Search
Total
6686 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-2964 | 2 Netapp, Oracle | 15 Active Iq Unified Manager, Cloud Backup, E-series Santricity Os Controller and 12 more | 2022-06-27 | 5.1 MEDIUM | 8.3 HIGH |
| Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u172 and 10.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | |||||
| CVE-2018-3169 | 5 Canonical, Debian, Hp and 2 more | 13 Ubuntu Linux, Debian Linux, Xp7 Command View and 10 more | 2022-06-27 | 5.1 MEDIUM | 8.3 HIGH |
| Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | |||||
| CVE-2018-3149 | 5 Canonical, Debian, Hp and 2 more | 14 Ubuntu Linux, Debian Linux, Xp7 Command View and 11 more | 2022-06-27 | 5.1 MEDIUM | 8.3 HIGH |
| Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | |||||
| CVE-2018-3209 | 1 Oracle | 2 Jdk, Jre | 2022-06-27 | 5.1 MEDIUM | 8.3 HIGH |
| Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). The supported version that is affected is Java SE: 8u182. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | |||||
| CVE-2022-29257 | 1 Electronjs | 1 Electron | 2022-06-27 | 6.5 MEDIUM | 7.2 HIGH |
| Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. This kind of attack would require significant privileges in a potential victim's own auto updating infrastructure and the ease of that attack entirely depends on the potential victim's infrastructure security. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. There are no known workarounds. | |||||
| CVE-2022-31757 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2022-06-27 | 5.0 MEDIUM | 7.5 HIGH |
| The setting module has a vulnerability of improper use of APIs. Successful exploitation of this vulnerability may affect data confidentiality. | |||||
| CVE-2021-30281 | 1 Qualcomm | 294 Aqt1000, Aqt1000 Firmware, Ar8031 and 291 more | 2022-06-27 | 7.2 HIGH | 7.8 HIGH |
| Possible unauthorized access to secure space due to improper check of data allowed while flashing the no access control device configuration in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking | |||||
| CVE-2022-29241 | 1 Jupyter | 1 Jupyter Server | 2022-06-24 | 9.0 HIGH | 8.8 HIGH |
| Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute forcing the PID of the jupyter server. While this requires an authenticated user session, this URL can be used from a cross-site scripting payload or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system. This issue is patched in version 1.17.1. | |||||
| CVE-2022-31590 | 1 Sap | 1 Powerdesigner Proxy | 2022-06-24 | 7.2 HIGH | 7.8 HIGH |
| SAP PowerDesigner Proxy - version 16.7, allows an attacker with low privileges and has local access, with the ability to work around system’s root disk access restrictions to Write/Create a program file on system disk root path, which could then be executed with elevated privileges of the application during application start up or reboot, potentially compromising Confidentiality, Integrity and Availability of the system. | |||||
| CVE-2022-20207 | 1 Google | 1 Android | 2022-06-24 | 4.6 MEDIUM | 7.8 HIGH |
| In static definitions of GattServiceConfig.java, there is a possible permission bypass due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-185513714 | |||||
| CVE-2022-20197 | 1 Google | 1 Android | 2022-06-24 | 4.6 MEDIUM | 7.8 HIGH |
| In recycle of Parcel.java, there is a possible way to start foreground activity from background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-208279300 | |||||
| CVE-2022-20194 | 1 Google | 1 Android | 2022-06-24 | 4.6 MEDIUM | 7.8 HIGH |
| In onCreate of ChooseLockGeneric.java, there is a possible permission bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-222684510 | |||||
| CVE-2022-20193 | 1 Google | 1 Android | 2022-06-24 | 4.4 MEDIUM | 7.3 HIGH |
| In getUniqueUsagesWithLabels of PermissionUsageHelper.java, there is a possible incorrect permission attribution due to a logic error in the code. This could lead to local escalation of privilege by conflating apps with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-212434116 | |||||
| CVE-2022-20192 | 1 Google | 1 Android | 2022-06-24 | 4.6 MEDIUM | 7.8 HIGH |
| In grantEmbeddedWindowFocus of WindowManagerService.java, there is a possible way to change an input channel for embedded hierarchy due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-215912712 | |||||
| CVE-2022-20190 | 1 Google | 1 Android | 2022-06-24 | 7.8 HIGH | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-208744915References: N/A | |||||
| CVE-2022-20188 | 1 Google | 1 Android | 2022-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-207254598References: N/A | |||||
| CVE-2022-20135 | 1 Google | 1 Android | 2022-06-24 | 7.2 HIGH | 7.8 HIGH |
| In writeToParcel of GateKeeperResponse.java, there is a possible parcel format mismatch. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-220303465 | |||||
| CVE-2022-20184 | 1 Google | 1 Android | 2022-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-209153114References: N/A | |||||
| CVE-2022-20181 | 1 Google | 1 Android | 2022-06-24 | 7.8 HIGH | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-210936609References: N/A | |||||
| CVE-2022-20179 | 1 Google | 1 Android | 2022-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-211683760References: N/A | |||||
| CVE-2022-20177 | 1 Google | 1 Android | 2022-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-209906686References: N/A | |||||
| CVE-2022-20175 | 1 Google | 1 Android | 2022-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-209252491References: N/A | |||||
| CVE-2022-20169 | 1 Google | 1 Android | 2022-06-24 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-211162353References: N/A | |||||
| CVE-2022-20168 | 1 Google | 1 Android | 2022-06-24 | 7.8 HIGH | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-210594998References: N/A | |||||
| CVE-2022-20142 | 1 Google | 1 Android | 2022-06-24 | 7.2 HIGH | 7.8 HIGH |
| In createFromParcel of GeofenceHardwareRequestParcelable.java, there is a possible arbitrary code execution due to parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-216631962 | |||||
| CVE-2022-20151 | 1 Google | 1 Android | 2022-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-210712565References: N/A | |||||
| CVE-2022-20149 | 1 Google | 1 Android | 2022-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-211685939References: N/A | |||||
| CVE-2022-1958 | 1 Filecloud | 1 Filecloud | 2022-06-23 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability classified as critical has been found in FileCloud. Affected is the NTFS handler which leads to improper access controls. It is possible to launch the attack remotely but it demands some form of authentication. Upgrading to version 21.3.5.18513 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2022-20124 | 1 Google | 1 Android | 2022-06-23 | 7.2 HIGH | 7.8 HIGH |
| In deletePackageX of DeletePackageHelper.java, there is a possible way for a Guest user to reset pre-loaded applications for other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-170646036 | |||||
| CVE-2018-1272 | 2 Oracle, Vmware | 25 Application Testing Suite, Big Data Discovery, Communications Converged Application Server and 22 more | 2022-06-23 | 6.0 MEDIUM | 7.5 HIGH |
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. | |||||
| CVE-2022-32564 | 1 Couchbase | 1 Couchbase Server | 2022-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Couchbase Server before 7.0.4. In couchbase-cli, server-eshell leaks the Cluster Manager cookie. | |||||
| CVE-2022-32558 | 1 Couchbase | 1 Couchbase Server | 2022-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Couchbase Server before 7.0.4. Sample bucket loading may leak internal user passwords during a failure. | |||||
| CVE-2016-9842 | 7 Apple, Canonical, Debian and 4 more | 18 Iphone Os, Mac Os X, Tvos and 15 more | 2022-06-22 | 6.8 MEDIUM | 8.8 HIGH |
| The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. | |||||
| CVE-2016-9840 | 7 Apple, Canonical, Debian and 4 more | 18 Iphone Os, Mac Os X, Tvos and 15 more | 2022-06-22 | 6.8 MEDIUM | 8.8 HIGH |
| inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. | |||||
| CVE-2022-1659 | 1 Artbees | 1 Jupiterx | 2022-06-21 | 7.5 HIGH | 7.3 HIGH |
| Vulnerable versions of the JupiterX Core (<= 2.0.6) plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter. This can be used to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack. | |||||
| CVE-2022-1654 | 1 Artbees | 2 Jupiter, Jupiterx | 2022-06-21 | 9.0 HIGH | 8.8 HIGH |
| Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the "abb_uninstall_template" (both) and "jupiterx_core_cp_uninstall_template" (JupiterX Core Only) AJAX actions | |||||
| CVE-2022-29501 | 1 Schedmd | 1 Slurm | 2022-06-20 | 9.0 HIGH | 8.8 HIGH |
| SchedMD Slurm 21.08.x through 20.11.x has Incorrect Access Control that leads to Escalation of Privileges and code execution. | |||||
| CVE-2022-30075 | 1 Tp-link | 2 Archer Ax50, Archer Ax50 Firmware | 2022-06-20 | 6.5 MEDIUM | 8.8 HIGH |
| In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation. | |||||
| CVE-2022-29798 | 1 Huawei | 2 Cv81-wdm, Cv81-wdm Firmware | 2022-06-18 | 7.8 HIGH | 7.5 HIGH |
| There is a denial of service vulnerability in CV81-WDM FW versions 01.70.49.29.46. Successful exploitation could cause denial of service. | |||||
| CVE-2022-31761 | 1 Huawei | 2 Emui, Magic Ui | 2022-06-18 | 5.0 MEDIUM | 7.5 HIGH |
| Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect confidentiality. | |||||
| CVE-2022-31754 | 1 Huawei | 2 Emui, Magic Ui | 2022-06-18 | 5.0 MEDIUM | 7.5 HIGH |
| Logical defects in code implementation in some products. Successful exploitation of this vulnerability may affect the availability of some features. | |||||
| CVE-2021-46812 | 1 Huawei | 2 Emui, Harmonyos | 2022-06-18 | 5.0 MEDIUM | 7.5 HIGH |
| The Device Manager has a vulnerability in multi-device interaction. Successful exploitation of this vulnerability may affect data integrity. | |||||
| CVE-2017-20019 | 1 Solar-log | 16 Solar-log 1000, Solar-log 1000 Firmware, Solar-log 1000 Pm\+ and 13 more | 2022-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability classified as problematic was found in Solare Solar-Log 2.8.4-56/3.5.2-85. Affected by this vulnerability is an unknown functionality of the component Config Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2017-20022 | 1 Solar-log | 16 Solar-log 1000, Solar-log 1000 Firmware, Solar-log 1000 Pm\+ and 13 more | 2022-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been found in Solare Solar-Log 2.8.4-56/3.5.2-85 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to information disclosure. The attack can be initiated remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2022-2013 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Deploy | 2022-06-17 | 4.3 MEDIUM | 7.5 HIGH |
| In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space. | |||||
| CVE-2017-20037 | 1 Sicunet | 1 Access Control | 2022-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been found in SICUNET Access Controller 0.32-05z and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument c leads to privilege escalation. The attack can be launched remotely. | |||||
| CVE-2017-20038 | 1 Sicunet | 1 Access Control | 2022-06-17 | 7.5 HIGH | 8.8 HIGH |
| A vulnerability was found in SICUNET Access Controller 0.32-05z and classified as critical. Affected by this issue is some unknown functionality of the file card_scan_decoder.php. The manipulation of the argument No/door leads to privilege escalation. The attack may be launched remotely. | |||||
| CVE-2022-27502 | 2 Microsoft, Realvnc | 2 Windows, Vnc Server | 2022-06-17 | 7.2 HIGH | 7.8 HIGH |
| RealVNC VNC Server 6.9.0 through 5.1.0 for Windows allows local privilege escalation because an installer repair operation executes %TEMP% files as SYSTEM. | |||||
| CVE-2022-29014 | 1 Razer | 2 Sila, Sila Firmware | 2022-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| A local file inclusion vulnerability in Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to read arbitrary files. | |||||
| CVE-2022-1680 | 1 Gitlab | 1 Gitlab | 2022-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account. | |||||