Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1290 | 1 Trudesk Project | 1 Trudesk | 2023-03-07 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in "Name", "Group Name" & "Title" in GitHub repository polonel/trudesk prior to v1.2.0. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse. | |||||
| CVE-2022-1289 | 1 Tildearrow | 1 Furnace | 2023-03-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability was found in tildearrow Furnace. It has been classified as problematic. This is due to an incomplete fix of CVE-2022-1211. It is possible to initiate the attack remotely but it requires user interaction. The issue got fixed with the patch 0eb02422d5161767e9983bdaa5c429762d3477ce. | |||||
| CVE-2022-4566 | 1 Ruoyi | 1 Ruoyi | 2023-03-07 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, has been found in y_project RuoYi 4.7.5. This issue affects some unknown processing of the file com/ruoyi/generator/controller/GenController. The manipulation leads to sql injection. The name of the patch is 167970e5c4da7bb46217f576dc50622b83f32b40. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215975. | |||||
| CVE-2022-1531 | 1 Rtx Project | 1 Rtx | 2023-03-07 | 10.0 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in GitHub repository rtxteam/rtx prior to checkpoint_2022-04-20 . This vulnerability is critical as it can lead to remote code execution and thus complete server takeover. | |||||
| CVE-2023-22493 | 1 Rsshub | 1 Rsshub | 2023-03-07 | N/A | 7.5 HIGH |
| RSSHub is an open source RSS feed generator. RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network. An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious URL. An attacker could also use this vulnerability to send requests to internal or any other servers or resources on the network, potentially gain access to sensitive information that would not normally be accessible and amplifying the impact of the attack. The patch for this issue can be found in commit a66cbcf. | |||||
| CVE-2023-25812 | 1 Minio | 1 Minio | 2023-03-07 | N/A | 8.8 HIGH |
| Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-0868 | 1 Opennms | 2 Horizon, Meridian | 2023-03-07 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting in graph results in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to steal session cookies. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0815 | 1 Opennms | 2 Horizon, Meridian | 2023-03-07 | N/A | 6.5 MEDIUM |
| Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2021-23212 | 2023-03-07 | N/A | N/A | ||
| This candidate was in a CNA pool that was not assigned to any issues during 2021. | |||||
| CVE-2021-23199 | 2023-03-07 | N/A | N/A | ||
| This candidate was in a CNA pool that was not assigned to any issues during 2021. | |||||
| CVE-2021-23185 | 2023-03-07 | N/A | N/A | ||
| This candidate was in a CNA pool that was not assigned to any issues during 2021. | |||||
| CVE-2020-10567 | 1 Tecrail | 1 Responsive Filemanager | 2023-03-07 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Responsive Filemanager through 9.14.0. In the ajax_calls.php file in the save_img action in the name parameter, there is no validation of what kind of extension is sent. This makes it possible to execute PHP code if a legitimate JPEG image contains this code in the EXIF data, and the .php extension is used in the name parameter. (A potential fast patch is to disable the save_img action in the config file.) | |||||
| CVE-2022-40705 | 1 Apache | 1 Soap | 2023-03-07 | N/A | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-25823 | 1 Gradio Project | 1 Gradio | 2023-03-07 | N/A | 9.8 CRITICAL |
| Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested. | |||||
| CVE-2022-41614 | 1 Intel | 1 On Event Series | 2023-03-07 | N/A | 5.5 MEDIUM |
| Insufficiently protected credentials in the Intel(R) ON Event Series Android application before version 2.0 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2022-36382 | 1 Intel | 30 Ethernet Controller X710-am2, Ethernet Controller X710-am2 Firmware, Ethernet Controller X710-bm2 and 27 more | 2023-03-07 | N/A | 4.4 MEDIUM |
| Out-of-bounds write in firmware for some Intel(R) Ethernet Network Controllers and Adapters E810 Series before version 1.7.0.8 and some Intel(R) Ethernet 700 Series Controllers and Adapters before version 9.101 may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2023-20089 | 1 Cisco | 47 Nexus 9000v, Nexus 92160yc-x, Nexus 92300yc and 44 more | 2023-03-07 | N/A | 6.5 MEDIUM |
| A vulnerability in the Link Layer Discovery Protocol (LLDP) feature for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode could allow an unauthenticated, adjacent attacker to cause a memory leak, which could result in an unexpected reload of the device. This vulnerability is due to incorrect error checking when parsing ingress LLDP packets. An attacker could exploit this vulnerability by sending a steady stream of crafted LLDP packets to an affected device. A successful exploit could allow the attacker to cause a memory leak, which could result in a denial of service (DoS) condition when the device unexpectedly reloads. Note: This vulnerability cannot be exploited by transit traffic through the device. The crafted LLDP packet must be targeted to a directly connected interface, and the attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). In addition, the attack surface for this vulnerability can be reduced by disabling LLDP on interfaces where it is not required. | |||||
| CVE-2022-36287 | 1 Intel | 1 Field Programmable Gate Array Crypto Service Server | 2023-03-07 | N/A | 4.3 MEDIUM |
| Uncaught exception in the FCS Server software maintained by Intel before version 1.1.79.3 may allow a privileged user to potentially enable denial of service via physical access. | |||||
| CVE-2022-45140 | 1 Wago | 14 751-9301, 751-9301 Firmware, 752-8303\/8000-002 and 11 more | 2023-03-07 | N/A | 9.8 CRITICAL |
| The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise. | |||||
| CVE-2022-42797 | 1 Apple | 1 Xcode | 2023-03-07 | N/A | 7.8 HIGH |
| An injection issue was addressed with improved input validation. This issue is fixed in Xcode 14.1. An app may be able to gain root privileges. | |||||