Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-35286 | 2022-07-26 | N/A | N/A | ||
| IBM Security Verify Information Queue 10.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 230814. | |||||
| CVE-2022-22412 | 2022-07-26 | N/A | N/A | ||
| IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with access to the local host (client machine) to obtain a login access token. IBM X-Force ID: 223019. | |||||
| CVE-2022-1648 | 2022-07-26 | N/A | N/A | ||
| Pandora FMS v7.0NG.760 and below allows a relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to a Remote Code Execution with running application privilege. | |||||
| CVE-2022-36412 | 2022-07-26 | N/A | N/A | ||
| In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.) | |||||
| CVE-2022-36408 | 2022-07-26 | N/A | N/A | ||
| PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.7 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection and MySQL Smarty cache storage injection, as exploited in the wild in July 2022. | |||||
| CVE-2022-36161 | 2022-07-26 | N/A | N/A | ||
| Orange Station 1.0 was discovered to contain a SQL injection vulnerability via the username parameter. | |||||
| CVE-2022-34989 | 2022-07-26 | N/A | N/A | ||
| Fruits Bazar v1.0 was discovered to contain a SQL injection vulnerability via the recover_email parameter at user_password_recover.php. | |||||
| CVE-2022-34067 | 2022-07-26 | N/A | N/A | ||
| Warehouse Management System v1.0 was discovered to contain a SQL injection vulnerability via the cari parameter. | |||||
| CVE-2022-31879 | 2022-07-26 | N/A | N/A | ||
| Online Fire Reporting System 1.0 is vulnerable to SQL Injection via the date parameter. | |||||
| CVE-2021-33453 | 2022-07-26 | N/A | N/A | ||
| An issue was discovered in lrzip version 0.641. There is a use-after-free in ucompthread() in stream.c:1538. | |||||
| CVE-2021-33452 | 2022-07-26 | N/A | N/A | ||
| An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_malloc() in nasmlib/alloc.c. | |||||
| CVE-2021-33451 | 2022-07-26 | N/A | N/A | ||
| An issue was discovered in lrzip version 0.641. There are memory leaks in fill_buffer() in stream.c. | |||||
| CVE-2021-33450 | 2022-07-26 | N/A | N/A | ||
| An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_calloc() in nasmlib/alloc.c. | |||||
| CVE-2022-2225 | 2022-07-26 | N/A | N/A | ||
| By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as 'Lock WARP switch'. | |||||
| CVE-2021-43959 | 2022-07-26 | N/A | N/A | ||
| Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability in the CSV importing feature of JSM Insight. When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information. The affected versions are before version 4.13.20, from version 4.14.0 before 4.20.8, and from version 4.21.0 before 4.22.2. | |||||
| CVE-2022-33977 | 2022-07-26 | N/A | N/A | ||
| untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service (DoS) condition on the server where the product is running. | |||||
| CVE-2022-31471 | 2022-07-26 | N/A | N/A | ||
| untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files. | |||||
| CVE-2022-30706 | 2022-07-26 | N/A | N/A | ||
| Open redirect vulnerability in Booked versions prior to 3.3 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. | |||||
| CVE-2022-1042 | 2022-07-26 | N/A | N/A | ||
| In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. | |||||
| CVE-2022-1041 | 2022-07-26 | N/A | N/A | ||
| In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. | |||||
| CVE-2020-36290 | 2022-07-26 | N/A | N/A | ||
| The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality. | |||||
| CVE-2022-22686 | 2022-07-26 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to hijack the authentication of administrators via unspecified vectors. | |||||
| CVE-2022-34577 | 2022-07-26 | N/A | N/A | ||
| A vulnerability in adm.cgi of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2022-34576 | 2022-07-26 | N/A | N/A | ||
| A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2022-34575 | 2022-07-26 | N/A | N/A | ||
| An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the key information of the device via accessing fctest.shtml. | |||||
| CVE-2022-35131 | 2022-07-26 | N/A | N/A | ||
| Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles. | |||||
| CVE-2022-34906 | 2022-07-26 | N/A | N/A | ||
| A hard-coded cryptographic key is used in FileWave before 14.6.3 and 14.7.x before 14.7.2. Exploitation could allow an unauthenticated actor to decrypt sensitive information saved in FileWave, and even send crafted requests. | |||||
| CVE-2022-36375 | 2022-07-26 | N/A | N/A | ||
| Authenticated (high role user) WordPress Options Change vulnerability in Biplob Adhikari's Tabs plugin <= 3.6.0 at WordPress. | |||||
| CVE-2022-35873 | 2022-07-26 | N/A | N/A | ||
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of ZIP files. Crafted data in a ZIP file can cause the application to execute arbitrary Python scripts. The user interface fails to provide sufficient indication of the hazard. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16949. | |||||
| CVE-2022-35872 | 2022-07-26 | N/A | N/A | ||
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115. | |||||
| CVE-2022-35871 | 2022-07-26 | N/A | N/A | ||
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within the authenticateAdSso method. The issue results from the lack of authentication prior to allowing the execution of python code. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17206. | |||||
| CVE-2022-35870 | 2022-07-26 | N/A | N/A | ||
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within com.inductiveautomation.metro.impl. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17265. | |||||
| CVE-2022-35869 | 2022-07-26 | N/A | N/A | ||
| This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within com.inductiveautomation.ignition.gateway.web.pages. The issue results from the lack of proper authentication prior to access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17211. | |||||
| CVE-2022-23000 | 2022-07-26 | N/A | N/A | ||
| The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability. | |||||
| CVE-2022-22999 | 2022-07-26 | N/A | N/A | ||
| Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components. | |||||
| CVE-2022-2077 | 2022-07-25 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2022-35287 | 2022-07-25 | N/A | N/A | ||
| IBM Security Verify Information Queue 10.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 230817. | |||||
| CVE-2022-35284 | 2022-07-25 | N/A | N/A | ||
| IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 230811. | |||||
| CVE-2022-34962 | 2022-07-25 | N/A | N/A | ||
| OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Group Timeline module. | |||||
| CVE-2022-33969 | 2022-07-25 | N/A | N/A | ||
| Authenticated WordPress Options Change vulnerability in Biplob Adhikari's Flipbox plugin <= 2.6.0 at WordPress. | |||||
| CVE-2022-2059 | 2022-07-25 | N/A | N/A | ||
| In Pandora FMS v7.0NG.761 and below, in the agent creation section, the alias parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. | |||||
| CVE-2022-2032 | 2022-07-25 | N/A | N/A | ||
| In Pandora FMS v7.0NG.761 and below, in the file manager section, the dirname parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. | |||||
| CVE-2022-24992 | 2022-07-25 | N/A | N/A | ||
| A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal. | |||||
| CVE-2022-34965 | 2022-07-25 | N/A | N/A | ||
| OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain an arbitrary file upload vulnerability via the component /ossn/administrator/com_installer. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-24083 | 2022-07-25 | N/A | N/A | ||
| Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks. | |||||
| CVE-2022-2076 | 2022-07-25 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2022-2131 | 2022-07-25 | N/A | N/A | ||
| OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack. | |||||
| CVE-2022-26307 | 2022-07-25 | N/A | N/A | ||
| LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3. | |||||
| CVE-2022-26306 | 2022-07-25 | N/A | N/A | ||
| LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1. | |||||
| CVE-2022-26305 | 2022-07-25 | N/A | N/A | ||
| An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1. | |||||