Total: 86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2012-6149 | 1 Redhat | 3 Satellite, Satellite 5 Managed Db, Spacewalk-java | 2022-02-25 | 3.5 LOW | N/A | Multiple cross-site scripting (XSS) vulnerabilities in systems/sdc/notes.jsp in Spacewalk and Red Hat Network (RHN) Satellite 5.6 allow remote attackers to inject arbitrary web script or HTML via the (1) subject or (2) content values of a note in a system.addNote XML-RPC call. |
| CVE-2012-1250 | 1 Logitech | 4 Lan-w300n/r, Lan-w300n/rs, Lan-w300n/ru2 and 1 more | 2022-02-25 | 10.0 HIGH | N/A | Logitec LAN-W300N/R routers with firmware before 2.27 do not properly restrict login access, which allows remote attackers to obtain administrative privileges and modify settings via vectors related to PPPoE authentication. |
| CVE-2022-24347 | | | 2022-02-25 | N/A | N/A | JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon. |
| CVE-2022-24346 | | | 2022-02-25 | N/A | N/A | In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible. |
| CVE-2022-24345 | | | 2022-02-25 | N/A | N/A | In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible. |
| CVE-2022-24344 | | | 2022-02-25 | N/A | N/A | JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page. |
| CVE-2022-24343 | | | 2022-02-25 | N/A | N/A | In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions. |
| CVE-2022-24342 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible. |
| CVE-2022-24341 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2.1, editing a user account to change its password didn't terminate sessions of the edited user. |
| CVE-2022-24340 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. |
| CVE-2022-24339 | | | 2022-02-25 | N/A | N/A | JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS. |
| CVE-2022-24338 | | | 2022-02-25 | N/A | N/A | JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS. |
| CVE-2022-24337 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions. |
| CVE-2022-24335 | | | 2022-02-25 | N/A | N/A | JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Time-of-use (TOCTOU) race-condition attack in agent registration via XML-RPC. |
| CVE-2022-24334 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed selection of any private key on the server. |
| CVE-2022-24333 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible. |
| CVE-2022-24332 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2, a logout action didn't remove a Remember Me cookie. |
| CVE-2022-24330 | | | 2022-02-25 | N/A | N/A | In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible. |
| CVE-2022-24328 | | | 2022-02-25 | N/A | N/A | In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS. |
| CVE-2022-24327 | | | 2022-02-25 | N/A | N/A | In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions. |
| CVE-2021-45977 | | | 2022-02-25 | N/A | N/A | JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1. |
| CVE-2022-25374 | | | 2022-02-25 | N/A | N/A | HashiCorp Terraform Enterprise before 202202-1 inserts Sensitive Information into a Log File. |
| CVE-2022-24948 | | | 2022-02-25 | N/A | N/A | A carefully crafted user preferences submission could trigger an XSS vulnerability in Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute JavaScript in the victim's browser and obtain some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later. |
| CVE-2022-24947 | | | 2022-02-25 | N/A | N/A | The Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later. |
| CVE-2022-24612 | | | 2022-02-25 | N/A | N/A | An authenticated user can upload an XML file containing an XSS payload via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS. |
| CVE-2022-24594 | | | 2022-02-25 | N/A | N/A | In waline 1.6.1, an attacker can submit messages using the X-Forwarded-For header to forge any IP address. |
| CVE-2022-25328 | | | 2022-02-25 | N/A | N/A | The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above. |
| CVE-2022-25327 | | | 2022-02-25 | N/A | N/A | The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above. |
| CVE-2022-25326 | | | 2022-02-25 | N/A | N/A | fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable. |
| CVE-2022-0247 | | | 2022-02-25 | N/A | N/A | An issue exists in Fuchsia where VMO data can be modified through access to copy-on-write snapshots. A local attacker could modify objects in the VMO that they do not have permission to. We recommend upgrading past commit d97c05d2301799ed585620a9c5c739d36e7b5d3d or any of the listed versions. |
| CVE-2022-24288 | | | 2022-02-25 | N/A | N/A | In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. |
| CVE-2022-0746 | | | 2022-02-25 | N/A | N/A | Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0. |
| CVE-2021-45229 | | | 2022-02-25 | N/A | N/A | It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below. |
| CVE-2021-34361 | | | 2022-02-25 | N/A | N/A | A cross-site scripting (XSS) vulnerability has been reported to affect QNAP devices running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 (2021/12/30) and later. |
| CVE-2021-34359 | | | 2022-02-25 | N/A | N/A | A cross-site scripting (XSS) vulnerability has been reported to affect QNAP devices running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 (2021/12/30) and later. |
| CVE-2022-23835 | | | 2022-02-25 | N/A | N/A | ** DISPUTED ** The Visual Voice Mail (VVM) application through 2022-02-24 for Android allows persistent access if an attacker temporarily controls an application that has the READ_SMS permission, and reads an IMAP credentialing message that is (by design) not displayed to the victim within the AOSP SMS/MMS messaging application. (Often, the IMAP credentials are usable to listen to voice mail messages sent before the vulnerability was exploited, in addition to new ones.) NOTE: some vendors characterize this as not a "concrete and exploitable risk." |
| CVE-2022-23701 | | | 2022-02-25 | N/A | N/A | A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4). |
| CVE-2021-43745 | | | 2022-02-25 | N/A | N/A | A Denial of Service vulnerability exists in Trilium Notes 0.48.6 in the setupPage function. |
| CVE-2021-39364 | | | 2022-02-25 | N/A | N/A | Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allow command spoofing (for camera control) after ARP cache poisoning has been achieved. |
| CVE-2021-39363 | | | 2022-02-25 | N/A | N/A | Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allow a video replay attack after ARP cache poisoning has been achieved. |
| CVE-2021-29220 | | | 2022-02-25 | N/A | N/A | Multiple buffer overflow security vulnerabilities have been identified in HPE iLO Amplifier Pack version(s): Prior to 2.12. These vulnerabilities could be exploited by a highly privileged user to remotely execute code that could lead to a loss of confidentiality, integrity, and availability. HPE has provided a software update to resolve these vulnerabilities in HPE iLO Amplifier Pack. |
| CVE-2021-29217 | | | 2022-02-25 | N/A | N/A | A remote URL redirection vulnerability was discovered in HPE OneView Global Dashboard version(s): Prior to 2.5. HPE has provided a software update to resolve this vulnerability in HPE OneView Global Dashboard. |
| CVE-2021-29216 | | | 2022-02-25 | N/A | N/A | A remote cross-site scripting vulnerability was discovered in HPE OneView Global Dashboard version(s): Prior to 2.5. HPE has provided a software update to resolve this vulnerability in HPE OneView Global Dashboard. |
| CVE-2021-44665 | | | 2022-02-25 | N/A | N/A | A Directory Traversal vulnerability exists in the Xerte Project Xerte through 3.10.3 when downloading a project file via download.php. |
| CVE-2022-24709 | | | 2022-02-25 | N/A | N/A | @awsui/components-react is the main AWS UI package which contains React components, with TypeScript definitions designed for user interface development. Multiple components in versions before 3.0.367 have been found to not properly neutralize user input and may allow for JavaScript injection. Users are advised to upgrade to version 3.0.367 or later. There are no known workarounds for this issue. |
| CVE-2022-25307 | | | 2022-02-25 | N/A | N/A | The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5. |
| CVE-2022-25306 | | | 2022-02-25 | N/A | N/A | The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5. |
| CVE-2022-25305 | | | 2022-02-25 | N/A | N/A | The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5. |
| CVE-2022-25149 | | | 2022-02-25 | N/A | N/A | The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. |
| CVE-2022-25148 | | | 2022-02-25 | N/A | N/A | The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. |
