Search
Total
49350 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29834 | 1 Iconics | 1 Genesis64 | 2022-07-27 | N/A | 7.5 HIGH |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS GENESIS64 versions 10.97 to 10.97.1 allows a remote unauthenticated attacker to access to arbitrary files in the GENESIS64 server and disclose information stored in the files by embedding a malicious URL parameter in the URL of the monitoring screen delivered to the GENESIS64 mobile monitoring application and accessing the monitoring screen. | |||||
| CVE-2022-33320 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2022-07-27 | N/A | 7.8 HIGH |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. | |||||
| CVE-2022-1670 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users. | |||||
| CVE-2022-34901 | 1 Parallels | 1 Parallels Access | 2022-07-27 | N/A | 7.8 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The service executes files from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16137. | |||||
| CVE-2022-34900 | 1 Parallels | 1 Parallels Access | 2022-07-27 | N/A | 7.8 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.3 (39313) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Dispatcher service. The service loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15213. | |||||
| CVE-2022-34902 | 1 Parallels | 1 Parallels Access | 2022-07-27 | N/A | 7.8 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Desktop Control Agent service. The service loads Qt plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15787. | |||||
| CVE-2022-34889 | 1 Parallels | 1 Parallels Desktop | 2022-07-27 | N/A | 8.2 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the ACPI virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-16554. | |||||
| CVE-2022-34035 | 1 Htmldoc Project | 1 Htmldoc | 2022-07-27 | N/A | 7.5 HIGH |
| HTMLDoc v1.9.12 and below was discovered to contain a heap overflow via e_node htmldoc/htmldoc/html.cxx:588. | |||||
| CVE-2022-34033 | 1 Htmldoc Project | 1 Htmldoc | 2022-07-27 | N/A | 7.5 HIGH |
| HTMLDoc v1.9.15 was discovered to contain a heap overflow via (write_header) /htmldoc/htmldoc/html.cxx:273. | |||||
| CVE-2022-24691 | 1 Dsk | 1 Dsknet | 2022-07-27 | N/A | 7.1 HIGH |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. A SQL Injection vulnerability allows authenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Injection is blind boolean based. | |||||
| CVE-2022-24690 | 1 Dsk | 1 Dsknet | 2022-07-27 | N/A | 8.2 HIGH |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. A PresAbs.php SQL Injection vulnerability allows unauthenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Injection is blind boolean based. (An unauthenticated attacker can discover the endpoint by abusing a Broken Access Control issue with further SQL injection attacks to gather all user's badge numbers and PIN codes.) | |||||
| CVE-2021-31817 | 1 Octopus | 1 Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. | |||||
| CVE-2021-31816 | 1 Octopus | 1 Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. | |||||
| CVE-2021-30183 | 1 Octopus | 1 Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext. | |||||
| CVE-2020-21405 | 1 H96tvbox | 2 H96 Pro Plus, H96 Pro Plus Firmware | 2022-07-27 | N/A | 7.5 HIGH |
| An issue was discovered in H96 Smart TV Box H96 Pro Plus allows attackers to corrupt files via calls to the saveDeepColorAttr service.unk | |||||
| CVE-2020-21406 | 2 Rk Max Smart Tv Box Project, V88 Smart Tv Box Project | 4 Rk Max Smart Tv Box, Rk Max Smart Tv Box Firmware, V88 Smart Tv Box and 1 more | 2022-07-27 | N/A | 7.5 HIGH |
| An issue was discovered in RK Smart TV Box MAX and V88 SmartTV box that allows attackers to cause a denial of service via the switchNextDisplayInterface service. | |||||
| CVE-2021-26556 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2022-07-27 | 4.4 MEDIUM | 7.8 HIGH |
| When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | |||||
| CVE-2019-11632 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2022-07-27 | 5.5 MEDIUM | 8.1 HIGH |
| In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.) | |||||
| CVE-2018-18850 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 9.0 HIGH | 8.8 HIGH |
| In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM). | |||||
| CVE-2022-1127 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in QR Code Generator in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via user interaction. | |||||
| CVE-2022-1130 | 1 Google | 2 Android, Chrome | 2022-07-27 | N/A | 8.1 HIGH |
| Insufficient validation of trust input in WebOTP in Google Chrome on Android prior to 100.0.4896.60 allowed a remote attacker to send arbitrary intents from any app via a malicious app. | |||||
| CVE-2022-1131 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in Cast UI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1133 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in WebRTC Perf in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1134 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Type confusion in V8 in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1135 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in Shopping Cart in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via standard feature user interaction. | |||||
| CVE-2022-1136 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in Tab Strip in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific set of user gestures. | |||||
| CVE-2022-0546 | 3 Blender, Debian, Fedoraproject | 4 Blender, Debian Linux, Extra Packages For Enterprise Linux and 1 more | 2022-07-27 | 5.1 MEDIUM | 7.8 HIGH |
| A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution. | |||||
| CVE-2022-1141 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in File Manager in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific user gesture. | |||||
| CVE-2022-1142 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Heap buffer overflow in WebUI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific input into DevTools. | |||||
| CVE-2022-1143 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Heap buffer overflow in WebUI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific input into DevTools. | |||||
| CVE-2022-1144 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in WebUI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific input into DevTools. | |||||
| CVE-2022-1145 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 7.5 HIGH |
| Use after free in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific user interaction and profile destruction. | |||||
| CVE-2022-1305 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in storage in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1232 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Type confusion in V8 in Google Chrome prior to 100.0.4896.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-27406 | 2 Fedoraproject, Freetype | 2 Fedora, Freetype | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size. | |||||
| CVE-2022-27405 | 2 Fedoraproject, Freetype | 2 Fedora, Freetype | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request. | |||||
| CVE-2022-1308 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in BFCache in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1311 | 1 Google | 2 Chrome, Chrome Os | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in shell in Google Chrome on ChromeOS prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1310 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in regular expressions in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-32223 | 2 Microsoft, Nodejs | 2 Windows, Node.js | 2022-07-27 | N/A | 7.3 HIGH |
| Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability. | |||||
| CVE-2018-12089 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 3.5 LOW | 7.5 HIGH |
| In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0. | |||||
| CVE-2019-20419 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-07-27 | 4.4 MEDIUM | 7.8 HIGH |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2. | |||||
| CVE-2021-43940 | 2 Atlassian, Microsoft | 3 Confluence Data Center, Confluence Server, Windows | 2022-07-27 | 6.9 MEDIUM | 7.8 HIGH |
| Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence Server and Data Center on Windows. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | |||||
| CVE-2022-1096 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1125 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in Portals in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via user interaction. | |||||
| CVE-2021-21341 | 4 Debian, Fedoraproject, Oracle and 1 more | 10 Debian Linux, Fedora, Banking Enterprise Default Management and 7 more | 2022-07-27 | 7.1 HIGH | 7.5 HIGH |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2022-1313 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in tab groups in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-29060 | 1 Fortinet | 1 Fortiddos | 2022-07-27 | N/A | 8.1 HIGH |
| A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device. | |||||
| CVE-2022-26113 | 1 Fortinet | 1 Forticlient | 2022-07-27 | N/A | 7.1 HIGH |
| An execution with unnecessary privileges vulnerability [CWE-250] in FortiClientWindows 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.10 may allow a local attacker to perform an arbitrary file write on the system. | |||||
| CVE-2022-2468 | 1 Garage Management System Project | 1 Garage Management System | 2022-07-27 | N/A | 8.8 HIGH |
| A vulnerability was found in SourceCodester Garage Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /editbrand.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||