Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1951 | 1 Kitestudio | 1 Core Plugin For Kitestudio Themes | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The core plugin for kitestudio WordPress plugin before 2.3.1 does not sanitise and escape some parameters before outputting them back in a response of an AJAX action, available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-1938 | 1 Awin | 1 Awin Data Feed | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| The Awin Data Feed WordPress plugin through 1.6 does not sanitise and escape a header when processing request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged in admin viewing the plugin's settings | |||||
| CVE-2022-1937 | 1 Awin | 1 Awin Data Feed | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Awin Data Feed WordPress plugin through 1.6 does not sanitise and escape a parameter before outputting it back via an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1894 | 1 Sygnoos | 1 Popup Builder | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is disallowed | |||||
| CVE-2022-1757 | 1 Pagebar Project | 1 Pagebar | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| The Pagebar WordPress plugin through 2.65 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues | |||||
| CVE-2022-32308 | 1 Ublock Origin Project | 1 Ublock Origin | 2022-07-15 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in uBlock Origin extension before 1.41.1 allows remote attackers to run arbitrary code via a spoofed 'MessageSender.url' to the browser renderer process. | |||||
| CVE-2022-1732 | 1 Rename Wp-login Project | 1 Rename Wp-login | 2022-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1626 | 1 Sharebar Project | 1 Sharebar | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| The Sharebar WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and also lead to Stored Cross-Site Scripting issue due to the lack of sanitisation and escaping in some of them | |||||
| CVE-2022-1576 | 1 Themeisle | 1 Wp Maintenance Mode \& Coming Soon | 2022-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP Maintenance Mode & Coming Soon WordPress plugin before 2.4.5 is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack | |||||
| CVE-2022-22682 | 1 Synology | 1 Calendar | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2022-1546 | 1 Visser | 1 Woocommerce - Product Importer | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WooCommerce - Product Importer WordPress plugin through 1.5.2 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-1474 | 1 Wp-eventmanager | 1 Wp Event Manager | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-34283 | 1 Siemens | 1 Pads Viewer | 2022-07-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing PCB files. An attacker could leverage this vulnerability to leak information in the context of the current process. (FG-VD-22-048) | |||||
| CVE-2022-34282 | 1 Siemens | 1 Pads Viewer | 2022-07-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing PCB files. An attacker could leverage this vulnerability to leak information in the context of the current process. (FG-VD-22-047) | |||||
| CVE-2022-34285 | 1 Siemens | 1 Pads Viewer | 2022-07-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing PCB files. An attacker could leverage this vulnerability to leak information in the context of the current process. (FG-VD-22-050) | |||||
| CVE-2022-34288 | 1 Siemens | 1 Pads Viewer | 2022-07-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing PCB files. An attacker could leverage this vulnerability to leak information in the context of the current process. (FG-VD-22-053) | |||||
| CVE-2022-34287 | 1 Siemens | 1 Pads Viewer | 2022-07-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application contains a stack corruption vulnerability while parsing PCB files. An attacker could leverage this vulnerability to leak information in the context of the current process. (FG-VD-22-052, FG-VD-22-056) | |||||
| CVE-2022-1220 | 1 Foxy-shop | 1 Foxyshop | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-34290 | 1 Siemens | 1 Pads Viewer | 2022-07-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application contains a stack corruption vulnerability while parsing PCB files. An attacker could leverage this vulnerability to leak information in the context of the current process. (FG-VD-22-055) | |||||
| CVE-2022-1794 | 2 Codesys, Microsoft | 2 Opc Da Server, Windows | 2022-07-15 | 4.7 MEDIUM | 5.5 MEDIUM |
| The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system. | |||||
| CVE-2022-34291 | 1 Siemens | 1 Pads Viewer | 2022-07-15 | 4.3 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been identified in PADS Standard/Plus Viewer (All versions). The affected application contains a stack corruption vulnerability while parsing PCB files. An attacker could leverage this vulnerability to leak information in the context of the current process. (FG-VD-22-057, FG-VD-22-058, FG-VD-22-060) | |||||
| CVE-2022-27168 | 1 Litecart | 1 Litecart | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in LiteCart versions prior to 2.4.2 allows a remote attacker to inject an arbitrary script via unspecified vectors. | |||||
| CVE-2022-2365 | 1 Trilium Project | 1 Trilium | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.53.3. | |||||
| CVE-2021-1113 | 1 Nvidia | 8 Jetson Agx Xavier, Jetson Linux, Jetson Nano and 5 more | 2022-07-15 | 5.4 MEDIUM | 4.7 MEDIUM |
| NVIDIA camera firmware contains a difficult to exploit vulnerability where a highly privileged attacker can cause unauthorized modification to camera resources, which may result in complete denial of service and partial loss of data integrity for all clients. | |||||
| CVE-2022-35416 | 1 H3c | 1 Ssl Vpn | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| H3C SSL VPN through 2022-07-10 allows wnm/login/login.json svpnlang cookie XSS. | |||||
| CVE-2022-1599 | 1 Admin Management Xtended Project | 1 Admin Management Xtended | 2022-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more. | |||||
| CVE-2022-1910 | 1 Averta | 1 Shortcodes And Extra Features For Phlox Theme | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-32061 | 1 Snipeitapp | 1 Snipe-it | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2022-32060 | 1 Snipeitapp | 1 Snipe-it | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2015-5298 | 1 Jenkins | 1 Google Login | 2022-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification. | |||||
| CVE-2022-31029 | 1 Adminite | 1 Adminlte | 2022-07-15 | 3.5 LOW | 4.8 MEDIUM |
| AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2021-41042 | 1 Eclipse | 1 Lyo | 2022-07-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved. | |||||
| CVE-2022-31136 | 1 Joinbookwyrm | 1 Bookwyrm | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Bookwyrm is an open source social reading and reviewing program. Versions of Bookwyrm prior to 0.4.1 did not properly sanitize html being rendered to users. Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses. These vulnerabilities may be exploited as cross site scripting attacks on users viewing these fields. Users are advised to upgrade to version 0.4.1. There are no known workarounds for this issue. | |||||
| CVE-2022-31472 | 1 Cybozu | 1 Garoon | 2022-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Browse restriction bypass vulnerability in Cabinet of Cybozu Garoon 4.0.0 to 5.5.1 allows a remote authenticated attacker to obtain the data of Cabinet. | |||||
| CVE-2022-30943 | 1 Cybozu | 1 Garoon | 2022-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Browsing restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data of Bulletin. | |||||
| CVE-2022-31032 | 1 Enalean | 1 Tuleap | 2022-07-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.58 authorizations are not properly verified when creating projects or trackers from projects marked as templates. Users can get access to information in those template projects because the permissions model is not properly enforced. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31063 | 1 Enalean | 1 Tuleap | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.111 the title of a document is not properly escaped in the search result of MyDocmanSearch widget and in the administration page of the locked documents. A malicious user with the capability to create a document could force victim to execute uncontrolled code. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-32208 | 1 Haxx | 1 Curl | 2022-07-15 | 4.3 MEDIUM | 5.9 MEDIUM |
| When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. | |||||
| CVE-2022-32206 | 1 Haxx | 1 Curl | 2022-07-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. | |||||
| CVE-2022-33098 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2022-28889 | 1 Apache | 1 Druid | 2022-07-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header. | |||||
| CVE-2021-44791 | 1 Apache | 1 Druid | 2022-07-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. | |||||
| CVE-2022-35230 | 1 Zabbix | 1 Zabbix | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. | |||||
| CVE-2022-32290 | 1 Northern.tech | 1 Mender | 2022-07-14 | 3.3 LOW | 4.3 MEDIUM |
| The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead of only the localhost interface. Therefore, any client on the same network can connect to this TCP port and send HTTP requests. The Mender Client will forward these requests to the Mender Server. Additionally, if mTLS is set up, the Mender Client will connect to the Mender Server using the device's client certificate, making it possible for the attacker to bypass mTLS authentication and send requests to the Mender Server without direct access to the client certificate and related private key. Accessing the HTTP proxy from the local network doesn't represent a direct threat, because it doesn't expose any device or server-specific data. However, it increases the attack surface and can be a potential vector to exploit other vulnerabilities both on the Client and the Server. | |||||
| CVE-2022-31133 | 1 Humhub | 1 Humhub | 2022-07-14 | 3.5 LOW | 4.8 MEDIUM |
| HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need a permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped and so an attacker with sufficient privilege could insert malicious javascript into a space name and exploit system users who visit that space. It is recommended that the HumHub is upgraded to 1.11.4, 1.10.5. There are no known workarounds for this issue. | |||||
| CVE-2022-32441 | 1 Hex-rays | 1 Ida | 2022-07-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| A memory corruption in Hex Rays Ida Pro v6.6 allows attackers to cause a Denial of Service (DoS) via a crafted file. Related to Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056. | |||||
| CVE-2021-35248 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2022-07-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings. | |||||
| CVE-2022-23172 | 1 Priority-software | 1 Priority | 2022-07-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not. | |||||
| CVE-2022-23173 | 1 Priority-software | 1 Priority | 2022-07-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| this vulnerability affect user that even not allowed to access via the web interface. First of all, the attacker needs to access the "Login menu - demo site" then he can see in this menu all the functionality of the application. If the attacker will try to click on one of the links, he will get an answer that he is not authorized because he needs to log in with credentials. after he performed log in to the system there are some functionalities that the specific user is not allowed to perform because he was configured with low privileges however all the attacker need to do in order to achieve his goals is to change the value of the prog step parameter from 0 to 1 or more and then the attacker could access to some of the functionality the web application that he couldn't perform it before the parameter changed. | |||||
| CVE-2015-1785 | 1 Imagely | 1 Nextgen Gallery | 2022-07-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application. The vulnerabilities lie in how the application validates user uploaded files and lack of security measures preventing unwanted HTTP requests. | |||||