Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-20
Total 9170 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-39353 2 Debian, Xmldom Project 2 Debian Linux, Xmldom 2023-03-01 N/A 9.8 CRITICAL
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
CVE-2014-0048 2 Apache, Docker 2 Geode, Docker 2023-02-28 7.5 HIGH 9.8 CRITICAL
An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways.
CVE-2017-1002157 1 Redhat 1 Modulemd 2023-02-28 7.5 HIGH 9.8 CRITICAL
modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.
CVE-2017-1002153 1 Koji Project 1 Koji 2023-02-28 5.0 MEDIUM 7.5 HIGH
Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.
CVE-2022-26582 1 Paxtechnology 2 A930, Paydroid 2023-02-28 N/A 7.8 HIGH
The systool_server in PAX Technology A930 PayDroid 7.1.1 Virgo V04.4.02 20211201 fails to check for dollar signs or backticks in user supplied commands, leading to to arbitrary command execution as root.
CVE-2018-3634 1 Intel 1 Online Connect Access 2023-02-28 4.9 MEDIUM 5.5 MEDIUM
Parameter corruption in NDIS filter driver in Intel Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access.
CVE-2018-3719 1 Mixin-deep Project 1 Mixin-deep 2023-02-28 6.5 MEDIUM 8.8 HIGH
mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
CVE-2020-12388 2 Microsoft, Mozilla 3 Windows, Firefox, Firefox Esr 2023-02-28 7.5 HIGH 10.0 CRITICAL
The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8 and Firefox < 76.
CVE-2023-24329 1 Python 1 Python 2023-02-27 N/A 7.5 HIGH
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE-2022-33964 1 Intel 1 System Usage Report 2023-02-27 N/A 9.8 CRITICAL
Improper input validation in the Intel(R) SUR software before version 2.4.8902 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
CVE-2022-33190 1 Intel 1 System Usage Report 2023-02-27 N/A 7.8 HIGH
Improper input validation in the Intel(R) SUR software before version 2.4.8902 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-3411 1 Gitlab 1 Gitlab 2023-02-27 N/A 6.5 MEDIUM
A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
CVE-2018-20846 1 Uclouvain 1 Openjpeg 2023-02-27 4.3 MEDIUM 6.5 MEDIUM
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).
CVE-2022-43929 5 Hp, Ibm, Linux and 2 more 6 Hp-ux, Aix, Db2 and 3 more 2023-02-24 N/A 7.5 HIGH
IBM Db2 for Linux, UNIX and Windows 11.1 and 11.5 may be vulnerable to a Denial of Service when executing a specially crafted 'Load' command. IBM X-Force ID: 241676.
CVE-2023-22239 3 Adobe, Apple, Microsoft 3 After Effects, Macos, Windows 2023-02-24 N/A 7.8 HIGH
After Affects versions 23.1 (and earlier), 22.6.3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2023-22228 3 Adobe, Apple, Microsoft 3 Bridge, Macos, Windows 2023-02-24 N/A 7.8 HIGH
Adobe Bridge versions 12.0.3 (and earlier) and 13.0.1 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2023-21574 3 Adobe, Apple, Microsoft 3 Photoshop, Macos, Windows 2023-02-24 N/A 7.8 HIGH
Photoshop version 23.5.3 (and earlier), 24.1 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2018-14619 1 Linux 1 Linux Kernel 2023-02-24 7.2 HIGH 7.8 HIGH
A flaw was found in the crypto subsystem of the Linux kernel before version kernel-4.15-rc4. The "null skcipher" was being dropped when each af_alg_ctx was freed instead of when the aead_tfm was freed. This can cause the null skcipher to be freed while it is still in use leading to a local user being able to crash the system or possibly escalate privileges.
CVE-2022-27892 1 Palantir 1 Gotham 2023-02-24 N/A 7.5 HIGH
Palantir Gotham versions prior to 3.22.11.2 included an unauthenticated endpoint that would have allowed an attacker to exhaust the memory of the Gotham dispatch service.
CVE-2022-27897 1 Palantir 1 Gotham 2023-02-24 N/A 7.5 HIGH
Palantir Gotham versions prior to 3.22.11.2 included an unauthenticated endpoint that would load portions of maliciously crafted zip files to memory. An attacker could repeatedly upload a malicious zip file, which would allow them to exhaust memory resources on the dispatch server.