Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30953 | 1 Jenkins | 1 Blue Ocean | 2022-05-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. | |||||
| CVE-2022-30952 | 1 Jenkins | 1 Blue Ocean | 2022-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. | |||||
| CVE-2022-24890 | 1 Nextcloud | 1 Talk | 2022-05-26 | 3.5 LOW | 4.3 MEDIUM |
| Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds. | |||||
| CVE-2022-28192 | 1 Nvidia | 1 Virtual Gpu | 2022-05-26 | 1.9 LOW | 4.1 MEDIUM |
| NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (nvidia.ko), where it may lead to a use-after-free, which in turn may cause denial of service. This attack is complex to carry out because the attacker needs to have control over freeing some host side resources out of sequence, which requires elevated privileges. | |||||
| CVE-2022-24611 | 1 Silabs | 10 Sd3502, Sd3502 Firmware, Sd3503 and 7 more | 2022-05-26 | 6.1 MEDIUM | 6.5 MEDIUM |
| Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block an S0/S2-protected Z-Wave network via crafted S0 NonceGet Z-Wave packets that use the NodeIDs of nodes that are included in the network but currently absent. | |||||
| CVE-2020-3583 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2022-05-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. | |||||
| CVE-2020-3582 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2022-05-26 | 2.6 LOW | 6.1 MEDIUM |
| Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. | |||||
| CVE-2020-3581 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2022-05-26 | 2.6 LOW | 6.1 MEDIUM |
| Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. | |||||
| CVE-2020-3580 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2022-05-26 | 2.6 LOW | 6.1 MEDIUM |
| Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. | |||||
| CVE-2020-3578 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2022-05-26 | 5.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and access parts of the WebVPN portal that are supposed to be blocked. The vulnerability is due to insufficient validation of URLs when portal access rules are configured. An attacker could exploit this vulnerability by accessing certain URLs on the affected device. | |||||
| CVE-2022-30110 | 1 Jirafeau | 1 Jirafeau | 2022-05-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| The file preview functionality in Jirafeau < 4.4.0, which is enabled by default, could be exploited for cross-site scripting. An attacker could upload image/svg+xml files containing JavaScript. When someone visits the File Preview URL for such a file, the JavaScript inside the image/svg+xml file is executed in the user's browser. | |||||
| CVE-2022-29332 | 1 Dlink | 2 Dir-825, Dir-825 Firmware | 2022-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| D-Link DIR-825 AC1200 R2 is vulnerable to directory traversal. An attacker can set the FTP server folder setting to "../../../../", which makes the router's root directory the FTP root and exposes the entire router file system via the FTP server. | |||||
| CVE-2021-42644 | 1 Cmseasy | 1 Cmseasy | 2022-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| cmseasy V7.7.5_20211012 is affected by an arbitrary file read vulnerability. After login, website configuration files such as the database configuration file (config/config_database) can be read through this vulnerability. | |||||
| CVE-2022-1774 | 1 Diagrams | 1 Draw.io | 2022-05-26 | 5.8 MEDIUM | 6.1 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. | |||||
| CVE-2022-1771 | 1 Vim | 1 Vim | 2022-05-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. | |||||
| CVE-2022-0873 | 1 Codeasily | 1 Gmedia Gallery | 2022-05-26 | 3.5 LOW | 4.8 MEDIUM |
| The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-28921 | 1 Blogengine | 1 Blogengine.net | 2022-05-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server. | |||||
| CVE-2022-28924 | 1 Universis | 1 Universis-students | 2022-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/. | |||||
| CVE-2021-29752 | 1 Ibm | 1 Db2 | 2022-05-26 | 3.5 LOW | 4.4 MEDIUM |
| IBM Db2 11.2 and 11.5 contains an information disclosure vulnerability, exposing remote storage credentials to privileged users under specific conditions. IBM X-Force ID: 201780. | |||||
| CVE-2021-30833 | 1 Apple | 1 Macos | 2022-05-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.0.1. Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files. | |||||
| CVE-2021-30972 | 1 Apple | 2 Mac Os X, Macos | 2022-05-26 | 2.1 LOW | 5.5 MEDIUM |
| This issue was addressed with improved checks. This issue is fixed in Security Update 2022-001 Catalina, macOS Big Sur 11.6.3. A malicious application may be able to bypass certain Privacy preferences. | |||||
| CVE-2021-30913 | 1 Apple | 1 Macos | 2022-05-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| The issue was addressed with improved permissions logic. This issue is fixed in macOS Monterey 12.0.1, macOS Big Sur 11.6.1. An unprivileged application may be able to edit NVRAM variables. | |||||
| CVE-2021-30895 | 1 Apple | 5 Ipad Os, Iphone Os, Macos and 2 more | 2022-05-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| A logic issue was addressed with improved restrictions. This issue is fixed in iOS 15.0.2 and iPadOS 15.0.2, tvOS 15.1, watchOS 8.1, macOS Monterey 12.0.1. A malicious application may be able to access information about a user's contacts. | |||||
| CVE-2022-28959 | 1 Spip | 1 Spip | 2022-05-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allow attackers to execute arbitrary web scripts or HTML. | |||||
| CVE-2021-45730 | 1 Jfrog | 1 Artifactory | 2022-05-26 | 4.0 MEDIUM | 4.9 MEDIUM |
| JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators. | |||||
| CVE-2022-1110 | 1 Lenovo | 1 Smart Standby Driver | 2022-05-26 | 4.9 MEDIUM | 5.5 MEDIUM |
| A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service. | |||||
| CVE-2022-1706 | 1 Redhat | 3 Enterprise Linux, Ignition, Openshift Container Platform | 2022-05-26 | 3.5 LOW | 6.5 MEDIUM |
| A vulnerability was found in Ignition where Ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. A possible workaround is not to put secrets in the Ignition config. | |||||
| CVE-2022-21658 | 2 Fedoraproject, Rust-lang | 2 Fedora, Rust | 2022-05-26 | 3.3 LOW | 6.3 MEDIUM |
| Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affected by this vulnerability, with 1.58.1 containing a patch. Note that the following build targets don't have usable APIs to properly mitigate the attack, and are thus still vulnerable even with a patched toolchain: macOS before version 10.10 (Yosemite) and Redox. We recommend that everyone update to Rust 1.58.1 as soon as possible, especially people developing programs expected to run in privileged contexts (including system daemons and setuid binaries), as those have the highest risk of being affected by this. Note that adding checks in your codebase before calling remove_dir_all will not mitigate the vulnerability, as they would also be vulnerable to race conditions like remove_dir_all itself. The existing mitigation is working as intended outside of race conditions. | |||||
| CVE-2021-27548 | 1 Xpdfreader | 1 Xpdf | 2022-05-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03. | |||||
| CVE-2022-1782 | 1 Erudika | 1 Para | 2022-05-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11. | |||||
| CVE-2022-30975 | 1 Artifex | 1 Mujs | 2022-05-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp. | |||||
| CVE-2022-30974 | 1 Artifex | 1 Mujs | 2022-05-26 | 4.3 MEDIUM | 5.5 MEDIUM |
| compile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413. | |||||
| CVE-2021-35249 | 1 Solarwinds | 1 Serv-u | 2022-05-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| This broken access control vulnerability pertains specifically to a domain admin who can access configuration and user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read-only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed. | |||||
| CVE-2022-23634 | 2 Puma, Rubyonrails | 2 Puma, Rails | 2022-05-26 | 4.3 MEDIUM | 5.9 MEDIUM |
| Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. | |||||
| CVE-2022-30073 | 1 Wbce | 1 Wbce Cms | 2022-05-26 | 3.5 LOW | 5.4 MEDIUM |
| WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via /admin/users/save.php. | |||||
| CVE-2021-33124 | 1 Intel | 1346 Core I3-1000g1, Core I3-1000g1 Firmware, Core I3-1000g4 and 1343 more | 2022-05-26 | 7.2 HIGH | 6.7 MEDIUM |
| Out-of-bounds write in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-22482 | 1 Ibm | 1 Sterling B2b Integrator | 2022-05-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow an authenticated user to upload files that could fill up the filesystem and cause a denial of service. IBM X-Force ID: 225977. | |||||
| CVE-2022-22773 | 1 Tibco | 1 Jasperreports Server | 2022-05-25 | 3.5 LOW | 5.4 MEDIUM |
| The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions 8.0.1 and below, TIBCO JasperReports Server - Community Edition: versions 8.0.1 and below, TIBCO JasperReports Server - Developer Edition: versions 8.0.0 and below, TIBCO JasperReports Server for AWS Marketplace: versions 8.0.1 and below, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.2 and below, and TIBCO JasperReports Server for Microsoft Azure: versions 8.0.1 and below. | |||||
| CVE-2022-30072 | 1 Wbce | 1 Wbce Cms | 2022-05-25 | 3.5 LOW | 5.4 MEDIUM |
| WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via the namesection2 parameter of \admin\pages\sections_save.php. | |||||
| CVE-2022-22775 | 1 Tibco | 2 Bpm Enterprise, Bpm Enterprise Distribution For Silver Fabric | 2022-05-25 | 3.5 LOW | 5.4 MEDIUM |
| The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult to exploit Reflected Cross Site Scripting (XSS) vulnerabilities that allow low privileged attackers with network access to execute scripts targeting the affected system or the victim's local system. Affected releases are TIBCO Software Inc.'s TIBCO BPM Enterprise: versions 4.3.1 and below and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric: versions 4.3.1 and below. | |||||
| CVE-2022-22809 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2022-05-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow an attacker to modify the touch configurations without authorization. Affected products: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior). | |||||
| CVE-2020-10471 | 1 Chadhasoftware | 1 Phpkb | 2022-05-25 | 3.5 LOW | 4.8 MEDIUM |
| Reflected XSS in admin/manage-articles.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort. | |||||
| CVE-2022-29449 | 1 Wpopal | 1 Opal Hotel Room Booking | 2022-05-25 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin <= 1.2.7 at WordPress. | |||||
| CVE-2022-25617 | 1 Codesnippets | 1 Code Snippets | 2022-05-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via the orderby parameter. | |||||
| CVE-2022-1432 | 1 Octoprint | 1 Octoprint | 2022-05-25 | 4.6 MEDIUM | 6.4 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0. | |||||
| CVE-2021-42943 | 1 Ipplan Project | 1 Ipplan | 2022-05-25 | 3.5 LOW | 5.4 MEDIUM |
| Stored cross-site scripting (XSS) in admin/usermanager.php in IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter. | |||||
| CVE-2022-23674 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-05-25 | 3.5 LOW | 5.4 MEDIUM |
| A remote authenticated stored cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2022-23706 | 1 Hp | 1 Oneview | 2022-05-25 | 4.3 MEDIUM | 6.1 MEDIUM |
| A remote cross-site scripting (XSS) vulnerability was discovered in HPE OneView version(s): prior to 7.0. HPE has provided a software update to resolve this vulnerability in HPE OneView. | |||||
| CVE-2022-28190 | 1 Nvidia | 1 Gpu Display Driver | 2022-05-25 | 2.1 LOW | 5.5 MEDIUM |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation can cause denial of service. | |||||
| CVE-2022-28189 | 1 Nvidia | 1 Gpu Display Driver | 2022-05-25 | 2.1 LOW | 5.5 MEDIUM |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a NULL pointer dereference may lead to a system crash. | |||||
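The Jirafeau entry (CVE-2022-30110) describes the generic SVG-preview problem: an SVG is an XML document, so a browser that renders it as a top-level document runs its `<script>` elements, `on*` handlers and `javascript:` links with the serving site's origin. The following is an added example, not Jirafeau's code, of the two checks a preview endpoint should make: scan the upload for active content, and serve SVG with a script-forbidding, sandboxing CSP so that a construct the scanner does not know about still cannot run. The sample SVGs are constructed for the demonstration; the mention of `defusedxml` is a recommendation for production input, assumed to be installed there.

```python
"""Scan an uploaded SVG for active content before it is offered for inline preview."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Elements that can carry script or embed foreign (HTML) content.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# After namespace stripping, both href and xlink:href arrive as "href".
URL_ATTRIBUTES = {"href"}

# Constructed samples for the demonstration (not taken from the advisory).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <circle r="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><text>click</text></a>
</svg>"""
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20">
  <a href="#details"><circle cx="10" cy="10" r="8" style="fill:teal"/></a>
</svg>"""


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (element, reason) findings in document order; [] means nothing active was found.

    A parse failure is itself a finding: if we cannot parse the file, the browser's
    more lenient parser may still execute it, so it must not be previewed inline.
    xml.etree does not fetch external entities, but for untrusted input in production
    use defusedxml.ElementTree (assumed to be installed) to also cap entity expansion.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [("document", f"not well-formed XML: {exc}")]

    findings: List[Tuple[str, str]] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append((tag, "active element"))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append((tag, f"event handler attribute {name}"))
            elif name in URL_ATTRIBUTES:
                # Browsers ignore whitespace/control characters inside the scheme,
                # so collapse them before comparing.
                scheme = "".join(value.split()).lower().split(":", 1)[0]
                if scheme == "javascript":
                    findings.append((tag, f"javascript: URL in {name}"))
    return findings


def preview_headers(content_type: str, findings: List[Tuple[str, str]]) -> Dict[str, str]:
    """Headers for the preview response.

    SVG is always served with a CSP that forbids script and puts the document in a
    sandboxed (unique) origin, so even a construct the scanner does not know about
    cannot run with the site's origin.  Anything the scanner flagged is forced to
    download instead of rendering inline.
    """
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if content_type.split(";", 1)[0].strip().lower() == "image/svg+xml":
        headers["Content-Security-Policy"] = (
            "default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:; sandbox"
        )
    if findings:
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG)):
        found = scan_svg(sample)
        print(label, found, preview_headers("image/svg+xml", found))
```

The scanner is a filter, not the security boundary: the CSP and `nosniff` headers are what hold when a new SVG trick appears, and serving previews from a separate, cookie-less origin removes the remaining risk entirely.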
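The D-Link DIR-825 entry (CVE-2022-29332) and the cmseasy entry (CVE-2021-42644) share one root cause: a path taken from the user (an FTP share-folder setting, a file name handed to a read handler) is joined to a base directory and used as-is, so `../../../../` climbs out of the base. The containment check below is an added example, not code from either product. Its purpose is to show that the correct test is "does the normalised result still lie inside the base", not "does the string contain `..`": the latter misses percent-encoded forms and lets an absolute path through. The paths in the usage block are constructed for the demonstration.

```python
"""Confine a user-supplied path to a configured root directory."""
import os
import posixpath
from typing import Optional
from urllib.parse import unquote


def confine_to_root(base: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path `requested` maps to under `base`, or None if it escapes.

    Pure string logic (posixpath), so it behaves the same on every platform and
    can be unit-tested without a filesystem.  Decoding happens before the check so
    that "%2e%2e%2f" is judged as "../"; a leading "/" is treated as relative to
    `base`, never as the filesystem root; a NUL byte is rejected outright because
    C-level path handling would silently truncate at it.
    """
    if "\x00" in requested:
        return None
    base = posixpath.normpath(base)
    rel = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, rel))
    inside = candidate == base or candidate.startswith(base.rstrip("/") + "/")
    return candidate if inside else None


def confine_to_root_fs(base: str, requested: str) -> Optional[str]:
    """Same check against the live filesystem.

    realpath() also resolves symlinks, so a link placed inside `base` that points
    outside it is rejected as well, which the purely lexical check cannot see.
    """
    if "\x00" in requested:
        return None
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, unquote(requested).lstrip("/")))
    inside = candidate == real_base or candidate.startswith(real_base.rstrip(os.sep) + os.sep)
    return candidate if inside else None


if __name__ == "__main__":
    # The FTP share-folder setting from the D-Link entry, checked against the
    # USB mount it is meant to stay inside (constructed paths).
    for setting in ("pub", "../../../../", "%2e%2e/%2e%2e/etc", "/etc/passwd"):
        print(repr(setting), "->", confine_to_root("/mnt/usb", setting))
```

Note the prefix comparison appends a separator before comparing: without it, `/srv/ftp-old/x` would pass a check against `/srv/ftp`.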
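The Rust entry (CVE-2022-21658) makes a point worth seeing in code: a check performed by path before the recursive delete does not help, because the filesystem can change between the check and the action, and a symlink swapped in at that moment is followed. The fix is to stop resolving paths altogether and operate relative to file descriptors of directories already opened with `O_NOFOLLOW`. The following is an added example, not the Rust standard library's code; it mirrors that approach in Python on a POSIX platform where `os.open`, `os.unlink` and `os.rmdir` accept `dir_fd` (Linux, macOS), and contrasts it with the check-then-act version. The directory layout in `_build_tree` is constructed for the demonstration.

```python
"""Symlink-safe recursive delete, mirroring the approach of the Rust 1.58.1 fix."""
import errno
import os
import stat
import tempfile
from typing import Dict, Tuple

# Open a directory entry without following symlinks; fails if it is not a directory.
_DIR_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY
# errno values such an open returns for a symlink (ELOOP on Linux/macOS, EMLINK on
# FreeBSD) or for an entry that is not a directory at all.
_NOT_A_REAL_DIR = {errno.ELOOP, errno.EMLINK, errno.ENOTDIR}


def naive_remove_dir_all(path: str) -> None:
    """Check-then-act deletion: the pattern the advisory warns about.

    os.path.isdir() follows symlinks, so a link to a directory outside the tree has
    its CONTENTS deleted.  Putting an islink() check in front does not fix it: the
    check and the recursive call race against an attacker who swaps the entry in between.
    """
    for name in os.listdir(path):
        child = os.path.join(path, name)
        if os.path.isdir(child):
            naive_remove_dir_all(child)
        else:
            os.unlink(child)
    os.rmdir(path)


def _open_dir_nofollow(name: str, dir_fd: int):
    """Open `name` relative to `dir_fd` as a directory; None if it is a symlink or a non-directory."""
    try:
        return os.open(name, _DIR_FLAGS, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno in _NOT_A_REAL_DIR:
            return None
        raise


def _remove_children(dir_fd: int) -> None:
    for name in os.listdir(dir_fd):
        child_fd = _open_dir_nofollow(name, dir_fd)
        if child_fd is None:
            # File, symlink, device...: unlinkat relative to the open parent never
            # follows a symlink, so a link is removed and its target untouched.
            os.unlink(name, dir_fd=dir_fd)
            continue
        try:
            _remove_children(child_fd)
        finally:
            os.close(child_fd)
        # If the entry was swapped for a symlink meanwhile, rmdir fails with ENOTDIR
        # instead of following it: the operation fails closed.
        os.rmdir(name, dir_fd=dir_fd)


def safe_remove_dir_all(path: str) -> None:
    """Delete `path` recursively without ever following a symlink.

    Every open/unlink/rmdir is relative to a descriptor of a directory opened with
    O_NOFOLLOW, so there is no path re-resolution for an attacker to race.  As with
    Rust's remove_dir_all, a symlink at `path` itself is removed, not followed.
    """
    if stat.S_ISLNK(os.lstat(path).st_mode):
        os.unlink(path)
        return
    fd = os.open(path, _DIR_FLAGS)
    try:
        _remove_children(fd)
    finally:
        os.close(fd)
    os.rmdir(path)


def _build_tree(base: str) -> Tuple[str, str]:
    """Constructed layout: base/victim/keep.txt must survive deleting base/target,
    which contains a/b.txt and a symlink escape -> ../victim."""
    victim, target = os.path.join(base, "victim"), os.path.join(base, "target")
    os.makedirs(victim)
    os.makedirs(os.path.join(target, "a"))
    with open(os.path.join(victim, "keep.txt"), "w") as fh:
        fh.write("precious\n")
    with open(os.path.join(target, "a", "b.txt"), "w") as fh:
        fh.write("junk\n")
    os.symlink(os.path.join("..", "victim"), os.path.join(target, "escape"))
    return victim, target


def demo() -> Dict[str, bool]:
    """Run both deleters on identical trees and report whether the victim file survived."""
    results: Dict[str, bool] = {}
    for label, deleter in (("naive", naive_remove_dir_all), ("safe", safe_remove_dir_all)):
        base = tempfile.mkdtemp()
        victim, target = _build_tree(base)
        try:
            deleter(target)
        except OSError:
            pass  # naive aborts on rmdir(symlink) with ENOTDIR, after the damage is done
        results[f"{label}_victim_survived"] = os.path.isfile(os.path.join(victim, "keep.txt"))
        results[f"{label}_target_removed"] = not os.path.lexists(target)
        safe_remove_dir_all(base)  # scratch cleanup
    return results


if __name__ == "__main__":
    print(demo())
```

The demonstration uses a static symlink rather than a timed race, which is enough to show the property that matters: the fd-relative version never follows a link no matter when it appeared, whereas the path-based version follows it and deletes `victim/keep.txt`.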
