Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8661 | 2 Cncf, Redhat | 2 Envoy, Openshift Service Mesh | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| CNCF Envoy through 1.13.0 may consume excessive amounts of memory when responding internally to pipelined requests. | |||||
| CVE-2020-8095 | 1 Bitdefender | 1 Total Security 2020 | 2022-05-24 | 4.9 MEDIUM | 5.5 MEDIUM |
| A vulnerability in the improper handling of junctions before deletion in Bitdefender Total Security 2020 can allow an attacker to to trigger a denial of service on the affected device. | |||||
| CVE-2022-1393 | 1 Wp Subtitle Project | 1 Wp Subtitle | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle field and provides a shortcode to display it via [wp_subtitle]. The subtitle is stored as a custom post meta with the key: "wps_subtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from the post meta update button (via AJAX) - and this makes the XSS exploitable by authenticated users with a role as low as contributor. | |||||
| CVE-2022-1398 | 1 External Media Without Import Project | 1 External Media Without Import | 2022-05-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and does to ensure that medias added via URLs are external medias, which could allow any authenticated users, such as subscriber to perform blind SSRF attacks | |||||
| CVE-2021-0089 | 3 Debian, Fedoraproject, Intel | 12 Debian Linux, Fedora, Celeron Processors and 9 more | 2022-05-24 | 2.1 LOW | 6.5 MEDIUM |
| Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. | |||||
| CVE-2020-8156 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Mail | 2022-05-24 | 6.8 MEDIUM | 7.0 HIGH |
| A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack. | |||||
| CVE-2020-8153 | 2 Fedoraproject, Nextcloud | 2 Fedora, Group Folders | 2022-05-24 | 5.5 MEDIUM | 8.1 HIGH |
| Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name. | |||||
| CVE-2022-28930 | 1 Erp-pro Project | 1 Erp-pro | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| ERP-Pro v3.7.5 was discovered to contain a SQL injection vulnerability via the component /base/SysEveMenuAuthPointMapper.xml.. | |||||
| CVE-2020-8196 | 1 Citrix | 11 4000-wo, 4100-wo, 5000-wo and 8 more | 2022-05-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. | |||||
| CVE-2021-42171 | 1 Tribalsystems | 1 Zenario | 2022-05-24 | 6.5 MEDIUM | 7.2 HIGH |
| Zenario CMS 9.0.54156 is vulnerable to File Upload. The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth. | |||||
| CVE-2019-14844 | 2 Fedoraproject, Mit | 2 Fedora, Kerberos 5 | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including 1.17.x, in the way a Kerberos client could crash the KDC by sending one of the RFC 4556 "enctypes". A remote unauthenticated user could use this flaw to crash the KDC. | |||||
| CVE-2021-4184 | 4 Debian, Fedoraproject, Oracle and 1 more | 5 Debian Linux, Fedora, Http Server and 2 more | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | |||||
| CVE-2021-4185 | 4 Debian, Fedoraproject, Oracle and 1 more | 5 Debian Linux, Fedora, Http Server and 2 more | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | |||||
| CVE-2020-9467 | 1 Piwigo | 1 Piwigo | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function. | |||||
| CVE-2020-9440 | 3 Ckeditor, Fedoraproject, Webspellchecker | 3 Ckeditor, Fedora, Webspellchecker | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the WSC plugin through 5.5.7.5 for CKEditor 4 allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor. | |||||
| CVE-2022-30049 | 1 Getrebuild | 1 Rebuild | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| A Server-Side Request Forgery (SSRF) in Rebuild v2.8.3 allows attackers to obtain the real IP address and scan Intranet information via the fileurl parameter. | |||||
| CVE-2020-8778 | 1 Alfresco | 1 Alfresco | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project. | |||||
| CVE-2020-8776 | 1 Alfresco | 1 Alfresco | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file. | |||||
| CVE-2020-8777 | 1 Alfresco | 1 Alfresco | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document. | |||||
| CVE-2022-29354 | 1 Keystonejs | 1 Keystone | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2020-8224 | 1 Nextcloud | 1 Nextcloud | 2022-05-24 | 4.6 MEDIUM | 7.8 HIGH |
| A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory. | |||||
| CVE-2022-29353 | 1 Graphql-upload Project | 1 Graphql-upload | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename. | |||||
| CVE-2020-8244 | 2 Bufferlist Project, Debian | 2 Bufferlist, Debian Linux | 2022-05-24 | 6.4 MEDIUM | 6.5 MEDIUM |
| A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls. | |||||
| CVE-2022-28936 | 1 Fisco-bcos | 1 Fisco-bcos | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| FISCO-BCOS release-3.0.0-rc2 was discovered to contain an issue where a malicious node can trigger an integer overflow and cause a Denial of Service (DoS) via an unusually large viewchange message packet. | |||||
| CVE-2020-8201 | 3 Fedoraproject, Nodejs, Opensuse | 3 Fedora, Node.js, Leap | 2022-05-24 | 5.8 MEDIUM | 7.4 HIGH |
| Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names. | |||||
| CVE-2022-29351 | 1 Tiddlywiki | 1 Tiddlywiki5 | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. | |||||
| CVE-2022-30708 | 1 Webmin | 1 Webmin | 2022-05-24 | 6.5 MEDIUM | 8.8 HIGH |
| Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter. | |||||
| CVE-2022-29017 | 1 Axiosys | 1 Bento4 | 2022-05-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| Bento4 v1.6.0.0 was discovered to contain a segmentation fault via the component /x86_64/multiarch/strlen-avx2.S. | |||||
| CVE-2020-8252 | 3 Fedoraproject, Nodejs, Opensuse | 3 Fedora, Node.js, Leap | 2022-05-24 | 4.6 MEDIUM | 7.8 HIGH |
| The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. | |||||
| CVE-2020-8150 | 1 Nextcloud | 1 Nextcloud Server | 2022-05-24 | 1.9 LOW | 4.1 MEDIUM |
| A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files. | |||||
| CVE-2021-42870 | 1 Accel-ppp | 1 Accel-ppp | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when processing a call_clear_request. | |||||
| CVE-2020-8152 | 1 Nextcloud | 1 Nextcloud | 2022-05-24 | 2.1 LOW | 4.4 MEDIUM |
| Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on. | |||||
| CVE-2022-30012 | 1 Hospital Management System Project | 1 Hospital Management System | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| In the POST request of the appointment.php page of HMS v.0, there are SQL injection vulnerabilities in multiple parameters, and database information can be obtained through injection. | |||||
| CVE-2020-8233 | 2 Opensuse, Ui | 14 Backports Sle, Leap, Edgeswitch Firmware and 11 more | 2022-05-24 | 9.0 HIGH | 8.8 HIGH |
| A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. | |||||
| CVE-2020-22983 | 1 Microstrategy | 1 Microstrategy Web | 2022-05-24 | 5.8 MEDIUM | 8.1 HIGH |
| A Server-Side Request Forgery (SSRF) vulnerability exists in MicroStrategy Web SDK 11.1 and earlier, allows remote unauthenticated attackers to conduct a server-side request forgery (SSRF) attack via the srcURL parameter to the shortURL task. | |||||
| CVE-2021-42967 | 1 Novel-plus Project | 1 Novel-plus | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows allows an attacker to upload malicious JSP files. | |||||
| CVE-2020-8251 | 2 Fedoraproject, Nodejs | 2 Fedora, Node.js | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections. | |||||
| CVE-2022-24831 | 1 Openclinica | 1 Openclinica | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| OpenClinica is an open source software for Electronic Data Capture (EDC) and Clinical Data Management (CDM). Versions prior to 3.16.1 are vulnerable to SQL injection due to the use of string concatenation to create SQL queries instead of prepared statements. No known workarounds exist. This issue has been patched in 3.16.1, 3.15.9, 3.14.1, and 3.13.1 and users are advised to upgrade. | |||||
| CVE-2020-8227 | 1 Nextcloud | 1 Nextcloud | 2022-05-24 | 7.1 HIGH | 6.8 MEDIUM |
| Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory. | |||||
| CVE-2020-8189 | 1 Nextcloud | 1 Nextcloud | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt. | |||||
| CVE-2022-24830 | 1 Openclinica | 1 Openclinica | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| OpenClinica is an open source software for Electronic Data Capture (EDC) and Clinical Data Management (CDM). OpenClinica prior to version 3.16 is vulnerable to path traversal in multiple endpoints, leading to arbitrary file read/write, and potential remote code execution. There are no known workarounds. This issue has been patched and users are recommended to upgrade. | |||||
| CVE-2020-8165 | 3 Debian, Opensuse, Rubyonrails | 3 Debian Linux, Leap, Rails | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE. | |||||
| CVE-2020-8164 | 3 Debian, Opensuse, Rubyonrails | 4 Debian Linux, Backports Sle, Leap and 1 more | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. | |||||
| CVE-2022-27134 | 1 B1 | 1 Eosio Batdappboomx | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| EOSIO batdappboomx v327c04cf has an Access-control vulnerability in the `transfer` function of the smart contract which allows remote attackers to win the cryptocurrency without paying ticket fee via the `std::string memo` parameter. | |||||
| CVE-2022-22281 | 1 Sonicwall | 1 Netextender | 2022-05-24 | 7.2 HIGH | 7.8 HIGH |
| A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system. | |||||
| CVE-2022-1089 | 1 Wpsheeteditor | 1 Bulk Edit And Create User Profiles - Wp Sheet Editor | 2022-05-24 | 3.5 LOW | 4.8 MEDIUM |
| The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2020-8162 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | |||||
| CVE-2020-8163 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails | 2022-05-24 | 6.5 MEDIUM | 8.8 HIGH |
| The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. | |||||
| CVE-2021-33135 | 1 Intel | 1 Software Guard Extensions | 2022-05-24 | 2.1 LOW | 5.5 MEDIUM |
| Uncontrolled resource consumption in the Linux kernel drivers for Intel(R) SGX may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2022-1407 | 1 Vikwp | 1 Hotel Booking Engine \& Pms | 2022-05-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes. As a result, attackers could make a logged in admin add tracking campaign with XSS payloads in them via a CSRF attack | |||||