Total: 210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-40138 | 1 Facebook | 1 Hermes | 2022-10-11 | N/A | 9.8 CRITICAL |
| An integer conversion error in Hermes bytecode generation, prior to commit 6aa825e480d48127b480b08d13adf70033237097, could have been used to perform Out-Of-Bounds operations and subsequently execute arbitrary code. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected. | |||||
| CVE-2022-39870 | 1 Samsung | 1 Smartthings | 2022-10-11 | N/A | 7.5 HIGH |
| Improper access control vulnerability in cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via the PUSH_MESSAGE_RECEIVED broadcast. | |||||
| CVE-2022-35289 | 1 Facebook | 1 Hermes | 2022-10-11 | N/A | 9.8 CRITICAL |
| A write-what-where condition in hermes caused by an integer overflow, prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected. | |||||
| CVE-2022-32234 | 1 Facebook | 1 Hermes | 2022-10-11 | N/A | 9.8 CRITICAL |
| An out of bounds write in hermes, while handling large arrays, prior to commit 06eaec767e376bfdb883d912cb15e987ddf2bda1 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected. | |||||
| CVE-2022-39871 | 1 Samsung | 1 Smartthings | 2022-10-11 | N/A | 7.5 HIGH |
| Improper access control vulnerability in cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts. | |||||
| CVE-2022-42731 | 1 Django-mfa2 Project | 1 Django-mfa2 | 2022-10-11 | N/A | 7.5 HIGH |
| mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage. | |||||
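The replay condition described for CVE-2022-42731 comes down to one server-side decision: whether the registration challenge is consumed on first use or left valid. The following is an added example written for this page, not code from django-mfa2; it models the challenge store as an in-memory dict, treats the presented challenge as raw bytes rather than the clientDataJSON a real WebAuthn ceremony carries, and uses an assumed 120-second lifetime. It counts how many authenticators an attacker can register by replaying a single captured registration response.

```python
"""Single-use registration challenges (added example, not django-mfa2 code)."""
import secrets
import time

CHALLENGE_TTL = 120  # seconds a pending challenge stays valid (assumed value)


class ChallengeStore:
    """In-memory stand-in for the server-side session store (assumption).

    single_use=False reproduces the vulnerable behaviour: the challenge is
    left in place after a successful registration. single_use=True removes
    it on first successful use, which is the fix.
    """

    def __init__(self, single_use: bool):
        self.single_use = single_use
        self._pending = {}  # user -> (challenge bytes, issue time)

    def issue(self, user: str) -> bytes:
        """Start a registration ceremony: one fresh random challenge per user."""
        challenge = secrets.token_bytes(32)
        self._pending[user] = (challenge, time.monotonic())
        return challenge

    def consume(self, user: str, presented: bytes) -> bool:
        """Return True only if `presented` equals the user's live challenge."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        challenge, issued_at = entry
        if time.monotonic() - issued_at > CHALLENGE_TTL:
            del self._pending[user]          # expired: drop it regardless
            return False
        if not secrets.compare_digest(challenge, presented):
            return False
        if self.single_use:
            del self._pending[user]          # invalidate on first success
        return True


def register_device(store: ChallengeStore, user: str, presented: bytes,
                    device_id: str, registered: dict) -> bool:
    """Simulated registration endpoint: register only if the challenge is live."""
    if not store.consume(user, presented):
        return False
    registered.setdefault(user, []).append(device_id)
    return True


def replay_outcome(single_use: bool) -> int:
    """Devices registered for 'alice' after one legitimate registration
    followed by an attacker replaying the same captured response.
    Returns 2 for the vulnerable store and 1 for the fixed one."""
    store = ChallengeStore(single_use=single_use)
    registered = {}
    captured = store.issue("alice")          # legitimate ceremony begins
    register_device(store, "alice", captured, "alice-key", registered)
    # attacker replays the captured response with their own authenticator id
    register_device(store, "alice", captured, "attacker-key", registered)
    return len(registered["alice"])


def expired_challenge_rejected() -> bool:
    """A challenge older than CHALLENGE_TTL must fail even if never used."""
    store = ChallengeStore(single_use=True)
    challenge = store.issue("bob")
    stale = (challenge, time.monotonic() - CHALLENGE_TTL - 1)
    store._pending["bob"] = stale            # simulate the clock moving on
    return store.consume("bob", challenge) is False


if __name__ == "__main__":
    print("vulnerable store registers:", replay_outcome(single_use=False))
    print("fixed store registers:", replay_outcome(single_use=True))
```

In a Django view the same property is obtained by popping the pending state out of `request.session` when the response is verified rather than reading it and leaving it there; binding the challenge to the user and giving it a short lifetime, as above, limits the damage if a response is captured before the fix is deployed.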
| CVE-2022-36868 | 1 Google | 1 Android | 2022-10-11 | N/A | 3.3 LOW |
| Improper restriction of broadcasting Intent in MouseNKeyHidDevice prior to SMR Oct-2022 Release 1 leaks MAC address of the connected Bluetooth device. | |||||
| CVE-2021-35226 | 1 Solarwinds | 1 Network Configuration Manager | 2022-10-11 | N/A | 6.5 MEDIUM |
| An entity in the Network Configuration Manager product is misconfigured and exposes the password field to the SolarWinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role. | |||||
| CVE-2022-3433 | 1 Haskell | 1 Aeson | 2022-10-11 | N/A | 6.5 MEDIUM |
| The aeson library is not safe to use to consume untrusted JSON input. A remote user could abuse this flaw to produce a hash collision in the underlying unordered-containers library by sending specially crafted JSON data, resulting in a denial of service. | |||||
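The mechanism behind CVE-2022-3433 is hash flooding: if the hash used to bucket JSON object keys is deterministic and easy to invert, a client can send a document whose keys all land in one bucket, and every insert degrades to a linear scan. The block below is an added example built for this page in Python rather than Haskell; it does not reproduce the hash used by unordered-containers. It uses a constructed weak hash (sum of code points, so any anagram collides), a keyed BLAKE2b hash as the hardened alternative, and a small chained hash table whose probe count stands in for CPU time, then compares the cost of ingesting the same crafted JSON payload with each hash.

```python
"""Hash flooding against a chained hash table (added example, constructed)."""
import hashlib
import itertools
import json
import secrets


def weak_hash(key: str) -> int:
    """Assumed weak scheme: sum of code points. Permutations of one string
    all hash identically, so the attacker can pick colliding keys at will."""
    return sum(ord(c) for c in key)


_PROCESS_KEY = secrets.token_bytes(16)   # fresh per process, never sent to clients


def keyed_hash(key: str) -> int:
    """Keyed hash: without _PROCESS_KEY the attacker cannot predict buckets."""
    digest = hashlib.blake2b(key.encode(), key=_PROCESS_KEY, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class ChainedTable:
    """Minimal separate-chaining table; `probes` counts entries compared."""

    def __init__(self, hash_fn, buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0

    def insert(self, key: str, value) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):
            self.probes += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def colliding_keys(n: int, alphabet: str = "abcdefgh") -> list:
    """Constructed attacker payload: n distinct permutations of one string,
    so weak_hash maps every one of them to the same bucket."""
    return ["".join(p) for p in itertools.islice(itertools.permutations(alphabet), n)]


def build_json_payload(n: int) -> str:
    """The kind of document a remote client would send: one object, n keys."""
    return json.dumps({k: 0 for k in colliding_keys(n)})


def cost_of_parsing(payload: str, hash_fn) -> tuple:
    """Insert every key of the JSON object into a table using hash_fn.
    Returns (longest bucket, total probes). json.loads itself is safe here
    because CPython's str hash is randomized per process."""
    obj = json.loads(payload)
    table = ChainedTable(hash_fn)
    for k, v in obj.items():
        table.insert(k, v)
    return max(len(b) for b in table.buckets), table.probes


if __name__ == "__main__":
    payload = build_json_payload(2000)
    print("weak hash  (max bucket, probes):", cost_of_parsing(payload, weak_hash))
    print("keyed hash (max bucket, probes):", cost_of_parsing(payload, keyed_hash))
```

With 2000 colliding keys the weak table puts all of them in one bucket and performs 1999000 comparisons; the keyed table spreads them across buckets and performs on the order of two thousand. Keying the hash is the structural fix; capping the number of keys an object may carry, or the total document size, is the cheaper defence a consumer of an unfixed library can apply at the edge.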
| CVE-2022-2350 | 1 Brainvire | 1 Disable User Login | 2022-10-11 | N/A | 5.3 MEDIUM |
| The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will. | |||||
| CVE-2022-41749 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2022-10-11 | N/A | 7.8 HIGH |
| An origin validation error vulnerability in Trend Micro Apex One agents could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2022-3438 | 1 Ikus-soft | 1 Rdiffweb | 2022-10-11 | N/A | 6.1 MEDIUM |
| Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. | |||||
| CVE-2022-39855 | 1 Google | 1 Android | 2022-10-11 | N/A | 4.3 MEDIUM |
| Improper access control vulnerability in the FACM application prior to SMR Oct-2022 Release 1 allows a local attacker to connect to arbitrary AP and Bluetooth devices. | |||||
| CVE-2022-41870 | 1 Innovaphone | 1 Innovaphone Firmware | 2022-10-11 | N/A | 7.2 HIGH |
| AP Manager in Innovaphone before 13r2 Service Release 17 allows command injection via a modified service ID during app upload. | |||||
| CVE-2021-25044 | 1 Premium-themes | 1 Cryptocurrency Pricing List And Ticker | 2022-10-11 | N/A | 6.1 MEDIUM |
| The Cryptocurrency Pricing list and Ticker WordPress plugin through 1.5 does not sanitise and escape the ccpw_setpage parameter before outputting it back in pages where its shortcode is embedded, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2022-2448 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2022-10-11 | N/A | 4.8 MEDIUM |
| The reSmush.it WordPress plugin before 0.4.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-40257 | 1 Cert | 1 Vince | 2022-10-11 | N/A | 5.4 MEDIUM |
| An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field. | |||||
| CVE-2022-40248 | 1 Cert | 1 Vince | 2022-10-11 | N/A | 5.4 MEDIUM |
| An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field. | |||||
| CVE-2022-39292 | 1 Slack Morphism Project | 1 Slack Morphism | 2022-10-11 | N/A | 7.5 HIGH |
| Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slack webhooks may disable or filter debug logs. | |||||
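Both the fix and the workaround for CVE-2022-39292 amount to making sure a Slack incoming-webhook URL, whose path is the secret, never reaches a log sink verbatim. The following is an added example for this page in Python, not Slack Morphism's Rust code: a `logging.Filter` that rewrites the webhook path in the record's message and arguments before any handler formats it, checked against a constructed webhook URL of the documented `https://hooks.slack.com/services/T.../B.../...` shape.

```python
"""Redacting Slack webhook URLs from debug logs (added example, constructed)."""
import logging
import re

# The token in an incoming-webhook URL lives in the path; match the whole path.
WEBHOOK_RE = re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/_-]+")
REDACTED = "https://hooks.slack.com/services/[REDACTED]"

# Constructed sample in the documented shape; not a real webhook.
DEMO_URL = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"


def redact_webhooks(text: str) -> str:
    """Replace every webhook URL in `text` with the redacted placeholder."""
    return WEBHOOK_RE.sub(REDACTED, text)


class WebhookRedactingFilter(logging.Filter):
    """Rewrite msg and args in place so %-formatting can't reassemble the URL.

    Attached to a handler rather than a logger so it also sees records that
    propagate from child loggers, which a library's own logger normally does.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_webhooks(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: self._scrub(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self._scrub(a) for a in record.args)
        return True

    @staticmethod
    def _scrub(value):
        return redact_webhooks(value) if isinstance(value, str) else value


class ListHandler(logging.Handler):
    """Collects formatted lines so the result can be inspected in-process."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def capture_debug_line(webhook_url: str, redact: bool) -> str:
    """Emit one debug line the way a client library would, with or without
    the filter, and return what the handler would have written."""
    logger = logging.getLogger(f"slack-demo-{'redact' if redact else 'plain'}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(WebhookRedactingFilter())
    logger.addHandler(handler)
    logger.debug("POST %s payload=%r", webhook_url, {"text": "deploy finished"})
    return handler.lines[0]


if __name__ == "__main__":
    print(capture_debug_line(DEMO_URL, redact=False))
    print(capture_debug_line(DEMO_URL, redact=True))
```

Because the filter mutates the record, every handler downstream of it sees the redacted form, which is what you want for a secret. The residual risk is a URL embedded inside a non-string argument (an exception object, a request dict rendered with `%r`), which this filter does not walk; the safer companion control is the workaround the advisory names, not enabling debug logging for the client library in production at all.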
| CVE-2022-2823 | 1 Metaslider | 1 Slider, Gallery, And Carousel | 2022-10-11 | N/A | 4.8 MEDIUM |
| The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.27.9 does not sanitise and escape some of its Gallery Image parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
