA distributions of Linux contain a vulnerability in nvdla_emu_task_submit, where unvalidated input may allow a local attacker to cause stack-based buffer overflow in kernel code, which may lead to escalation of privileges, compromised integrity and confidentiality, and denial of service.

7.8
2022-12-30 CVE-2022-4856 Modbustools Classic Buffer Overflow vulnerability in Modbustools Modbus Slave

A vulnerability has been found in Modbus Tools Modbus Slave up to 7.5.1 and classified as critical.

7.8
2022-12-30 CVE-2022-4857 Modbustools Classic Buffer Overflow vulnerability in Modbustools Modbus Poll

A vulnerability was found in Modbus Tools Modbus Poll up to 9.10.0 and classified as critical.

7.8
2022-12-29 CVE-2022-4780 Elvexys Use of Hard-coded Credentials vulnerability in Elvexys Isos Firmware

ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.

7.8
2022-12-28 CVE-2022-4817 Jgit Cookbook Project Exposure of Resource to Wrong Sphere vulnerability in Jgit-Cookbook Project Jgit-Cookbook

A vulnerability was found in centic9 jgit-cookbook.

7.8
2022-12-28 CVE-2022-44564 Huawei Aslan Children's Watch has a path traversal vulnerability.
7.8
2022-12-28 CVE-2022-46179 Liuos Project Authorization Bypass Through User-Controlled Key vulnerability in Liuos Project Liuos 0.1.0

LiuOS is a small Python project meant to imitate the functions of a regular operating system.

7.8
2022-12-27 CVE-2022-4772 Widoco Project Path Traversal vulnerability in Widoco Project Widoco

A vulnerability was found in Widoco and classified as critical.

7.8
2022-12-27 CVE-2022-3156 Rockwellautomation Improper Authentication vulnerability in Rockwellautomation Studio 5000 Logix Emulate 20.011/33.00

A remote code execution vulnerability exists in Rockwell Automation Studio 5000 Logix Emulate software. Users are granted elevated permissions on certain product services when the software is installed. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software.

7.8
2022-12-26 CVE-2019-19705 Lenovo Unquoted Search Path or Element vulnerability in Lenovo products

Realtek Audio Drivers for Windows, as used on the Lenovo ThinkPad X1 Carbon 20A7, 20A8, 20BS, and 20BT before 6.0.8882.1 and 20KH and 20KG before 6.0.8907.1 (and on many other Lenovo and non-Lenovo products), mishandles DLL preloading.

7.8
2022-12-26 CVE-2020-12069 Pilz, Codesys, Festo, Wago Use of Password Hash With Insufficient Computational Effort vulnerability in multiple products

In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm.

7.8
2022-12-26 CVE-2022-30260 Emerson Insufficient Verification of Data Authenticity vulnerability in Emerson products

Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature).

7.8
2023-01-01 CVE-2023-22551 FTP Project Unspecified vulnerability in FTP Project FTP

The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection.

7.5
2023-01-01 CVE-2013-10006 Ziftrshop Information Exposure Through Timing Discrepancy vulnerability in Ziftrshop Primecoin 0.8.4

A vulnerability classified as problematic was found in Ziftr primecoin up to 0.8.4rc1.

7.5
2023-01-01 CVE-2023-0029 Multilaserempresas Unspecified vulnerability in Multilaserempresas Re708 Firmware Re1200R4Gc2T2Rv3V3411Bmul029B

A vulnerability was found in Multilaser RE708 RE1200R4GC-2T2R-V3_v3411b_MUL029B.

7.5
2023-01-01 CVE-2018-25062 Elementalx Improper Resource Shutdown or Release vulnerability in Elementalx

A vulnerability classified as problematic has been found in flar2 ElementalX up to 6.x on Nexus 9.

7.5
2023-01-01 CVE-2022-37785 Wecube Platform Project Cleartext Storage of Sensitive Information vulnerability in Wecube-Platform Project Wecube-Platform 3.2.2

An issue was discovered in WeCube Platform 3.2.2.

7.5
2022-12-31 CVE-2018-25061 Rgb2Hex Project Unspecified vulnerability in Rgb2Hex Project Rgb2Hex

A vulnerability was found in rgb2hex up to 0.1.5.

7.5
2022-12-30 CVE-2017-20154 Phoenixcoin Project Improper Resource Shutdown or Release vulnerability in Phoenixcoin Project Phoenixcoin

A vulnerability was found in ghostlander Phoenixcoin.

7.5
2022-12-30 CVE-2022-47116 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via the SYSPS parameter at /goform/SysToolChangePwd.

7.5
2022-12-30 CVE-2017-20152 Imageserve Project Path Traversal vulnerability in Imageserve Project Imageserve

A vulnerability, which was classified as problematic, was found in aerouk imageserve.

7.5
2022-12-30 CVE-2018-25060 GO Macaron Missing Encryption of Sensitive Data vulnerability in Go-Macaron CSRF

A vulnerability was found in Macaron csrf and classified as problematic.

7.5
2022-12-30 CVE-2022-4858 M Files Information Exposure Through Log Files vulnerability in M-Files Server 22.2.11051.0/22.3.11237.3/22.6.11534.4

Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow sensitive tokens to be obtained from logs, if specific configurations were set.

7.5
2022-12-29 CVE-2022-38203 Esri Server-Side Request Forgery (SSRF) vulnerability in Esri Portal for Arcgis

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.

7.5
2022-12-29 CVE-2022-38205 In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).
7.5
2022-12-29 CVE-2022-38211 Esri Server-Side Request Forgery (SSRF) vulnerability in Esri Portal for Arcgis

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.

7.5
2022-12-29 CVE-2022-38212 Esri Server-Side Request Forgery (SSRF) vulnerability in Esri Portal for Arcgis

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.

7.5
2022-12-29 CVE-2022-4843 Radare NULL Pointer Dereference vulnerability in Radare Radare2

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.8.2.

7.5
2022-12-28 CVE-2022-23553 Alpine Project Unspecified vulnerability in Alpine Project Alpine

Alpine is a scaffolding library in Java.

7.5
2022-12-28 CVE-2022-39012 Huawei Aslan Children's Watch has an improper input validation vulnerability.
7.5
2022-12-28 CVE-2022-38202 Esri Path Traversal vulnerability in Esri Arcgis Server

There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below.

7.5
2022-12-28 CVE-2020-36562 DHT Project Reachable Assertion vulnerability in DHT Project DHT

Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector.

7.5
2022-12-28 CVE-2022-3347 GO Resolver Project Insufficient Verification of Data Authenticity vulnerability in Go-Resolver Project Go-Resolver

DNSSEC validation is not performed correctly.

7.5
2022-12-28 CVE-2022-41966 Xstream Project Uncontrolled Recursion vulnerability in Xstream Project Xstream

XStream serializes Java objects to XML and back again.

7.5
2022-12-28 CVE-2022-41967 Hypera XXE vulnerability in Hypera Dragonfly 0.3.0Snapshot

Dragonfly is a Java runtime dependency management library.

7.5
2022-12-27 CVE-2013-10005 Socks5 Project Infinite Loop vulnerability in Socks5 Project Socks5

The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow.

7.5
2022-12-27 CVE-2015-10004 Json WEB Token Project Exposure of Resource to Wrong Sphere vulnerability in Json web Token Project Json web Token

Token validation methods are susceptible to a timing side-channel during HMAC comparison.

7.5
2022-12-27 CVE-2019-25072 Tendermint Resource Exhaustion vulnerability in Tendermint

Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector.

7.5
2022-12-27 CVE-2019-25073 GOA Design Path Traversal vulnerability in Goa.Design GOA

Improper path sanitization in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allows remote attackers to read files outside of the intended directory.

7.5
2022-12-27 CVE-2020-36559 Aahframework Path Traversal vulnerability in Aahframework AAH

Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

7.5
2022-12-27 CVE-2020-36564 Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
7.5
2022-12-27 CVE-2020-36568 Revel Allocation of Resources Without Limits or Throttling vulnerability in Revel

Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation.

7.5
2022-12-27 CVE-2021-4239 Noiseprotocol Missing Encryption of Sensitive Data vulnerability in Noiseprotocol Noise

The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack.

7.5
2022-12-27 CVE-2022-2584 Protocol Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Protocol Go-Codec-Dagpb

The dag-pb codec can panic when decoding invalid blocks.

7.5
2022-12-27 CVE-2022-3064 Yaml Project Resource Exhaustion vulnerability in Yaml Project Yaml

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

7.5
2022-12-27 CVE-2020-36567 GIN Gonic Improper Encoding or Escaping of Output vulnerability in Gin-Gonic GIN

Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines.

7.5
2022-12-27 CVE-2022-45423 Dahuasecurity Missing Authentication for Critical Function vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials.

7.5
2022-12-27 CVE-2022-45425 Dahuasecurity Use of Hard-coded Credentials vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of use of a hard-coded cryptographic key.

7.5
2022-12-27 CVE-2022-45429 Dahuasecurity Server-Side Request Forgery (SSRF) vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of server-side request forgery (SSRF).

7.5
2022-12-27 CVE-2022-45431 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server.

7.5
2022-12-27 CVE-2022-4767 Denial of Service in GitHub repository usememos/memos prior to 0.9.1.
7.5
2022-12-27 CVE-2019-25089 Muon Project Use of Insufficiently Random Values vulnerability in Muon Project Muon 0.1.1

A vulnerability has been found in Morgawr Muon 0.1.1 and classified as problematic.

7.5
2022-12-27 CVE-2021-4286 Pysrp Project Information Exposure Through Discrepancy vulnerability in Pysrp Project Pysrp

A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16.

7.5
2022-12-27 CVE-2015-10005 Markdown IT Project Unspecified vulnerability in Markdown-It Project Markdown-It

A vulnerability was found in markdown-it up to 2.x.

7.5
2022-12-27 CVE-2018-25049 Email Existence Project Unspecified vulnerability in Email-Existence Project Email-Existence

A vulnerability was found in email-existence.

7.5
2022-12-27 CVE-2019-25087 Httpserver Project Path Traversal vulnerability in Httpserver Project Httpserver

A vulnerability was found in RamseyK httpserver.

7.5
2022-12-26 CVE-2020-12067 In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user's password may be changed by an attacker without knowledge of the current password.
7.5
2022-12-26 CVE-2022-4156 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php.

7.5
2022-12-26 CVE-2022-4158 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php.

7.5
2022-12-26 CVE-2021-35065 Gulpjs Unspecified vulnerability in Gulpjs Glob-Parent 6.0.0

The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

7.5
2022-12-26 CVE-2021-35951 Fastrack Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89

fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows an Unauthenticated Remote attacker to send a malicious firmware update via BLE and brick the device.

7.5
2022-12-26 CVE-2021-35953 Fastrack Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89

fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a Remote attacker to cause a Denial of Service (device outage) via crafted choices of the last three bytes of a characteristic value.

7.5
2022-12-26 CVE-2021-38561 golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing.
7.5
2022-12-26 CVE-2022-26964 Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack.
7.5
2022-12-26 CVE-2021-44758 Heimdal Project NULL Pointer Dereference vulnerability in Heimdal Project Heimdal

Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.

7.5
2022-12-30 CVE-2022-34673 Nvidia Out-of-bounds Read vulnerability in Nvidia GPU Display Driver 515

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.

7.3
2022-12-30 CVE-2022-42257 Nvidia, Debian Integer Overflow or Wraparound vulnerability in multiple products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.

7.3
2022-12-30 CVE-2022-42258 Nvidia, Debian Integer Overflow or Wraparound vulnerability in multiple products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.

7.3
2022-12-30 CVE-2022-44137 Sanitization Management System Project SQL Injection vulnerability in Sanitization Management System Project Sanitization Management System 1.0

SourceCodester Sanitization Management System 1.0 is vulnerable to SQL Injection.

7.2
2022-12-27 CVE-2022-45427 Dahuasecurity Unrestricted Upload of File with Dangerous Type vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unrestricted upload of file.

7.2
2022-12-27 CVE-2022-4722 Ikus Soft Improper Authentication vulnerability in Ikus-Soft Rdiffweb

Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5.

7.2
2022-12-27 CVE-2022-4732 Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
7.2
2022-12-26 CVE-2021-24942 Menu Item Visibility Control Project Unspecified vulnerability in Menu Item Visibility Control Project Menu Item Visibility Control 0.5

The Menu Item Visibility Control WordPress plugin through 0.5 doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment.

7.2
2022-12-26 CVE-2022-4268 Plugin Logic Project Unspecified vulnerability in Plugin Logic Project Plugin Logic 1.0.7

The Plugin Logic WordPress plugin before 1.0.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

7.2
2022-12-30 CVE-2022-34677 Nvidia, Debian Incorrect Conversion between Numeric Types vulnerability in multiple products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.

7.1
2022-12-30 CVE-2022-34684 Nvidia Off-by-one Error vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure.

7.1
2022-12-30 CVE-2022-42263 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia Cloud Gaming, GPU Display Driver and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer overflow may lead to denial of service or information disclosure.

7.1
2022-12-30 CVE-2022-42265 Nvidia Integer Overflow or Wraparound vulnerability in Nvidia GPU Display Driver 515

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering.

7.1

190 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-30 CVE-2022-4863 Usememos Improper Handling of Insufficient Permissions or Privileges vulnerability in Usememos Memos

Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1.

6.5
2022-12-29 CVE-2022-4846 Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
6.5
2022-12-29 CVE-2022-4847 Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
6.5
2022-12-29 CVE-2022-4849 Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
6.5
2022-12-29 CVE-2022-4850 Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
6.5
2022-12-29 CVE-2022-4778 Elvexys Path Traversal vulnerability in Elvexys Streamx 6.02.01/6.04.34

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a path traversal vulnerability that allows authenticated users to get unauthorized access to files on the server's filesystem. StreamX applications using StreamView HTML component with the public web server feature activated are affected.

6.5
2022-12-28 CVE-2022-41579 Huawei Improper Authentication vulnerability in Huawei Hota-Fara-B19 Firmware 11.1.2.40

There is an insufficient authentication vulnerability in some Huawei band products.

6.5
2022-12-28 CVE-2022-46740 Huawei Unspecified vulnerability in Huawei Ws7100-20 Firmware 10.0.5.33

There is a denial of service vulnerability in the Wi-Fi module of the HUAWEI WS7100-20 Smart WiFi Router. Successful exploit could cause a denial of service (DoS) condition.

6.5
2022-12-28 CVE-2022-4799 Usememos Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

6.5
2022-12-28 CVE-2022-4800 Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
6.5
2022-12-28 CVE-2022-4812 Usememos Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

6.5
2022-12-28 CVE-2022-46173 Elrond Incorrect Resource Transfer Between Spheres vulnerability in Elrond GO

Elrond-GO is a go implementation for the Elrond Network protocol.

6.5
2022-12-28 CVE-2022-3346 GO Resolver Project Insufficient Verification of Data Authenticity vulnerability in Go-Resolver Project Go-Resolver

DNSSEC validation is not performed correctly.

6.5
2022-12-27 CVE-2022-45426 Dahuasecurity Files or Directories Accessible to External Parties vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unrestricted download of file.

6.5
2022-12-27 CVE-2022-4723 Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5.
6.5
2022-12-27 CVE-2020-36633 Moodle Block Sitenews Project Cross-Site Request Forgery (CSRF) vulnerability in Moodle-Block Sitenews Project Moodle-Block Sitenews 1.0

A vulnerability was found in moodle-block_sitenews 1.0.

6.5
2022-12-27 CVE-2022-4766 Dolibarr Project Timesheet Project Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr Project Timesheet Project Dolibarr Project Timesheet

A vulnerability was found in dolibarr_project_timesheet up to 4.5.5.

6.5
2022-12-27 CVE-2021-4287 Microsoft Link Following vulnerability in Microsoft Binwalk

A vulnerability, which was classified as problematic, was found in ReFirm Labs binwalk up to 2.3.2.

6.5
2022-12-26 CVE-2018-16135 Opera Unspecified vulnerability in Opera Mini 47.1.2249.129326

The Opera Mini application 47.1.2249.129326 for Android allows remote attackers to spoof the Location Permission dialog via a crafted web site.

6.5
2022-12-26 CVE-2019-13988 Sierra Wireless MGOS before 3.15.2 and 4.x before 4.3 allows attackers to read log files via a Direct Request (aka Forced Browsing).
6.5
2022-12-26 CVE-2019-18177 In certain Citrix products, information disclosure can be achieved by an authenticated VPN user when there is a configured SSL VPN endpoint.
6.5
2022-12-26 CVE-2022-4150 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php.

6.5
2022-12-26 CVE-2022-4151 Contest Gallery SQL Injection vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php.

6.5
2022-12-26 CVE-2022-4152 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php.

6.5
2022-12-26 CVE-2022-4153 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php.

6.5
2022-12-26 CVE-2022-4159 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in 0_change-gallery.php.

6.5
2022-12-26 CVE-2022-4160 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php.

6.5
2022-12-26 CVE-2022-4161 Contest Gallery SQL Injection vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in copy-gallery-images.php.

6.5
2022-12-26 CVE-2022-4162 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in 3_row-order.php.

6.5
2022-12-26 CVE-2022-4163 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating them to an SQL query in 2_deactivate.php and 4_activate.php, respectively.

6.5
2022-12-26 CVE-2022-4164 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an SQL query in 0_change-gallery.php.

6.5
2022-12-26 CVE-2022-4165 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php.

6.5
2022-12-26 CVE-2022-4166 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php.

6.5
2022-12-26 CVE-2022-4239 Amentotech Unspecified vulnerability in Amentotech Workreap

The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.

6.5
2022-12-26 CVE-2022-4266 Speakdigital Unspecified vulnerability in Speakdigital Bulk Delete Users BY Email 1.2

The Bulk Delete Users by Email WordPress plugin through 1.2 does not have a CSRF check when deleting users, which could allow attackers to make a logged-in admin delete non-admin users by knowing their email via a CSRF attack.

6.5
2022-12-26 CVE-2021-39369 Philips Path Traversal vulnerability in Philips Myvue, Speech and VUE Pacs

In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root.

6.5
2022-12-28 CVE-2022-46172 Goauthentik Improper Privilege Management vulnerability in Goauthentik Authentik

authentik is an open-source Identity provider focused on flexibility and versatility.

6.4
2023-01-01 CVE-2022-37786 Wecube Platform Project Improper Neutralization of Formula Elements in a CSV File vulnerability in Wecube-Platform Project Wecube-Platform 3.2.2

An issue was discovered in WeCube Platform 3.2.2.

6.3
2023-01-01 CVE-2010-10002 Simplesamlphp Cross-site Scripting vulnerability in Simplesamlphp Simplesamlphp-Module-Openid

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in SimpleSAMLphp simplesamlphp-module-openid.

6.1
2023-01-01 CVE-2015-10006 Ingnovarq Project Cross-site Scripting vulnerability in Ingnovarq Project Ingnovarq

A vulnerability, which was classified as problematic, has been found in admont28 Ingnovarq.

6.1
2023-01-01 CVE-2018-25063 Zenoss Cross-site Scripting vulnerability in Zenoss Dashboard

A vulnerability classified as problematic was found in Zenoss Dashboard up to 1.3.4.

6.1
2023-01-01 CVE-2022-37787 Wecube Platform Project Cross-site Scripting vulnerability in Wecube-Platform Project Wecube-Platform 3.2.2

An issue was discovered in WeCube platform 3.2.2.

6.1
2023-01-01 CVE-2021-41823 Kemptechnologies Cross-site Scripting vulnerability in Kemptechnologies web Application Firewall 7.2.54.1

The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism.

6.1
2022-12-31 CVE-2014-125027 Tbdev Project Cross-site Scripting vulnerability in Tbdev Project Tbdev

A vulnerability has been found in Yuna Scatari TBDev up to 2.1.17 and classified as problematic.

6.1
2022-12-31 CVE-2017-20158 Yii2 Fileapi Widget Project Cross-site Scripting vulnerability in Yii2 Fileapi Widget Project Yii2 Fileapi Widget

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8.

6.1
2022-12-31 CVE-2017-20159 Keynote Project Cross-site Scripting vulnerability in Keynote Project Keynote

A vulnerability was found in rf Keynote up to 0.x on Rails.

6.1
2022-12-30 CVE-2017-20155 Sterc Cross-site Scripting vulnerability in Sterc Google Analytics Dashboard for Modx

A vulnerability was found in Sterc Google Analytics Dashboard for MODX up to 1.0.5.

6.1
2022-12-30 CVE-2022-34674 Nvidia, Debian
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak.
6.1
2022-12-30 CVE-2017-20153 Imageserve Project Cross-site Scripting vulnerability in Imageserve Project Imageserve

A vulnerability has been found in aerouk imageserve and classified as problematic.

6.1
2022-12-30 CVE-2020-36637 Adminserv Project Cross-site Scripting vulnerability in Adminserv Project Adminserv

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ.

6.1
2022-12-30 CVE-2020-36638 Adminserv Project Cross-site Scripting vulnerability in Adminserv Project Adminserv

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ.

6.1
2022-12-30 CVE-2022-4859 Joget Cross-site Scripting vulnerability in Joget DX

A vulnerability, which was classified as problematic, has been found in Joget up to 7.0.33.

6.1
2022-12-29 CVE-2022-30519 Reprisesoftware Cross-site Scripting vulnerability in Reprisesoftware Reprise License Manager 14.2Bl4

XSS in signing form in Reprise Software RLM License Administration v14.2BL4 allows a remote attacker to inject arbitrary code via the password field.

6.1
2022-12-29 CVE-2022-38204 Esri Cross-site Scripting vulnerability in Esri Portal for Arcgis 10.7.1/10.8.1

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

6.1
2022-12-29 CVE-2022-38206 There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.
6.1
2022-12-29 CVE-2022-38207 Esri Cross-site Scripting vulnerability in Esri Portal for Arcgis 10.7.1/10.8.1

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.

6.1
2022-12-29 CVE-2022-38208 There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
6.1
2022-12-29 CVE-2022-38209 There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could execute arbitrary JavaScript code in the victim’s browser.
6.1
2022-12-29 CVE-2022-38210 Esri Cross-site Scripting vulnerability in Esri Portal for Arcgis

There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.

6.1
2022-12-29 CVE-2021-4296 W3 Cross-site Scripting vulnerability in W3 Unicorn

A vulnerability, which was classified as problematic, has been found in w3c Unicorn.

6.1
2022-12-29 CVE-2018-25058 Twitter Post Fetcher Project Unspecified vulnerability in Twitter-Post-Fetcher Project Twitter-Post-Fetcher

A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x.

6.1
2022-12-28 CVE-2022-4819 Hotcrp Cross-site Scripting vulnerability in Hotcrp

A vulnerability was found in HotCRP.

6.1
2022-12-28 CVE-2022-4820 Flatpress Cross-site Scripting vulnerability in Flatpress

A vulnerability classified as problematic has been found in FlatPress.

6.1
2022-12-28 CVE-2022-4821 Flatpress Cross-site Scripting vulnerability in Flatpress

A vulnerability classified as problematic was found in FlatPress.

6.1
2022-12-28 CVE-2022-4822 Flatpress Cross-site Scripting vulnerability in Flatpress

A vulnerability, which was classified as problematic, has been found in FlatPress.

6.1
2022-12-28 CVE-2018-25051 Pomash Project Cross-site Scripting vulnerability in Pomash Project Pomash

A vulnerability, which was classified as problematic, was found in JmPotato Pomash.

6.1
2022-12-28 CVE-2018-25052 Catalyst Plugin Session Project Cross-site Scripting vulnerability in Catalyst-Plugin-Session Project Catalyst-Plugin-Session

A vulnerability has been found in Catalyst-Plugin-Session up to 0.40 and classified as problematic.

6.1
2022-12-28 CVE-2018-25053 Json2Html Cross-site Scripting vulnerability in Json2Html

A vulnerability was found in moappi Json2html up to 1.1.x and classified as problematic.

6.1
2022-12-28 CVE-2018-25055 Farcry Solr PRO Project Cross-site Scripting vulnerability in Farcry Solr PRO Project Farcry Solr PRO

A vulnerability was found in FarCry Solr Pro Plugin up to 1.5.x.

6.1
2022-12-28 CVE-2018-25056 Yola Cross-site Scripting vulnerability in Yola Yolapi

A vulnerability, which was classified as problematic, was found in yolapi.

6.1
2022-12-28 CVE-2018-25050 Getharvest Cross-site Scripting vulnerability in Getharvest Chosen

A vulnerability, which was classified as problematic, has been found in Harvest Chosen up to 1.8.6.

6.1
2022-12-28 CVE-2021-4293 SIR Cross-site Scripting vulnerability in SIR Youngcart5

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic has been found in gnuboard youngcart5 up to 5.4.5.1.

6.1
2022-12-28 CVE-2022-23544 MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing.
6.1
2022-12-27 CVE-2020-36636 Openmrs Cross-site Scripting vulnerability in Openmrs Admin UI Module

A vulnerability classified as problematic has been found in OpenMRS Admin UI Module up to 1.4.x.

6.1
2022-12-27 CVE-2021-4291 Openmrs Cross-site Scripting vulnerability in Openmrs Admin UI Module 1.5.0

A vulnerability was found in OpenMRS Admin UI Module up to 1.5.x.

6.1
2022-12-27 CVE-2021-4292 Openmrs Cross-site Scripting vulnerability in Openmrs Admin UI Module

A vulnerability was found in OpenMRS Admin UI Module up to 1.4.x.

6.1
2022-12-27 CVE-2020-36626 TRI Cross-site Scripting vulnerability in TRI Panel Builder

A vulnerability classified as critical has been found in Modern Tribe Panel Builder Plugin.

6.1
2022-12-27 CVE-2022-4720 Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5.
6.1
2022-12-27 CVE-2022-4727 Openmrs Cross-site Scripting vulnerability in Openmrs Appointment Scheduling Module

A vulnerability, which was classified as problematic, was found in OpenMRS Appointment Scheduling Module up to 1.16.x.

6.1
2022-12-27 CVE-2019-25090 Sangoma Cross-site Scripting vulnerability in Sangoma Freepbx

A vulnerability was found in FreePBX arimanager up to 13.0.5.3 and classified as problematic.

6.1
2022-12-27 CVE-2021-4288 Openmrs Cross-site Scripting vulnerability in Openmrs Reference Application

A vulnerability was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x.

6.1
2022-12-27 CVE-2021-4289 Openmrs Cross-site Scripting vulnerability in Openmrs Reference Application

A vulnerability classified as problematic was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x.

6.1
2022-12-27 CVE-2021-4285 Nagios Cross-site Scripting vulnerability in Nagios Cross Platform Agent

A vulnerability classified as problematic was found in Nagios NCPA.

6.1
2022-12-27 CVE-2021-4282 Sangoma Cross-site Scripting vulnerability in Sangoma Voicemail

A vulnerability was found in FreePBX voicemail.

6.1
2022-12-27 CVE-2021-4284 Openmrs Cross-site Scripting vulnerability in Openmrs Htmlformentryui

A vulnerability classified as problematic has been found in OpenMRS HTML Form Entry UI Framework Integration Module up to 1.x.

6.1
2022-12-27 CVE-2022-4755 Flatpress Cross-site Scripting vulnerability in Flatpress

A vulnerability was found in FlatPress and classified as problematic.

6.1
2022-12-26 CVE-2022-36664 Adiscon Cross-site Scripting vulnerability in Adiscon Password Manager for IIS 2.0

Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter.

6.1
2022-12-26 CVE-2022-4227 Booster Unspecified vulnerability in Booster for Woocommerce

The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting.

6.1
2022-12-26 CVE-2022-4267 Speakdigital Unspecified vulnerability in Speakdigital Bulk Delete Users BY Email 1.2

The Bulk Delete Users by Email WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting.

6.1
2022-12-26 CVE-2021-30134 php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php.
6.1
2022-12-26 CVE-2022-37309 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6

OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.

6.1
2022-12-26 CVE-2022-37310 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6

OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.

6.1
2022-12-26 CVE-2022-37308 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6

OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.

6.1
2022-12-26 CVE-2022-31469 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6

OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.

6.1
2022-12-26 CVE-2022-37307 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6

OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.

6.1
2022-12-28 CVE-2022-4823 Instedd Information Exposure Through Discrepancy vulnerability in Instedd Nuntium

A vulnerability, which was classified as problematic, was found in InSTEDD Nuntium.

5.9
2022-12-28 CVE-2021-4294 Redhat Information Exposure Through Discrepancy vulnerability in Redhat Openshift Container Platform and Openshift Osin

A vulnerability was found in OpenShift OSIN.

5.9
2022-12-27 CVE-2022-45434 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server.

5.9
2022-12-29 CVE-2022-4848 Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.
5.7
2022-12-30 CVE-2022-34675 Nvidia NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and GPU Display Driver

NVIDIA Display Driver for Linux contains a vulnerability in the Virtual GPU Manager, where it does not check the return value from a null-pointer dereference, which may lead to denial of service.

5.5
2022-12-30 CVE-2022-34678 Nvidia NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service.

5.5
2022-12-30 CVE-2022-34679 Nvidia NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service.

5.5
2022-12-30 CVE-2022-34680 Nvidia, Debian Incorrect Conversion between Numeric Types vulnerability in multiple products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.

5.5
2022-12-30 CVE-2022-34681 Nvidia Improper Input Validation vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler, where improper input validation of a display-related data structure may lead to denial of service.

5.5
2022-12-30 CVE-2022-34682 Nvidia NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service.

5.5
2022-12-30 CVE-2022-34683 Nvidia NULL Pointer Dereference vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a null-pointer dereference occurs, which may lead to denial of service.

5.5
2022-12-30 CVE-2022-42259 Nvidia, Debian Integer Overflow or Wraparound vulnerability in multiple products

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.

5.5
2022-12-28 CVE-2022-45874 Huawei Unspecified vulnerability in Huawei Aslan-Al10 Firmware

Huawei Aslan Children's Watch has an improper authorization vulnerability.

5.5
2022-12-27 CVE-2021-4235 Yaml Project Unspecified vulnerability in Yaml Project Yaml

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources.

5.5
2022-12-26 CVE-2021-43395 Illumos, Omniosce, Openindiana, Joyent, Oracle Improper Locking vulnerability in multiple products

An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923.

5.5
2023-01-01 CVE-2022-34323 Sage Cross-site Scripting vulnerability in Sage XRT Business Exchange 12.4.302

Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users' browsers.

5.4
2023-01-01 CVE-2023-0028 Linagora Cross-site Scripting vulnerability in Linagora Twake

Cross-site Scripting (XSS) - Stored in GitHub repository linagora/twake prior to 2023.Q1.1200+.

5.4
2022-12-30 CVE-2022-4864 Froxlor Injection vulnerability in Froxlor

Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

5.4
2022-12-29 CVE-2022-46181 Gotify Cross-site Scripting vulnerability in Gotify Server

Gotify server is a simple server for sending and receiving messages in real-time per WebSocket.

5.4
2022-12-29 CVE-2022-4839 Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.
5.4
2022-12-29 CVE-2022-4840 Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.
5.4
2022-12-29 CVE-2022-4841 Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.
5.4
2022-12-28 CVE-2022-23554 Alpine Project Incorrect Comparison vulnerability in Alpine Project Alpine

Alpine is a scaffolding library in Java.

5.4
2022-12-28 CVE-2022-4802 Usememos Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

5.4
2022-12-28 CVE-2022-4811 Usememos Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos

Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos. This issue affects usememos/memos before 0.9.1.

5.4
2022-12-28 CVE-2018-25054 Shredzone Cross-site Scripting vulnerability in Shredzone Cilla

A vulnerability was found in shred cilla.

5.4
2022-12-27 CVE-2020-36635 Openmrs Cross-site Scripting vulnerability in Openmrs Appointment Scheduling Module

A vulnerability was found in OpenMRS Appointment Scheduling Module up to 1.12.x.

5.4
2022-12-27 CVE-2022-47968 Heimdall Application Dashboard through 2.5.4 allows reflected and stored XSS via "Application name" to the "Add application" page.
5.4
2022-12-27 CVE-2022-4691 Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.
5.4
2022-12-27 CVE-2022-4694 Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.
5.4
2022-12-27 CVE-2022-4695 Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.
5.4
2022-12-27 CVE-2022-4721 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository ikus060/rdiffweb prior to 2.5.5.
5.4
2022-12-27 CVE-2022-4728 Graphite Project Cross-site Scripting vulnerability in Graphite Project Graphite

A vulnerability has been found in Graphite Web and classified as problematic.

5.4
2022-12-27 CVE-2022-4729 Graphite Project Cross-site Scripting vulnerability in Graphite Project Graphite

A vulnerability was found in Graphite Web and classified as problematic.

5.4
2022-12-27 CVE-2022-4730 Graphite Project Cross-site Scripting vulnerability in Graphite Project Graphite

A vulnerability was found in Graphite Web.

5.4
2022-12-27 CVE-2020-36634 Indeed Cross-site Scripting vulnerability in Indeed Util

A vulnerability classified as problematic has been found in Indeed Engineering util up to 1.0.33.

5.4
2022-12-27 CVE-2019-25088 Oxidized WEB Project Cross-site Scripting vulnerability in Oxidized web Project Oxidized web

A vulnerability was found in ytti Oxidized Web.

5.4
2022-12-27 CVE-2021-4283 Sangoma Cross-site Scripting vulnerability in Sangoma Voicemail

A vulnerability was found in FreePBX voicemail.

5.4
2022-12-27 CVE-2019-25086 Open Cross-site Scripting vulnerability in Open Media Player

A vulnerability was found in IET-OU Open Media Player up to 1.5.0.

5.4
2022-12-26 CVE-2021-44855 Mediawiki Cross-site Scripting vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

5.4
2022-12-26 CVE-2022-29852 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6

OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked.

5.4
2022-12-26 CVE-2022-29853 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6/8.2

OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.

5.4
2023-01-01 CVE-2022-45027 Perfsonar Server-Side Request Forgery (SSRF) vulnerability in Perfsonar

perfSONAR before 4.4.6, when performing participant discovery, incorrectly uses an HTTP request header value to determine a local address.

5.3
2023-01-01 CVE-2022-45213 Perfsonar Unspecified vulnerability in Perfsonar

perfSONAR before 4.4.6 inadvertently supports the parse option for a file:// URL.

5.3
2022-12-30 CVE-2018-25059 Pastebinit Project Path Traversal vulnerability in Pastebinit Project Pastebinit 0.2.2

A vulnerability was found in pastebinit up to 0.2.2 and classified as problematic.

5.3
2022-12-29 CVE-2022-4851 Improper Handling of Values in GitHub repository usememos/memos prior to 0.9.1.
5.3
2022-12-28 CVE-2022-4798 Usememos Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

5.3
2022-12-28 CVE-2022-4801 Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.
5.3
2022-12-28 CVE-2022-4804 Improper Authorization in GitHub repository usememos/memos prior to 0.9.1.
5.3
2022-12-28 CVE-2022-4806 Usememos Authorization Bypass Through User-Controlled Key vulnerability in Usememos Memos

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

5.3
2022-12-28 CVE-2020-36563 Robotsandpencils Improper Verification of Cryptographic Signature vulnerability in Robotsandpencils Go-Saml

XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.

5.3
2022-12-27 CVE-2019-25091 Nsupdate Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Nsupdate Nsupdate.Info

A vulnerability classified as problematic has been found in nsupdate.info.

5.3
2022-12-27 CVE-2022-45424 Dahuasecurity Missing Authentication for Critical Function vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key.

5.3
2022-12-27 CVE-2022-45432 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unauthenticated search for devices.

5.3
2022-12-26 CVE-2019-19030 Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.
5.3
2022-12-26 CVE-2019-14802 HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8.
5.3
2022-12-26 CVE-2019-9011 In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames.
5.3
2022-12-26 CVE-2021-35952 Fastrack Unspecified vulnerability in Fastrack Reflex 2.0 Firmware 90.89

Fastrack Reflex 2.0 W307S_REFLEX_v90.89 Activity Tracker allows a remote attacker to change the time, date, and month via Bluetooth LE Characteristics on handle 0x0017.

5.3
2022-12-26 CVE-2021-44856 Mediawiki Improper Check for Unusual or Exceptional Conditions vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

5.3
2022-12-26 CVE-2022-41765 Mediawiki Information Exposure Through Discrepancy vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3.

5.3
2022-12-26 CVE-2022-41767 Mediawiki Unspecified vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3.

5.3
2022-12-26 CVE-2021-44854 Mediawiki Unspecified vulnerability in Mediawiki

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1.

5.3
2022-12-26 CVE-2022-37311 Open Xchange Improper Validation of Specified Quantity in Input vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet.

5.3
2022-12-26 CVE-2022-37312 Open Xchange Improper Validation of Specified Quantity in Input vulnerability in Open-Xchange Appsuite

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.

5.3
2022-12-26 CVE-2022-37313 Open Xchange Server-Side Request Forgery (SSRF) vulnerability in Open-Xchange Appsuite 7.10.5/7.10.6

OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS A or AAAA record.

5.3
2022-12-30 CVE-2022-4861 M Files Improper Authentication vulnerability in M-Files Client

An incorrect implementation of the authentication protocol in M-Files Client before 22.5.11356.0 allows a high-privileged user to get other users' tokens to another resource.

4.9
2022-12-26 CVE-2022-4154 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php.

4.9
2022-12-26 CVE-2022-4155 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php.

4.9
2022-12-26 CVE-2022-4157 Contest Gallery Unspecified vulnerability in Contest-Gallery Contest Gallery

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php.

4.9
2023-01-01 CVE-2022-40711 Primekey Cross-site Scripting vulnerability in Primekey Ejbca 7.9.0.2

PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section.

4.8
2022-12-28 CVE-2022-3922 Managewp Cross-site Scripting vulnerability in Managewp Broken Link Checker

The Broken Link Checker WordPress plugin before 1.11.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-28 CVE-2019-25092 Mellivora Project Cross-site Scripting vulnerability in Mellivora Project Mellivora 1.0/2.0/2.1

A vulnerability classified as problematic was found in Nakiami Mellivora up to 2.1.x.

4.8
2022-12-27 CVE-2022-4733 Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.2.
4.8
2022-12-26 CVE-2022-3835 Kwayyinfotech Unspecified vulnerability in Kwayyinfotech Kwayy Html Sitemap

The Kwayy HTML Sitemap WordPress plugin before 4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-3840 WP Glogin Unspecified vulnerability in Wp-Glogin Login for Google Apps

The Login for Google Apps WordPress plugin before 3.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-4042 Paytium Unspecified vulnerability in Paytium 4.3.6

The Paytium: Mollie payment forms & donations WordPress plugin before 4.3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-4110 Eventify Project Unspecified vulnerability in Eventify Project Eventify 2.1

The Eventify™ WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-4197 10Web Unspecified vulnerability in 10Web Slider

The Sliderby10Web WordPress plugin before 1.2.53 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-4226 Wpkube Unspecified vulnerability in Wpkube Simple Basic Contact Form

The Simple Basic Contact Form WordPress plugin before 20221201 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-4242 Ljapps Cross-site Scripting vulnerability in Ljapps WP Google Review Slider

The WP Google Review Slider WordPress plugin before 11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-4243 Wpscoop Unspecified vulnerability in Wpscoop Imageinject

The ImageInject WordPress plugin through 1.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2022-12-26 CVE-2022-24120 Certain General Electric Renewable Energy products store cleartext credentials in flash memory.
4.6
2022-12-31 CVE-2022-4868 Froxlor Improper Authorization vulnerability in Froxlor

Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

4.3
2022-12-31 CVE-2022-4867 Froxlor Cross-Site Request Forgery (CSRF) vulnerability in Froxlor

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

4.3
2022-12-29 CVE-2022-4845 Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
4.3
2022-12-28 CVE-2022-4818 Talend XXE vulnerability in Talend Open Studio for MDM

A vulnerability was found in Talend Open Studio for MDM.

4.3
2022-12-28 CVE-2022-4797 Improper Restriction of Excessive Authentication Attempts in GitHub repository usememos/memos prior to 0.9.1.
4.3
2022-12-28 CVE-2022-4805 Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1.
4.3
2022-12-28 CVE-2022-4807 Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
4.3
2022-12-28 CVE-2022-4810 Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
4.3
2022-12-28 CVE-2022-4813 Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.
4.3
2022-12-28 CVE-2022-4814 Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.
4.3
2022-12-27 CVE-2022-2582 The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field.
4.3
2022-12-27 CVE-2022-4734 Usememos Improper Cross-boundary Removal of Sensitive Data vulnerability in Usememos Memos

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository usememos/memos prior to 0.9.1.

4.3
2022-12-28 CVE-2022-46174 Amazon Race Condition vulnerability in Amazon products

efs-utils is a set of Utilities for Amazon Elastic File System (EFS).

4.2

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2022-12-27 CVE-2022-2583 Gobase Project Race Condition vulnerability in Gobase Project Gobase

A race condition can cause incorrect HTTP request routing.

3.7
2022-12-27 CVE-2022-45430 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service.

3.7
2022-12-27 CVE-2022-45433 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server.

3.7
2023-01-01 CVE-2022-47952 Linuxcontainers Information Exposure Through Discrepancy vulnerability in Linuxcontainers LXC

lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists.

3.3
2022-12-30 CVE-2022-42266 Nvidia Information Exposure vulnerability in Nvidia Cloud Gaming and Virtual GPU

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can cause exposure of sensitive information to an actor that is not explicitly authorized to have access to that information, which may lead to limited information disclosure.

3.3
2022-12-28 CVE-2022-4773 Cloudsync Project Path Traversal vulnerability in Cloudsync Project Cloudsync

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic was found in cloudsync.

3.3
2022-12-27 CVE-2022-45428 Dahuasecurity Unspecified vulnerability in Dahuasecurity products

Some Dahua software products have a vulnerability of sensitive information leakage.

2.7