Total: 28988 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-40808 | 1 Democritus Dates Project | 1 Democritus Dates | 2024-02-28 | N/A | 9.8 CRITICAL | The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0.
CVE-2022-36387 | 1 About-me Project | 1 About-me | 2024-02-28 | N/A | 9.8 CRITICAL | Broken Access Control vulnerability in Alessio Caiazza's About Me plugin <= 1.0.12 at WordPress.
CVE-2022-2622 | 3 Fedoraproject, Google, Microsoft | 3 Fedora, Chrome, Windows | 2024-02-28 | N/A | 6.5 MEDIUM | Insufficient validation of untrusted input in Safe Browsing in Google Chrome on Windows prior to 104.0.5112.79 allowed a remote attacker to bypass download restrictions via a crafted file.
CVE-2022-3443 | 1 Google | 1 Chrome | 2024-02-28 | N/A | 4.3 MEDIUM | Insufficient data validation in File System API in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to bypass File System restrictions via a crafted HTML page. (Chromium security severity: Low)
CVE-2022-2493 | 1 Open-emr | 1 Openemr | 2024-02-28 | N/A | 8.1 HIGH | Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
CVE-2022-38986 | 1 Huawei | 2 Emui, Harmonyos | 2024-02-28 | N/A | 9.1 CRITICAL | The HIPP module has a vulnerability of bypassing the check of the data transferred in the kernel space. Successful exploitation of this vulnerability may cause out-of-bounds access to the HIPP module and page table tampering, affecting device confidentiality and availability.
CVE-2022-36537 | 1 Zkoss | 1 Zk Framework | 2024-02-28 | N/A | 7.5 HIGH | ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
CVE-2022-36601 | 1 Jinglemining | 2 Jasminer X4 Server, Jasminer X4 Server Firmware | 2024-02-28 | N/A | 9.8 CRITICAL | The Eclipse TCF debug interface in JasMiner-X4-Server-20220621-090907 and below is open on port 1534. This issue allows unauthenticated attackers to gain root privileges on the affected device and access sensitive data or execute arbitrary commands.
CVE-2022-39254 | 1 Matrix-nio Project | 1 Matrix-nio | 2024-02-28 | N/A | 6.5 MEDIUM | matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a user requests a room key from their devices, the software correctly remembers the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue.
CVE-2022-24083 | 1 Pega | 1 Infinity | 2024-02-28 | N/A | 9.8 CRITICAL | Password authentication bypass vulnerability for local accounts can be used to bypass local authentication checks.
CVE-2022-35522 | 1 Wavlink | 10 Wn530h4, Wn530h4 Firmware, Wn531p3 and 7 more | 2024-02-28 | N/A | 9.8 CRITICAL | WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: ppp_username, ppp_passwd, rwan_gateway, rwan_mask and rwan_ip, which leads to command injection in page /wan.shtml.
CVE-2022-26308 | 1 Pandorafms | 1 Pandora Fms | 2024-02-28 | N/A | 5.4 MEDIUM | Pandora FMS v7.0NG.760 and below allows improper access control in Configuration (Credential store), where a user with the role of Operator (Write) could create, delete and view existing keys, which is outside the intended role.
CVE-2022-39883 | 1 Google | 1 Android | 2024-02-28 | N/A | 7.8 HIGH | Improper authorization vulnerability in StorageManagerService prior to SMR Nov-2022 Release 1 allows a local attacker to call a privileged API.
CVE-2022-40424 | 1 Democritus Urls Project | 1 Democritus Urls | 2024-02-28 | N/A | 9.8 CRITICAL | The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package. The affected version of d8s-urls is 0.1.0.
CVE-2022-39243 | 2 Linux, Nuprocess Project | 2 Linux Kernel, Nuprocess | 2024-02-28 | N/A | 9.8 CRITICAL | NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start; NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.
CVE-2022-43364 | 1 Ip-com | 2 Ew9, Ew9 Firmware | 2024-02-28 | N/A | 7.5 HIGH | An access control issue in the password reset page of IP-COM EW9 V15.11.0.14(9732) allows unauthenticated attackers to arbitrarily change the admin password.
CVE-2022-31177 | 1 Flask-appbuilder Project | 1 Flask-appbuilder | 2024-02-28 | N/A | 2.7 LOW | Flask-AppBuilder is an application development framework built on top of the Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed password strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-32228 | 1 Rocket.chat | 1 Rocket.chat | 2024-02-28 | N/A | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.
CVE-2022-33173 | 1 Couchbase | 1 Couchbase Server | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to a non-TLS connection to determine the TLS port number, using SCRAM-SHA instead.
CVE-2022-40429 | 1 D8s-ip-addresses Project | 1 D8s-ip-addresses | 2024-02-28 | N/A | 9.8 CRITICAL | The d8s-ip-addresses for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package. The affected version is 0.1.0.