Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-21169 | 1 Express Xss Sanitizer Project | 1 Express Xss Sanitizer | 2022-09-28 | N/A | 6.1 MEDIUM | The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization. |
CVE-2022-26276 | 1 Onenav | 1 Onenav | 2022-09-28 | 5.0 MEDIUM | 5.3 MEDIUM | An issue in index.php of OneNav v0.9.14 allows attackers to perform directory traversal. |
CVE-2021-38138 | 1 Onenav | 1 Onenav | 2022-09-28 | 3.5 LOW | 5.4 MEDIUM | OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release. |
CVE-2022-3295 | 1 Ikus-soft | 1 Rdiffweb | 2022-09-28 | N/A | 7.5 HIGH | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.4.8. |
CVE-2022-38553 | 1 Creativeitem | 1 Academy Learning Management System | 2022-09-28 | N/A | 6.1 MEDIUM | Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter. |
CVE-2022-40866 | 1 Tenda | 2 W20e, W20e Firmware | 2022-09-28 | N/A | 9.8 CRITICAL | Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formSetDebugCfg with request /goform/setDebugCfg/. |
CVE-2022-40855 | 1 Tenda | 2 W20e, W20e Firmware | 2022-09-28 | N/A | 9.8 CRITICAL | Tenda W20E router V15.11.0.6 contains a stack overflow in the function formSetPortMapping with post request 'goform/setPortMapping/'. This vulnerability allows attackers to cause a Denial of Service (DoS) or Remote Code Execution (RCE) via the portMappingServer, portMappingProtocol, portMappingWan, porMappingtInternal, and portMappingExternal parameters. |
CVE-2022-40867 | 1 Tenda | 2 W20e, W20e Firmware | 2022-09-28 | N/A | 9.8 CRITICAL | Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formIPMacBindDel with the request /goform/delIpMacBind/. |
CVE-2022-40868 | 1 Tenda | 2 W20e, W20e Firmware | 2022-09-28 | N/A | 9.8 CRITICAL | Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formDelDhcpRule with the request /goform/delDhcpRules/. |
CVE-2022-30003 | 1 Online Market Place Site Project | 1 Online Market Place Site | 2022-09-28 | N/A | 5.4 MEDIUM | Sourcecodester Online Market Place Site 1.0 is vulnerable to Cross Site Scripting (XSS), allowing attackers to register as a Seller and then create new products containing XSS payloads in the 'Product Title' and 'Short Description' fields. |
CVE-2022-41347 | 1 Zimbra | 1 Collaboration | 2022-09-28 | N/A | 7.8 HIGH | An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root. |
CVE-2022-30004 | 1 Online Market Place Site Project | 1 Online Market Place Site | 2022-09-28 | N/A | 9.8 CRITICAL | Sourcecodester Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection vulnerability, allowing remote attackers to dump the SQL database via time-based SQL injection. |
CVE-2022-3298 | 1 Ikus-soft | 1 Rdiffweb | 2022-09-28 | N/A | 7.5 HIGH | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.4.8. |
CVE-2022-1613 | 1 10up | 1 Restricted Site Access | 2022-09-28 | N/A | 5.3 MEDIUM | The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations. |
CVE-2021-24890 | 1 Dplugins | 1 Scripts Organizer | 2022-09-28 | N/A | 8.8 HIGH | The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file. |
CVE-2022-2926 | 1 Adobe | 1 Download Manager | 2022-09-28 | N/A | 4.9 MEDIUM | The Download Manager WordPress plugin before 3.2.55 does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory. |
CVE-2022-3119 | 1 Oauth Client Single Sign On Project | 1 Oauth Client Single Sign On | 2022-09-28 | N/A | 7.5 HIGH | The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address. |
CVE-2022-2987 | 1 Ldap Wp Login / Active Directory Integration Project | 1 Ldap Wp Login / Active Directory Integration | 2022-09-28 | N/A | 7.5 HIGH | The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating its settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticate users, therefore bypassing the current authentication. |
CVE-2022-35893 | 1 Insyde | 1 Insydeh2o | 2022-09-28 | N/A | 8.2 HIGH | An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM memory corruption vulnerability in the FvbServicesRuntimeDxe driver allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM. |
CVE-2022-41340 | 1 Secp256k1-js Project | 1 Secp256k1-js | 2022-09-28 | N/A | 7.5 HIGH | The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery. |