Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31801 | 2 Phoenixcontact, Phoenixcontact-software | 3 Multiprog, Proconos, Proconos Eclr | 2022-06-28 | 10.0 HIGH | 9.8 CRITICAL |
| An unauthenticated, remote attacker could upload malicious logic to the devices based on ProConOS/ProConOS eCLR in order to gain full control over the device. | |||||
| CVE-2022-1630 | 1 Wp-email Project | 1 Wp-email | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP-EMail WordPress plugin before 2.69.0 does not protect its log deletion functionality with nonce checks, allowing attacker to make a logged in admin delete logs via a CSRF attack | |||||
| CVE-2022-31277 | 1 Mi | 2 Xiaomi Lamp 1, Xiaomi Lamp 1 Firmware | 2022-06-28 | 5.8 MEDIUM | 8.8 HIGH |
| Xiaomi Lamp 1 v2.0.4_0066 was discovered to be vulnerable to replay attacks. This allows attackers to to bypass the expected access restrictions and gain control of the switch and other functions via a crafted POST request. | |||||
| CVE-2020-25459 | 1 Webank | 1 Federated Ai Technology Enabler | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in function sync_tree in hetero_decision_tree_guest.py in WeBank FATE (Federated AI Technology Enabler) 0.1 through 1.4.2 allows attackers to read sensitive information during the training process of machine learning joint modeling. | |||||
| CVE-2022-31800 | 1 Phoenixcontact | 34 Axc 1050, Axc 1050 Firmware, Axc 1050 Xc and 31 more | 2022-06-28 | 10.0 HIGH | 9.8 CRITICAL |
| An unauthenticated, remote attacker could upload malicious logic to devices based on ProConOS/ProConOS eCLR in order to gain full control over the device. | |||||
| CVE-2022-1905 | 1 E-dynamics | 1 Events Made Easy | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection | |||||
| CVE-2022-1896 | 1 Underconstruction Project | 1 Underconstruction | 2022-06-28 | 3.5 LOW | 4.8 MEDIUM |
| The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed. | |||||
| CVE-2022-1895 | 1 Underconstruction Project | 1 Underconstruction | 2022-06-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack | |||||
| CVE-2022-1889 | 1 Thenewsletterplugin | 1 Newsletter | 2022-06-28 | 3.5 LOW | 4.8 MEDIUM |
| The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed | |||||
| CVE-2022-1832 | 1 Capa Protect Project | 1 Capa Protect | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The CaPa Protect WordPress plugin through 0.5.8.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable the applied protection. | |||||
| CVE-2022-1831 | 1 Wplite Project | 1 Wplite | 2022-06-28 | 3.5 LOW | 6.5 MEDIUM |
| The WPlite WordPress plugin through 1.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-31295 | 1 Online Discussion Forum Site Project | 1 Online Discussion Forum Site | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue in the delete_post() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily delete posts. | |||||
| CVE-2022-1830 | 1 Amazon Einzeltitellinks Project | 1 Amazon Einzeltitellinks | 2022-06-28 | 3.5 LOW | 6.5 MEDIUM |
| The Amazon Einzeltitellinks WordPress plugin through 1.3.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping | |||||
| CVE-2022-1829 | 1 Inline Google Maps Project | 1 Inline Google Maps | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Inline Google Maps WordPress plugin through 5.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping | |||||
| CVE-2022-1828 | 1 Pdf24 Articles To Pdf Project | 1 Pdf24 Articles To Pdf | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The PDF24 Articles To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1827 | 1 Pdf24 Articles To Pdf Project | 1 Pdf24 Articles To Pdf | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| The PDF24 Article To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-31372 | 1 Wiris | 1 Mathtype | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| Wiris Mathtype v7.28.0 was discovered to contain a path traversal vulnerability in the resourceFile parameter. This vulnerability is exploited via a crafted request to the resource handler. | |||||
| CVE-2022-23071 | 1 Tandoor | 1 Recipes | 2022-06-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information. | |||||
| CVE-2022-2130 | 1 Microweber | 1 Microweber | 2022-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17. | |||||
| CVE-2022-34000 | 1 Libjxl Project | 1 Libjxl | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| libjxl 0.6.1 has an assertion failure in LowMemoryRenderPipeline::Init() in render_pipeline/low_memory_render_pipeline.cc. | |||||
| CVE-2019-12359 | 1 Zzcms | 1 Zzcms | 2022-06-28 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter. | |||||
| CVE-2019-12358 | 1 Zzcms | 1 Zzcms | 2022-06-28 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendsms.php (when the attacker has dls_print authority) via a dlid cookie. | |||||
| CVE-2022-33987 | 1 Got Project | 1 Got | 2022-06-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. | |||||
| CVE-2019-12357 | 1 Zzcms | 1 Zzcms | 2022-06-28 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter. | |||||
| CVE-2019-12355 | 1 Zzcms | 1 Zzcms | 2022-06-28 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_print.php (when the attacker has dls_print authority) via the id parameter. | |||||
| CVE-2021-46822 | 1 Libjpeg-turbo | 1 Libjpeg-turbo | 2022-06-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c. | |||||
| CVE-2022-21503 | 1 Oracle | 1 Cloud Infrastructure | 2022-06-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| Vulnerability in the Oracle Cloud Infrastructure product of Oracle Cloud Services. Easily exploitable vulnerability allows high privileged attacker with network access to compromise Oracle Cloud Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to Oracle Cloud Infrastructure accessible data. All affected customers were notified of CVE-2022-21503 by Oracle. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) | |||||
| CVE-2019-12356 | 1 Zzcms | 1 Zzcms | 2022-06-28 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_download.php (when the attacker has dls_download authority) via the id parameter. | |||||
| CVE-2019-12354 | 1 Zzcms | 1 Zzcms | 2022-06-28 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter. | |||||
| CVE-2022-31875 | 1 Trendnet | 2 Tv-ip110wn, Tv-ip110wn Firmware | 2022-06-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Trendnet IP-110wn camera fw_tv-ip110wn_v2(1.2.2.68) has an xss vulnerability via the proname parameter in /admin/scheprofile.cgi | |||||
| CVE-2019-12353 | 1 Zzcms | 1 Zzcms | 2022-06-28 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter. | |||||
| CVE-2022-31874 | 1 Asus | 2 Rt-n53, Rt-n53 Firmware | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| ASUS RT-N53 3.0.0.4.376.3754 has a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface. | |||||
| CVE-2022-25872 | 1 Fast String Search Project | 1 Fast String Search | 2022-06-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| All versions of package fast-string-search are vulnerable to Out-of-bounds Read due to incorrect memory freeing and length calculation for any non-string input as the source. This allows the attacker to read previously allocated memory. | |||||
| CVE-2022-25871 | 1 Querymen Project | 1 Querymen | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867). | |||||
| CVE-2022-33750 | 1 Broadcom | 1 Ca Automic Automation | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| CA Automic Automation 12.2 and 12.3 contain an authentication error vulnerability in the Automic agent that could allow a remote attacker to potentially execute arbitrary commands. | |||||
| CVE-2022-33739 | 1 Broadcom | 1 Ca Clarity | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| CA Clarity 15.8 and below and 15.9.0 contain an insecure XML parsing vulnerability that could allow a remote attacker to potentially view the contents of any file on the system. | |||||
| CVE-2022-32276 | 1 Grafana | 1 Grafana | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability. | |||||
| CVE-2022-24436 | 1 Intel | 1 * | 2022-06-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2022-25852 | 2 Libpq Project, Pg-native Project | 2 Libpq, Pg-native | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. **Note:** pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq. | |||||
| CVE-2022-21213 | 1 Moutjs | 1 Mout | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544). | |||||
| CVE-2022-29496 | 1 Blynk | 1 Blynk-library | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| A stack-based buffer overflow vulnerability exists in the BlynkConsole.h runCommand functionality of Blynk -Library v1.0.1. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability. | |||||
| CVE-2022-33912 | 1 Tribe29 | 1 Checkmk | 2022-06-28 | 7.2 HIGH | 7.8 HIGH |
| A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected. | |||||
| CVE-2022-21806 | 1 Anker | 2 Eufy Homebase 2, Eufy Homebase 2 Firmware | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted set of network packets can lead to remote code execution. The device is exposed to attacks from the network. | |||||
| CVE-2022-2134 | 1 Inventree Project | 1 Inventree | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| Denial of Service in GitHub repository inventree/inventree prior to 0.8.0. | |||||
| CVE-2017-20056 | 1 Intechnosoftware | 1 User Login Log | 2022-06-28 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in weblizar User Login Log Plugin 2.2.1. It has been classified as problematic. Affected is an unknown function. The manipulation leads to basic cross site scripting (Stored). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20055 | 1 Bestwebsoft | 1 Contact Form | 2022-06-28 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in BestWebSoft Contact Form Plugin 4.0.0. This affects an unknown part. The manipulation leads to basic cross site scripting (Stored). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.0.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2022-31246 | 2 Electrum, Microsoft | 2 Electrum, Windows | 2022-06-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename. | |||||
| CVE-2021-41402 | 1 Flatcore | 1 Flatcore-cms | 2022-06-28 | 6.5 MEDIUM | 8.8 HIGH |
| flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code. | |||||
| CVE-2021-41411 | 1 Redhat | 1 Drools | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability. | |||||
| CVE-2017-20053 | 1 Xyzscripts | 1 Contact Form Manager | 2022-06-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in XYZScripts Contact Form Manager Plugin. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||