Total
27865 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25887 | 1 Apostrophecms | 1 Sanitize-html | 2022-09-01 | N/A | 7.5 HIGH |
| The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal. | |||||
| CVE-2020-35605 | 2 Debian, Kitty Project | 2 Debian Linux, Kitty | 2022-09-01 | 7.5 HIGH | 9.8 CRITICAL |
| The Graphics Protocol feature in graphics.c in kitty before 0.19.3 allows remote attackers to execute arbitrary code because a filename containing special characters can be included in an error message. | |||||
| CVE-2022-38792 | 1 Exotel Project | 1 Exotel | 2022-09-01 | N/A | 9.8 CRITICAL |
| The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party. | |||||
| CVE-2022-1663 | 1 Stop Spam Comments Project | 1 Stop Spam Comments | 2022-08-31 | N/A | 6.5 MEDIUM |
| The Stop Spam Comments WordPress plugin through 0.2.1.2 does not properly generate the Javascript access token for preventing abuse of comment section, allowing threat authors to easily collect the value and add it to the request. | |||||
| CVE-2020-28593 | 1 Cosori | 2 Cs158-af, Cs158-af Firmware | 2022-08-31 | 6.8 MEDIUM | 8.1 HIGH |
| A unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2022-36542 | 1 Edoc-doctor-appointment-system Project | 1 Edoc-doctor-appointment-system | 2022-08-31 | N/A | 6.5 MEDIUM |
| An access control issue in the component /ip/admin/ of Edoc-doctor-appointment-system v1.0.1 allows attackers to arbitrarily edit, read, and delete Administrator data. | |||||
| CVE-2022-34256 | 2 Adobe, Magento | 2 Commerce, Magento | 2022-08-31 | N/A | 9.8 CRITICAL |
| Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction. | |||||
| CVE-2021-24188 | 1 Wp-buy | 1 Wp Content Copy Protection \& No Right Click | 2022-08-30 | 6.5 MEDIUM | 8.8 HIGH |
| Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE. | |||||
| CVE-2021-24158 | 1 Themeisle | 1 Orbit Fox | 2022-08-30 | 3.5 LOW | 6.5 MEDIUM |
| Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for lower-level users, however, they can still supply the user_role parameter to update the default role for registration. | |||||
| CVE-2021-22911 | 1 Rocket.chat | 1 Rocket.chat | 2022-08-30 | 7.5 HIGH | 9.8 CRITICAL |
| A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE. | |||||
| CVE-2021-22941 | 1 Citrix | 1 Sharefile Storagezones Controller | 2022-08-30 | 10.0 HIGH | 9.8 CRITICAL |
| Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller. | |||||
| CVE-2021-22917 | 1 Brave | 1 Browser | 2022-08-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| Brave Browser Desktop between versions 1.17 and 1.20 is vulnerable to information disclosure by way of DNS requests in Tor windows not flowing through Tor if adblocking was enabled. | |||||
| CVE-2021-22916 | 1 Brave | 1 Brave | 2022-08-30 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Brave Desktop between versions 1.17 and 1.26.60, when adblocking is enabled and a proxy browser extension is installed, the CNAME adblocking feature issues DNS requests that used the system DNS settings instead of the extension's proxy settings, resulting in possible information disclosure. | |||||
| CVE-2021-22907 | 1 Citrix | 1 Workspace | 2022-08-30 | 7.2 HIGH | 7.8 HIGH |
| An improper access control vulnerability exists in Citrix Workspace App for Windows potentially allows privilege escalation in CR versions prior to 2105 and 1912 LTSR prior to CU4. | |||||
| CVE-2022-37316 | 1 Rsa | 1 Archer | 2022-08-30 | N/A | 6.5 MEDIUM |
| Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release. | |||||
| CVE-2021-23861 | 1 Bosch | 4 Bosch Video Management System, Divar Ip 5000 Firmware, Divar Ip 7000 Firmware and 1 more | 2022-08-30 | 5.5 MEDIUM | 6.5 MEDIUM |
| By executing a special command, an user with administrative rights can get access to extended debug functionality on the VRM allowing an impact on integrity or availability of the installed software. This issue also affects installations of the DIVAR IP and BVMS with VRM installed. | |||||
| CVE-2021-23173 | 1 Philips | 1 Engage | 2022-08-30 | 4.0 MEDIUM | 4.3 MEDIUM |
| The affected product is vulnerable to an improper access control, which may allow an authenticated user to gain unauthorized access to sensitive data. | |||||
| CVE-2021-23055 | 1 F5 | 1 Nginx Ingress Controller | 2022-08-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2018-12116 | 2 Nodejs, Suse | 4 Node.js, Suse Enterprise Storage, Suse Linux Enterprise Server and 1 more | 2022-08-29 | 5.0 MEDIUM | 7.5 HIGH |
| Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. | |||||
| CVE-2018-7158 | 1 Nodejs | 1 Node.js | 2022-08-29 | 5.0 MEDIUM | 7.5 HIGH |
| The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service. | |||||