Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1142 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Heap buffer overflow in WebUI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific input into DevTools. | |||||
| CVE-2022-1143 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Heap buffer overflow in WebUI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific input into DevTools. | |||||
| CVE-2022-1144 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in WebUI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific input into DevTools. | |||||
| CVE-2022-1145 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 7.5 HIGH |
| Use after free in Extensions in Google Chrome prior to 100.0.4896.60 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific user interaction and profile destruction. | |||||
| CVE-2022-1305 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in storage in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1232 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Type confusion in V8 in Google Chrome prior to 100.0.4896.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1306 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in compositing in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2022-1307 | 1 Google | 2 Android, Chrome | 2022-07-27 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in full screen in Google Chrome on Android prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2020-14836 | 2 Netapp, Oracle | 5 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 2 more | 2022-07-27 | 6.8 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2020-14830 | 2 Netapp, Oracle | 5 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 2 more | 2022-07-27 | 6.8 MEDIUM | 6.5 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2022-27406 | 2 Fedoraproject, Freetype | 2 Fedora, Freetype | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size. | |||||
| CVE-2022-27405 | 2 Fedoraproject, Freetype | 2 Fedora, Freetype | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
| FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request. | |||||
| CVE-2022-1308 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in BFCache in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1311 | 1 Google | 2 Chrome, Chrome Os | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in shell in Google Chrome on ChromeOS prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1310 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in regular expressions in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-2550 | 2022-07-27 | N/A | N/A | ||
| OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. | |||||
| CVE-2022-2549 | 2022-07-27 | N/A | N/A | ||
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV. | |||||
| CVE-2022-35291 | 2022-07-27 | N/A | N/A | ||
| Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application | |||||
| CVE-2022-34551 | 2022-07-27 | N/A | N/A | ||
| Sims v1.0 was discovered to allow path traversal when downloading attachments. | |||||
| CVE-2022-34549 | 2022-07-27 | N/A | N/A | ||
| Sims v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /uploadServlet. This vulnerability allows attackers to escalate privileges and execute arbitrary commands via a crafted file. | |||||
| CVE-2022-33970 | 2022-07-27 | N/A | N/A | ||
| Authenticated WordPress Options Change vulnerability in Biplob018 Shortcode Addons plugin <= 3.1.2 at WordPress. | |||||
| CVE-2022-24405 | 2022-07-27 | N/A | N/A | ||
| OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. | |||||
| CVE-2022-23101 | 2022-07-27 | N/A | N/A | ||
| OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message. | |||||
| CVE-2022-23100 | 2022-07-27 | N/A | N/A | ||
| OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). | |||||
| CVE-2022-23099 | 2022-07-27 | N/A | N/A | ||
| OX App Suite through 7.10.6 allows XSS by forcing block-wise read. | |||||
| CVE-2022-2313 | 2022-07-27 | N/A | N/A | ||
| A DLL hijacking vulnerability in the MA Smart Installer for Windows prior to 5.7.7, which allows local users to execute arbitrary code and obtain higher privileges via careful placement of a malicious DLL into the folder from where the Smart installer is being executed. | |||||
| CVE-2022-27610 | 2022-07-27 | N/A | N/A | ||
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors. | |||||
| CVE-2022-32213 | 2 Llhttp, Nodejs | 2 Llhttp, Node.js | 2022-07-27 | N/A | 9.1 CRITICAL |
| The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). | |||||
| CVE-2022-32215 | 2 Llhttp, Nodejs | 2 Llhttp, Node.js | 2022-07-27 | N/A | 9.1 CRITICAL |
| The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). | |||||
| CVE-2022-32214 | 2 Llhttp, Nodejs | 2 Llhttp, Node.js | 2022-07-27 | N/A | 9.1 CRITICAL |
| The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). | |||||
| CVE-2022-32223 | 2 Microsoft, Nodejs | 2 Windows, Node.js | 2022-07-27 | N/A | 7.3 HIGH |
| Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability. | |||||
| CVE-2018-12089 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 3.5 LOW | 7.5 HIGH |
| In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0. | |||||
| CVE-2018-11320 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. | |||||
| CVE-2017-11348 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2022-07-27 | 6.3 MEDIUM | 5.7 MEDIUM |
| In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. | |||||
| CVE-2022-24692 | 1 Dsk | 1 Dsknet | 2022-07-27 | N/A | 5.4 MEDIUM |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The new menu option within the general Parameters page is vulnerable to stored XSS. The attacker can create a menu option, make it visible to every application user, and conduct session hijacking, account takeover, or malicious code delivery, with the final goal of achieving client-side code execution. | |||||
| CVE-2020-14179 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-07-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1. | |||||
| CVE-2019-20419 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-07-27 | 4.4 MEDIUM | 7.8 HIGH |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat. The affected versions are before version 8.5.5, and from version 8.6.0 before 8.7.2. | |||||
| CVE-2022-31160 | 1 Jqueryui | 1 Jquery Ui | 2022-07-27 | N/A | 6.1 MEDIUM |
| jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`. | |||||
| CVE-2021-43940 | 2 Atlassian, Microsoft | 3 Confluence Data Center, Confluence Server, Windows | 2022-07-27 | 6.9 MEDIUM | 7.8 HIGH |
| Affected versions of Atlassian Confluence Server and Data Center allow authenticated local attackers to achieve elevated privileges on the local system via a DLL Hijacking vulnerability in the Confluence installer. This vulnerability only affects installations of Confluence Server and Data Center on Windows. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | |||||
| CVE-2020-14175 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2. | |||||
| CVE-2018-20239 | 1 Atlassian | 8 Application Links, Confluence Data Center, Confluence Server and 5 more | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3, Fisheye before version 4.7.0, Jira before version 7.13.3 and 8.x before 8.1.0. | |||||
| CVE-2022-1096 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||||
| CVE-2022-1125 | 1 Google | 1 Chrome | 2022-07-27 | N/A | 8.8 HIGH |
| Use after free in Portals in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via user interaction. | |||||
| CVE-2021-21341 | 4 Debian, Fedoraproject, Oracle and 1 more | 10 Debian Linux, Fedora, Banking Enterprise Default Management and 7 more | 2022-07-27 | 7.1 HIGH | 7.5 HIGH |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2018-20237 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. | |||||
| CVE-2020-29444 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 3.5 LOW | 5.4 MEDIUM |
| Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters. | |||||
| CVE-2021-26072 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WidgetConnector plugin in Confluence Server and Confluence Data Center before version 5.8.6 allowed remote attackers to manipulate the content of internal network resources via a blind Server-Side Request Forgery (SSRF) vulnerability. | |||||
| CVE-2020-29448 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | |||||
| CVE-2020-29450 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2022-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the avatar upload feature. The affected versions are before version 7.2.0. | |||||
| CVE-2022-27404 | 2 Fedoraproject, Freetype | 2 Fedora, Freetype | 2022-07-27 | 7.5 HIGH | 9.8 CRITICAL |
| FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face. | |||||