Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26157 | 1 Cherwell | 1 Cherwell Service Management | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. The ASP.NET_Sessionid cookie is not protected by the Secure flag. This makes it prone to interception by an attacker if traffic is sent over unencrypted channels. | |||||
| CVE-2022-26159 | 1 Ametys | 1 Ametys | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/<domain>/en.xml (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords. | |||||
| CVE-2022-24336 | 1 Jetbrains | 1 Teamcity | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can cancel running builds via an XML-RPC request to the TeamCity server. | |||||
| CVE-2022-24687 | 1 Hashicorp | 1 Consul | 2023-08-08 | 3.5 LOW | 6.5 MEDIUM |
| HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3. | |||||
| CVE-2022-25363 | 1 Watchguard | 1 Fireware | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| WatchGuard Firebox and XTM appliances allow an authenticated remote attacker with unprivileged credentials to modify privileged management user credentials. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. | |||||
| CVE-2022-25355 | 1 Ec-cube | 1 Ec-cube | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users. | |||||
| CVE-2022-25375 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in drivers/usb/gadget/function/rndis.c in the Linux kernel before 5.16.10. The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory. | |||||
| CVE-2021-45081 | 1 Cobbler Project | 1 Cobbler | 2023-08-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS. | |||||
| CVE-2022-25318 | 1 Cerebrate-project | 1 Cerebrate | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups. | |||||
| CVE-2022-25313 | 5 Debian, Fedoraproject, Libexpat Project and 2 more | 6 Debian Linux, Fedora, Libexpat and 3 more | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. | |||||
| CVE-2022-23319 | 1 Pcf2bdf Project | 1 Pcf2bdf | 2023-08-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| A segmentation fault during PCF file parsing in pcf2bdf versions >=1.05 allows an attacker to trigger a program crash via a specially crafted PCF font file. This crash affects the availability of the software and dependent downstream components. | |||||
| CVE-2022-22899 | 1 Coreftp | 1 Core Ftp | 2023-08-08 | 2.6 LOW | 5.5 MEDIUM |
| Core FTP / SFTP Server v2 Build 725 was discovered to allow unauthenticated attackers to cause a Denial of Service (DoS) via a crafted packet through the SSH service. | |||||
| CVE-2022-24953 | 1 Pear | 1 Crypt Gpg | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions. | |||||
| CVE-2022-24684 | 1 Hashicorp | 1 Nomad | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6. | |||||
| CVE-2022-24110 | 1 Accellion | 1 Managed File Transfer | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| Kiteworks MFT 7.5 may allow an unauthorized user to reset other users' passwords. This is fixed in version 7.6 and later. | |||||
| CVE-2022-0117 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2023-08-08 | 4.3 MEDIUM | 6.5 MEDIUM |
| Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2022-0110 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2023-08-08 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect security UI in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-39631 | 1 Google | 1 Android | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| In clear_data_dlg_text of strings.xml, there is a possible situation when "Clear storage" functionality sets up the wrong security/privacy expectations due to a misleading message. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-193890833 | |||||
| CVE-2021-44850 | 1 Amd | 20 Xilinx Z-7007s, Xilinx Z-7007s Firmware, Xilinx Z-7010 and 17 more | 2023-08-08 | 4.6 MEDIUM | 6.8 MEDIUM |
| On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM. Because the Zynq-7000's boot image header is unencrypted and unauthenticated before use, an attacker can modify the boot header stored on an SD card so that a secure image appears to be unencrypted, and they will be able to modify the full range of register initialization values. Normally, these registers will be restricted when booting securely. Of importance to this attack are two registers that control the SD card's transfer type and transfer size. These registers could be modified a way that causes a buffer overflow in the ROM. | |||||
| CVE-2021-31814 | 1 Stormshield | 1 Stormshield Network Security | 2023-08-08 | 3.6 LOW | 6.1 MEDIUM |
| In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a client from accessing the VPN and can obtain sensitive information through the SN VPN SSL Client. | |||||
| CVE-2022-23255 | 1 Microsoft | 1 Onedrive | 2023-08-08 | 4.6 MEDIUM | 5.9 MEDIUM |
| Microsoft OneDrive for Android Security Feature Bypass Vulnerability | |||||
| CVE-2022-23254 | 1 Microsoft | 1 Powerbi-client Js Sdk | 2023-08-08 | 4.0 MEDIUM | 4.9 MEDIUM |
| Microsoft Power BI Information Disclosure Vulnerability | |||||
| CVE-2022-23252 | 1 Microsoft | 3 365 Apps, Office, Office Long Term Servicing Channel | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| Microsoft Office Information Disclosure Vulnerability | |||||
| CVE-2022-22716 | 1 Microsoft | 7 365 Apps, Excel, Office and 4 more | 2023-08-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| Microsoft Excel Information Disclosure Vulnerability | |||||
| CVE-2022-22712 | 1 Microsoft | 4 Windows 10, Windows 11, Windows Server and 1 more | 2023-08-08 | 4.7 MEDIUM | 5.6 MEDIUM |
| Windows Hyper-V Denial of Service Vulnerability | |||||
| CVE-2022-22710 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-08-08 | 4.9 MEDIUM | 5.5 MEDIUM |
| Windows Common Log File System Driver Denial of Service Vulnerability | |||||
| CVE-2022-22002 | 1 Microsoft | 8 Windows 10, Windows 11, Windows 8.1 and 5 more | 2023-08-08 | 4.9 MEDIUM | 5.5 MEDIUM |
| Windows User Account Profile Picture Denial of Service Vulnerability | |||||
| CVE-2022-21998 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-08-08 | 4.9 MEDIUM | 5.5 MEDIUM |
| Windows Common Log File System Driver Information Disclosure Vulnerability | |||||
| CVE-2022-21985 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| Windows Remote Access Connection Manager Information Disclosure Vulnerability | |||||
| CVE-2022-21968 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| Microsoft SharePoint Server Security Feature Bypass Vulnerability | |||||
| CVE-2021-38130 | 1 Microfocus | 1 Voltage Securemail | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| A potential Information leakage vulnerability has been identified in versions of Micro Focus Voltage SecureMail Mail Relay prior to 7.3.0.1. The vulnerability could be exploited to create an information leakage attack. | |||||
| CVE-2021-44886 | 1 Zammad | 1 Zammad | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. If the substitute persons didn't have the same permissions as the original agent, they could receive ticket notifications for tickets that they have no access to. | |||||
| CVE-2021-44746 | 1 Nec | 9 Univerge Dt800 Data Maintenance Tool, Univerge Dt820, Univerge Dt820 Firmware and 6 more | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior, UNIVERGE DT 930 V2.4.0.0 and prior, IP Phone Manager V8.9.1 and prior, Data Maintenance Tool for DT900 Series V5.3.0.0 and prior, Data Maintenance Tool for DT800 Series V4.2.0.0 and prior allows a remote attacker who can access to the internal network, the configuration information may be obtained. | |||||
| CVE-2022-24032 | 1 Adenza | 1 Axiomsl Controllerview | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to user enumeration. An attacker can identify valid usernames on the platform because a failed login attempt produces a different error message when the username is valid. | |||||
| CVE-2022-23863 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password. | |||||
| CVE-2022-23437 | 3 Apache, Netapp, Oracle | 29 Xerces-j, Active Iq Unified Manager, Agile Engineering Data Management and 26 more | 2023-08-08 | 7.1 HIGH | 6.5 MEDIUM |
| There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. | |||||
| CVE-2022-23856 | 1 Saviynt | 1 Enterprise Identity Cloud | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An attacker can enumerate users by changing the id parameter, such as for the ECM/maintenance/forgotpasswordstep1 URI. | |||||
| CVE-2022-22820 | 1 Linecorp | 1 Line | 2023-08-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4. | |||||
| CVE-2022-22310 | 6 Apple, Hp, Ibm and 3 more | 9 Macos, Hp-ux, Aix and 6 more | 2023-08-08 | 6.4 MEDIUM | 6.5 MEDIUM |
| IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications. IBM X-Force ID: 217224. | |||||
| CVE-2021-44837 | 1 Deltarm | 1 Delta Rm | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk. | |||||
| CVE-2021-44838 | 1 Deltarm | 1 Delta Rm | 2023-08-08 | 5.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint, with a POST request indicating the risk to access with the id parameter, it is possible for users to access risks of other companies. | |||||
| CVE-2022-0125 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project. | |||||
| CVE-2022-0124 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows to craft malicious URLs that are sent to slack. | |||||
| CVE-2022-0093 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds. | |||||
| CVE-2021-39892 | 1 Gitlab | 1 Gitlab | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users. | |||||
| CVE-2021-42067 | 1 Sap | 2 Netweaver Abap, Netweaver Application Server Abap | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker authenticated as a regular user can use the S/4 Hana dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible. | |||||
| CVE-2021-39633 | 1 Google | 1 Android | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150694665References: Upstream kernel | |||||
| CVE-2021-1037 | 1 Google | 1 Android | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| The broadcast that DevicePickerFragment sends when a new device is paired doesn't have any permission checks, so any app can register to listen for it. This lets apps keep track of what devices are paired without requesting BLUETOOTH permissions.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-162951906 | |||||
| CVE-2021-45763 | 1 Gpac | 1 Gpac | 2023-08-08 | 4.3 MEDIUM | 5.5 MEDIUM |
| GPAC v1.1.0 was discovered to contain an invalid call in the function gf_node_changed(). This vulnerability can lead to a Denial of Service (DoS). | |||||
| CVE-2021-30314 | 1 Qualcomm | 148 Qca6390, Qca6390 Firmware, Qca6391 and 145 more | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| Lack of validation for third party application accessing the service can lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables | |||||