Total
22706 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41106 | 1 Microsoft | 5 365 Apps, Excel, Office and 2 more | 2023-01-20 | N/A | 7.8 HIGH |
| Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-41063. | |||||
| CVE-2022-40186 | 1 Hashicorp | 1 Vault | 2023-01-20 | N/A | 9.1 CRITICAL |
| An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault. | |||||
| CVE-2022-31629 | 3 Debian, Fedoraproject, Php | 3 Debian Linux, Fedora, Php | 2023-01-20 | N/A | 6.5 MEDIUM |
| In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications. | |||||
| CVE-2022-37661 | 1 Adtran | 4 Sr506n, Sr506n Firmware, Sr510n and 1 more | 2023-01-19 | N/A | 9.8 CRITICAL |
| SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remote Code Execution (RCE) via the ping host feature. | |||||
| CVE-2022-42327 | 2 Fedoraproject, Xen | 2 Fedora, Xen | 2023-01-19 | N/A | 7.1 HIGH |
| x86: unintended memory sharing between guests On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests. | |||||
| CVE-2022-23960 | 3 Arm, Debian, Xen | 42 Cortex-a57, Cortex-a57 Firmware, Cortex-a65 and 39 more | 2023-01-19 | 1.9 LOW | 5.6 MEDIUM |
| Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. | |||||
| CVE-2021-22048 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2023-01-19 | 6.5 MEDIUM | 8.8 HIGH |
| The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group. | |||||
| CVE-2022-3613 | 1 Gitlab | 1 Gitlab | 2023-01-19 | N/A | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A crafted Prometheus Server query can cause high resource consumption and may lead to Denial of Service. | |||||
| CVE-2018-1058 | 3 Canonical, Postgresql, Redhat | 3 Ubuntu Linux, Postgresql, Cloudforms | 2023-01-19 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected. | |||||
| CVE-2023-22487 | 1 Flarum | 1 Flarum | 2023-01-19 | N/A | 4.3 MEDIUM |
| Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special `@"<username>"#p<id>` syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post or not: A URL to the mentioned post is inserted into the actor post HTML, leaking its discussion ID and post number. The `mentionsPosts` relationship included in the `POST /api/posts` and `PATCH /api/posts/<id>` JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions. An attacker only needs the ability to create new posts on the forum to exploit the vulnerability. This works even if new posts require approval. If they have the ability to edit posts, the attack can be performed even more discreetly by using a single post to scan any size of database and hiding the attack post content afterward. The attack allows the leaking of all posts in the forum database, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions like FriendsOfFlarum Byobu. This also includes non-comment posts like tag changes or renaming events. The discussion payload is not leaked but using the mention HTML payload it's possible to extract the discussion ID of all posts and combine all posts back together into their original discussions even if the discussion title remains unknown. All Flarum versions prior to 1.6.3 are affected. The vulnerability has been fixed and published as flarum/core v1.6.3. As a workaround, user can disable the mentions extension. | |||||
| CVE-2022-3870 | 1 Gitlab | 1 Gitlab | 2023-01-19 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility. | |||||
| CVE-2022-38038 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-01-18 | N/A | 7.8 HIGH |
| Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38039. | |||||
| CVE-2022-37991 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2023-01-18 | N/A | 7.8 HIGH |
| Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37988, CVE-2022-37990, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038, CVE-2022-38039. | |||||
| CVE-2013-0796 | 2 Linux, Mozilla | 6 Linux Kernel, Firefox, Firefox Esr and 3 more | 2023-01-18 | 10.0 HIGH | N/A |
| The WebGL subsystem in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 on Linux does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (free of unallocated memory) via unspecified vectors. | |||||
| CVE-2022-4457 | 1 Cloudflare | 1 Warp | 2023-01-18 | N/A | 5.5 MEDIUM |
| Due to a misconfiguration in the manifest file of the WARP client for Android, it was possible to a perform a task hijacking attack. An attacker could create a malicious mobile application which could hijack legitimate app and steal potentially sensitive information when installed on the victim's device. | |||||
| CVE-2021-26328 | 1 Amd | 48 Epyc 7003, Epyc 7003 Firmware, Epyc 72f3 and 45 more | 2023-01-18 | N/A | 4.4 MEDIUM |
| Failure to verify the mode of CPU execution at the time of SNP_INIT may lead to a potential loss of memory integrity for SNP guests. | |||||
| CVE-2021-26403 | 1 Amd | 82 Epyc 7001, Epyc 7001 Firmware, Epyc 7002 and 79 more | 2023-01-18 | N/A | 6.5 MEDIUM |
| Insufficient checks in SEV may lead to a malicious hypervisor disclosing the launch secret potentially resulting in compromise of VM confidentiality. | |||||
| CVE-2023-21739 | 1 Microsoft | 9 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 6 more | 2023-01-18 | N/A | 7.5 HIGH |
| Windows Bluetooth Driver Elevation of Privilege Vulnerability. | |||||
| CVE-2022-42012 | 2 D-bus Project, Fedoraproject | 2 D-bus, Fedora | 2023-01-18 | N/A | 6.5 MEDIUM |
| An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format. | |||||
| CVE-2023-21741 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2023-01-18 | N/A | 7.1 HIGH |
| Microsoft Office Visio Information Disclosure Vulnerability. | |||||