Total
6955 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40690 | 3 Apache, Debian, Oracle | 18 Cxf, Tomee, Xml Security For Java and 15 more | 2022-10-04 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. | |||||
| CVE-2022-32540 | 1 Bosch | 3 Bosch Video Management System, Videojet Decoder 7513, Videojet Decoder 7513 Firmware | 2022-10-04 | N/A | 5.9 MEDIUM |
| Information Disclosure in Operator Client application in BVMS 10.1.1, 11.0 and 11.1.0 and VIDEOJET Decoder VJD-7513 versions 10.23 and 10.30 allows man-in-the-middle attacker to compromise confidential video stream. This is only applicable for UDP encryption when target system contains cameras with platform CPP13 or CPP14 and firmware version 8.x. | |||||
| CVE-2017-0885 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message disclosing existence of file in write-only share. Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages. | |||||
| CVE-2022-33741 | 3 Fedoraproject, Linux, Xen | 3 Fedora, Linux Kernel, Xen | 2022-10-02 | 3.6 LOW | 7.1 HIGH |
| Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). | |||||
| CVE-2022-33740 | 3 Fedoraproject, Linux, Xen | 3 Fedora, Linux Kernel, Xen | 2022-10-02 | 3.6 LOW | 7.1 HIGH |
| Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). | |||||
| CVE-2022-33742 | 3 Fedoraproject, Linux, Xen | 3 Fedora, Linux Kernel, Xen | 2022-10-02 | 3.6 LOW | 7.1 HIGH |
| Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). | |||||
| CVE-2022-26365 | 3 Fedoraproject, Linux, Xen | 3 Fedora, Linux Kernel, Xen | 2022-10-02 | 3.6 LOW | 7.1 HIGH |
| Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). | |||||
| CVE-2022-38668 | 1 Crowcpp | 1 Crow | 2022-09-30 | N/A | 7.5 HIGH |
| HTTP applications (servers) based on Crow through 1.0+4 may reveal potentially sensitive uninitialized data from stack memory when fulfilling a request for a static file smaller than 16 KB. | |||||
| CVE-2022-3348 | 1 Tooljet | 1 Tooljet | 2022-09-30 | N/A | 4.9 MEDIUM |
| Just like in the previous report, an attacker could steal the account of different users. But in this case, it's a little bit more specific, because it is needed to be an editor in the same app as the victim. | |||||
| CVE-2022-32218 | 1 Rocket.chat | 1 Rocket.chat | 2022-09-27 | N/A | 4.3 MEDIUM |
| An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries. | |||||
| CVE-2022-32220 | 1 Rocket.chat | 1 Rocket.chat | 2022-09-27 | N/A | 6.5 MEDIUM |
| An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | |||||
| CVE-2022-32219 | 1 Rocket.chat | 1 Rocket.chat | 2022-09-27 | N/A | 4.3 MEDIUM |
| An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the "users.list" REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any data (except password hashes) of any user authenticated. | |||||
| CVE-2022-35249 | 1 Rocket.chat | 1 Rocket.chat | 2022-09-26 | N/A | 4.3 MEDIUM |
| A information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | |||||
| CVE-2022-39230 | 1 Amazon | 1 Fhir-works-on-aws-authz-smart | 2022-09-26 | N/A | 6.5 MEDIUM |
| fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue. | |||||
| CVE-2022-40194 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2022-09-26 | N/A | 7.5 HIGH |
| Unauthenticated Sensitive Information Disclosure vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress | |||||
| CVE-2022-36878 | 1 Samsung | 1 Find My Mobile | 2022-09-21 | N/A | 3.3 LOW |
| Exposure of Sensitive Information in Find My Mobile prior to version 7.2.25.14 allows local attacker to access IMEI via log. | |||||
| CVE-2022-36834 | 1 Samsung | 1 Game Launcher | 2022-09-20 | N/A | 5.0 MEDIUM |
| Exposure of Sensitive Information vulnerability in Game Launcher prior to version 6.0.07 allows local attacker to access app data with user interaction. | |||||
| CVE-2021-1406 | 1 Cisco | 1 Unified Communications Manager | 2022-09-20 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper inclusion of sensitive information in downloadable files. An attacker could exploit this vulnerability by authenticating to an affected device and issuing a specific set of commands. A successful exploit could allow the attacker to obtain hashed credentials of system users. To exploit this vulnerability an attacker would need to have valid user credentials with elevated privileges. | |||||
| CVE-2022-31143 | 1 Glpi-project | 1 Glpi | 2022-09-19 | N/A | 5.3 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. It was found that in affected versions there is an exposure of private information defined in setup of GLPI (like smtp or cas hosts). Note that passwords are not exposed. Users are advised to upgrade to version 10.0.3. There are no known workarounds for this issue. | |||||
| CVE-2022-22330 | 2 Ibm, Linux | 2 Control Desk, Linux Kernel | 2022-09-15 | N/A | 5.3 MEDIUM |
| IBM Control Desk 7.6.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 219126. | |||||