Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-74
Total 803 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-29078 1 Ejs 1 Ejs 2022-11-09 7.5 HIGH 9.8 CRITICAL
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
CVE-2022-43562 1 Splunk 2 Splunk, Splunk Cloud Platform 2022-11-09 N/A 5.4 MEDIUM
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning.
CVE-2022-27858 1 Activity Log Project 1 Activity Log 2022-11-09 N/A 9.8 CRITICAL
CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress.
CVE-2022-20772 1 Cisco 4 Email Security Appliance, Email Security Appliance Firmware, Secure Email And Web Manager and 1 more 2022-11-08 N/A 5.3 MEDIUM
A vulnerability in Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses.
CVE-2022-3868 1 Sanitization Management System Project 1 Sanitization Management System 2022-11-07 N/A 9.8 CRITICAL
A vulnerability classified as critical has been found in SourceCodester Sanitization Management System. Affected is an unknown function of the file /php-sms/classes/Master.php?f=save_quote. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-213012.
CVE-2020-23050 1 Taotesting 1 Tao Assessment Platform 2022-11-04 6.0 MEDIUM 8.0 HIGH
TAO Open Source Assessment Platform v3.3.0 RC02 was discovered to contain a HTML injection vulnerability in the userFirstName parameter of the user account input field. This vulnerability allows attackers to execute phishing attacks, external redirects, and arbitrary code.
CVE-2022-0582 3 Debian, Fedoraproject, Wireshark 3 Debian Linux, Fedora, Wireshark 2022-11-04 7.5 HIGH 9.8 CRITICAL
Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file
CVE-2022-3518 1 Sanitization Management System Project 1 Sanitization Management System 2022-11-04 N/A 4.8 MEDIUM
A vulnerability classified as problematic has been found in SourceCodester Sanitization Management System 1.0. Affected is an unknown function of the component User Creation Handler. The manipulation of the argument First Name/Middle Name/Last Name leads to cross site scripting. It is possible to launch the attack remotely. VDB-211014 is the identifier assigned to this vulnerability.
CVE-2022-0581 3 Debian, Fedoraproject, Wireshark 3 Debian Linux, Fedora, Wireshark 2022-11-04 5.0 MEDIUM 7.5 HIGH
Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file
CVE-2022-39382 1 Keystonejs 1 Keystone 2022-11-04 N/A 9.8 CRITICAL
Keystone is a headless CMS for Node.js — built with GraphQL and React.`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `"development"` for user code, irrespective of what your environment variables. If you do not use `NODE_ENV` in your user code to trigger security-sensitive functionality, you are not impacted by this vulnerability. Any dependencies that use `NODE_ENV` to trigger particular behaviors (optimizations, security or otherwise) should still respect your environment's configured `NODE_ENV` variable. The application's dependencies, as found in `node_modules` (including `@keystone-6/core`), are typically not compiled as part of this process, and thus should be unaffected. We have tested this assumption by verifying that `NODE_ENV=production yarn keystone start` still uses secure cookies when using `statelessSessions`. This vulnerability has been fixed in @keystone-6/core@3.0.2, regression tests have been added for this vulnerability in #8063.
CVE-2022-41716 2 Golang, Microsoft 2 Go, Windows 2022-11-04 N/A 7.5 HIGH
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
CVE-2022-3825 1 Huaxiaerp 1 Huaxia Erp 2022-11-04 N/A 6.5 MEDIUM
A vulnerability was found in Huaxia ERP 2.3 and classified as critical. Affected by this issue is some unknown functionality of the component User Management. The manipulation of the argument login leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212792.
CVE-2022-3827 1 Centreon 1 Centreon 2022-11-03 N/A 9.8 CRITICAL
A vulnerability was found in centreon. It has been declared as critical. This vulnerability affects unknown code of the file formContactGroup.php of the component Contact Groups Form. The manipulation of the argument cg_id leads to sql injection. The attack can be initiated remotely. The name of the patch is 293b10628f7d9f83c6c82c78cf637cbe9b907369. It is recommended to apply a patch to fix this issue. VDB-212794 is the identifier assigned to this vulnerability.
CVE-2021-38395 1 Honeywell 8 Application Control Environment, Application Control Environment Firmware, C200 and 5 more 2022-11-02 N/A 9.8 CRITICAL
Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
CVE-2022-39016 1 M-files 1 Hubshare 2022-11-01 N/A 8.8 HIGH
Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.
CVE-2022-3731 1 Ehoney Project 1 Ehoney 2022-10-31 N/A 9.8 CRITICAL
A vulnerability has been found in seccome Ehoney and classified as critical. Affected by this vulnerability is an unknown functionality of the file /api/v1/attack/token. The manipulation of the argument Payload leads to sql injection. The attack can be launched remotely. The identifier VDB-212413 was assigned to this vulnerability.
CVE-2022-3730 1 Ehoney Project 1 Ehoney 2022-10-31 N/A 9.8 CRITICAL
A vulnerability, which was classified as critical, was found in seccome Ehoney. Affected is an unknown function of the file /api/v1/attack/falco. The manipulation of the argument Payload leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-212412.
CVE-2022-3729 1 Ehoney Project 1 Ehoney 2022-10-31 N/A 9.8 CRITICAL
A vulnerability, which was classified as critical, has been found in seccome Ehoney. This issue affects some unknown processing of the file /api/v1/attack. The manipulation of the argument AttackIP leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-212411.
CVE-2022-3733 1 Web-based Student Clearance System Project 1 Web-based Student Clearance System 2022-10-31 N/A 8.8 HIGH
A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. This affects an unknown part of the file Admin/edit-admin.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212415.
CVE-2022-3714 1 Online Medicine Ordering System Project 1 Online Medicine Ordering System 2022-10-28 N/A 9.8 CRITICAL
A vulnerability classified as critical has been found in SourceCodester Online Medicine Ordering System 1.0. Affected is an unknown function of the file admin/?page=orders/view_order. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. VDB-212346 is the identifier assigned to this vulnerability.