Total
173 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28978 | 1 Juniper | 1 Junos Os Evolved | 2024-11-21 | N/A | 5.3 MEDIUM |
| An Insecure Default Initialization of Resource vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network based attacker to read certain confidential information. In the default configuration it is possible to read confidential information about locally configured (administrative) users of the affected system. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S7-EVO on pending commit???; 21.1-EVO versions prior to 21.1R3-S4-EVO on awaiting build; 21.4-EVO versions prior to 21.4R3-S1-EVO; 22.2-EVO versions prior to 22.2R3-EVO; 21.2-EVO versions prior to 21.2R3-S5-EVO on pending commit???; 21.3-EVO version 21.3R1-EVO and later versions; 22.1-EVO version 22.1R1-EVO and later versions; 22.2-EVO versions prior to 22.2R2-S1-EVO. | |||||
| CVE-2023-27524 | 1 Apache | 1 Superset | 2024-11-21 | N/A | 8.9 HIGH |
| Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable. | |||||
| CVE-2023-27516 | 1 Softether | 1 Vpn | 2024-11-21 | N/A | 7.3 HIGH |
| An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. A specially crafted network packet can lead to unauthorized access. An attacker can send a network request to trigger this vulnerability. | |||||
| CVE-2023-1618 | 1 Mitsubishielectric | 2 Melsec Ws0-geth00200, Melsec Ws0-geth00200 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| Active Debug Code vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 Serial number 2310 **** and prior allows a remote unauthenticated attacker to bypass authentication and illegally log into the affected module by connecting to it via telnet which is hidden function and is enabled by default when shipped from the factory. As a result, a remote attacker with unauthorized login can reset the module, and if certain conditions are met, he/she can disclose or tamper with the module's configuration or rewrite the firmware. | |||||
| CVE-2022-4224 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2024-11-21 | N/A | 8.8 HIGH |
| In multiple products of CODESYS v3 in multiple versions a remote low privileged user could utilize this vulnerability to read and modify system files and OS resources or DoS the device. | |||||
| CVE-2022-48432 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | N/A | 5.2 MEDIUM |
| In JetBrains IntelliJ IDEA before 2023.1 the bundled version of Chromium wasn't sandboxed. | |||||
| CVE-2022-48342 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | N/A | 5.2 MEDIUM |
| In JetBrains TeamCity before 2022.10.2 jVMTI was enabled by default on agents. | |||||
| CVE-2022-47196 | 1 Ghost | 1 Ghost | 2024-11-21 | N/A | 5.4 MEDIUM |
| An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post. | |||||
| CVE-2022-47194 | 1 Ghost | 1 Ghost | 2024-11-21 | N/A | 5.4 MEDIUM |
| An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user. | |||||
| CVE-2022-46831 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | N/A | 6.6 MEDIUM |
| In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to TeamCity system administrators. | |||||
| CVE-2022-42467 | 1 Apache | 1 Isis | 2024-11-21 | N/A | 5.3 MEDIUM |
| When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of 2.0.0-M8, this can now be done using the 'isis.prototyping.h2-console.web-allow-remote-access' configuration property; the web console will be unavailable without setting this configuration. As an additional safeguard, the new 'isis.prototyping.h2-console.generate-random-web-admin-password' configuration parameter (enabled by default) requires that the administrator use a randomly generated password to use the console. The password is printed to the log, as "webAdminPass: xxx" (where "xxx") is the password. To revert to the original behaviour, the administrator would therefore need to set these configuration parameter: isis.prototyping.h2-console.web-allow-remote-access=true isis.prototyping.h2-console.generate-random-web-admin-password=false Note also that the h2 webconsole is never available in production mode, so these safeguards are only to ensure that the webconsole is secured by default also in prototype mode. | |||||
| CVE-2022-40468 | 1 Tinyproxy Project | 1 Tinyproxy | 2024-11-21 | N/A | 7.5 HIGH |
| Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Tinyproxy commit 84f203f and earlier use uninitialized buffers in process_request() function. | |||||
| CVE-2022-3262 | 1 Redhat | 1 Openshift | 2024-11-21 | N/A | 8.1 HIGH |
| A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability. | |||||
| CVE-2022-38745 | 1 Apache | 1 Openoffice | 2024-11-21 | N/A | 7.8 HIGH |
| Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. | |||||
| CVE-2022-36349 | 1 Intel | 4 Nuc Board Nuc5i3mybe, Nuc Board Nuc5i3mybe Firmware, Nuc Kit Nuc5i3myhe and 1 more | 2024-11-21 | N/A | 5.2 MEDIUM |
| Insecure default variable initialization in BIOS firmware for some Intel(R) NUC Boards and Intel(R) NUC Kits before version MYi30060 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2022-32480 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | N/A | 4.3 MEDIUM |
| Dell PowerScale OneFS, versions 9.0.0, up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an insecure default initialization of a resource vulnerability. A remote authenticated attacker may potentially exploit this vulnerability, leading to information disclosure. | |||||
| CVE-2022-31806 | 1 Codesys | 2 Plcwinnt, Runtime Toolkit | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller. | |||||
| CVE-2022-2196 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2024-11-21 | N/A | 5.8 MEDIUM |
| A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a | |||||
| CVE-2022-25568 | 1 Motioneye Project | 1 Motioneye | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured. | |||||
| CVE-2022-24706 | 1 Apache | 1 Couchdb | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations. | |||||