Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34049 | 1 Wavlink | 2 Wl-wn530hg4, Wl-wn530hg4 Firmware | 2022-07-27 | N/A | 5.3 MEDIUM |
| An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data. | |||||
| CVE-2021-40149 | 1 Reolink | 2 E1 Zoom, E1 Zoom Firmware | 2022-07-27 | N/A | 5.9 MEDIUM |
| The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI. | |||||
| CVE-2022-29890 | 1 Octopus | 1 Server | 2022-07-27 | N/A | 6.1 MEDIUM |
| In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | |||||
| CVE-2021-31818 | 1 Octopus | 1 Server | 2022-07-27 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables. | |||||
| CVE-2019-19085 | 1 Octopus | 1 Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML. | |||||
| CVE-2019-15508 | 1 Octopus | 2 Server, Tentacle | 2022-07-27 | 3.5 LOW | 6.5 MEDIUM |
| In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7. | |||||
| CVE-2019-15507 | 1 Octopus | 1 Server | 2022-07-27 | 3.5 LOW | 6.5 MEDIUM |
| In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8. | |||||
| CVE-2022-35569 | 1 Blogifier | 1 Blogifier | 2022-07-27 | N/A | 4.8 MEDIUM |
| Blogifier v3.0 was discovered to contain an arbitrary file upload vulnerability at /api/storage/upload/PostImage. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted file. | |||||
| CVE-2020-16197 | 1 Octopus | 2 Octopus Server, Server | 2022-07-27 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation. | |||||
| CVE-2019-15698 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10. | |||||
| CVE-2019-14525 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2022-07-27 | 4.0 MEDIUM | 4.9 MEDIUM |
| In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call. | |||||
| CVE-2022-23184 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2022-07-27 | 5.8 MEDIUM | 6.1 MEDIUM |
| In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | |||||
| CVE-2019-8944 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2022-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. | |||||
| CVE-2022-1129 | 1 Google | 2 Android, Chrome | 2022-07-27 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 100.0.4896.60 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-1132 | 1 Google | 2 Chrome, Chrome Os | 2022-07-27 | N/A | 6.1 MEDIUM |
| Inappropriate implementation in Virtual Keyboard in Google Chrome on Chrome OS prior to 100.0.4896.60 allowed a local attacker to bypass navigation restrictions via physical access to the device. | |||||
| CVE-2022-1137 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to leak potentially sensitive information via a crafted HTML page. | |||||
| CVE-2022-1306 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in compositing in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-1307 | 1 Google | 2 Android, Chrome | 2022-07-27 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in full screen in Google Chrome on Android prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2020-14836 | 2 Netapp, Oracle | 5 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 2 more | 2022-07-27 | 6.8 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2020-14830 | 2 Netapp, Oracle | 5 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 2 more | 2022-07-27 | 6.8 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2017-11348 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2022-07-27 | 6.3 MEDIUM | 5.7 MEDIUM |
| In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. | |||||
| CVE-2022-24692 | 1 Dsk | 1 Dsknet | 2022-07-27 | N/A | 5.4 MEDIUM |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution. | |||||
| CVE-2020-14179 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-07-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1. | |||||
| CVE-2022-31160 | 1 Jqueryui | 1 Jquery Ui | 2022-07-27 | N/A | 6.1 MEDIUM |
| jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`. | |||||
| CVE-2020-14175 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2. | |||||
| CVE-2018-20239 | 1 Atlassian | 8 Application Links, Confluence Data Center, Confluence Server and 5 more | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0. | |||||
| CVE-2018-20237 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. | |||||
| CVE-2020-29444 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters. | |||||
| CVE-2021-26072 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2020-29448 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | |||||
| CVE-2020-29450 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0. | |||||
| CVE-2022-30301 | 1 Fortinet | 1 Fortiap-u | 2022-07-27 | N/A | 6.7 MEDIUM |
| A path traversal vulnerability [CWE-22] in FortiAP-U CLI 6.2.0 through 6.2.3, 6.0.0 through 6.0.4, 5.4.0 through 5.4.6 may allow an admin user to delete and access unauthorized files and data via specifically crafted CLI commands. | |||||
| CVE-2022-2318 | 1 Linux | 1 Linux Kernel | 2022-07-27 | 4.9 MEDIUM | 5.5 MEDIUM |
| There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges. | |||||
| CVE-2022-33744 | 1 Linux | 1 Linux Kernel | 2022-07-27 | 1.9 LOW | 4.7 MEDIUM |
| Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. | |||||
| CVE-2021-32504 | 1 Sick | 2 Ftmg, Ftmg Firmware | 2022-07-27 | N/A | 5.3 MEDIUM |
| Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system. | |||||
| CVE-2022-29057 | 1 Fortinet | 1 Fortiedr | 2022-07-27 | N/A | 5.4 MEDIUM |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiEDR version 5.1.0, 5.0.0 through 5.0.3 Patch 6 and 4.0.0 allows a remote authenticated attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload into the Management Console via various endpoints. | |||||
| CVE-2022-22416 | 1 Ibm | 2 Partner Engagement Manager, Partner Engagement Manager On Cloud\/saas | 2022-07-27 | N/A | 5.4 MEDIUM |
| IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 223126. | |||||
| CVE-2022-22359 | 1 Ibm | 2 Partner Engagement Manager, Partner Engagement Manager On Cloud\/saas | 2022-07-27 | N/A | 6.5 MEDIUM |
| IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 220652. | |||||
| CVE-2022-2476 | 1 Wavpack | 1 Wavpack | 2022-07-26 | N/A | 5.5 MEDIUM |
| A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING | |||||
| CVE-2022-31150 | 1 Nodejs | 1 Undici | 2022-07-26 | N/A | 6.5 MEDIUM |
| undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue. | |||||
| CVE-2022-34640 | 1 Openhwgroup | 1 Cva6 | 2022-07-26 | N/A | 5.5 MEDIUM |
| The *tval of ecall/ebreak in CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a was discovered to be incorrect. | |||||
| CVE-2022-34642 | 1 Riscv | 1 Spike Risc-v Isa Simulator | 2022-07-26 | N/A | 5.5 MEDIUM |
| The component mcontrol.action in RISCV ISA Sim commit ac466a21df442c59962589ba296c702631e041b5 contains the incorrect mask which can cause a Denial of Service (DoS). | |||||
| CVE-2022-34639 | 1 Openhwgroup | 1 Cva6 | 2022-07-26 | N/A | 5.5 MEDIUM |
| CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a treats non-standard fence instructions as illegal which can affect the function of the application. | |||||
| CVE-2022-34643 | 1 Riscv | 1 Spike Risc-v Isa Simulator | 2022-07-26 | N/A | 5.5 MEDIUM |
| RISCV ISA Sim commit ac466a21df442c59962589ba296c702631e041b5 implements the incorrect exception priotrity when accessing memory. | |||||
| CVE-2022-34637 | 1 Openhwgroup | 1 Cva6 | 2022-07-26 | N/A | 5.5 MEDIUM |
| CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a implements an incorrect exception type when an illegal virtual address is loaded. | |||||
| CVE-2022-34633 | 1 Openhwgroup | 1 Cva6 | 2022-07-26 | N/A | 5.5 MEDIUM |
| CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a executes crafted or incorrectly formatted sfence.vma instructions rather create an exception. | |||||
| CVE-2022-34634 | 1 Openhwgroup | 1 Cva6 | 2022-07-26 | N/A | 5.5 MEDIUM |
| CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a executes crafted or incorrectly formatted det instructions rather create an exception. | |||||
| CVE-2022-34641 | 1 Openhwgroup | 1 Cva6 | 2022-07-26 | N/A | 5.5 MEDIUM |
| CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a and RISCV-Boom commit ad64c5419151e5e886daee7084d8399713b46b4b implements the incorrect exception type when a PMP violation occurs during address translation. | |||||
| CVE-2022-34636 | 1 Openhwgroup | 1 Cva6 | 2022-07-26 | N/A | 5.5 MEDIUM |
| CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a and RISCV-Boom commit ad64c5419151e5e886daee7084d8399713b46b4b implements the incorrect exception type when a PMA violation occurs during address translation. | |||||
| CVE-2022-21559 | 1 Oracle | 1 Commerce Platform | 2022-07-26 | N/A | 5.5 MEDIUM |
| Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Application Framework). Supported versions that are affected are 11.3.0, 11.3.1 and 11.3.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Commerce Platform executes to compromise Oracle Commerce Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Commerce Platform accessible data. CVSS 3.1 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | |||||