Total: 210374 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-38085 | Read More By Adam Project | Read More By Adam | 2022-09-26 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in Read more By Adam plugin <= 1.1.8 at WordPress.
CVE-2022-35257 | Ui | Desktop | 2022-09-26 | N/A | 7.8 HIGH | A local privilege escalation vulnerability in UI Desktop for Windows (version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device running UI Desktop to run arbitrary commands as SYSTEM.
CVE-2022-28802 | Zapier | Code By Zapier | 2022-09-26 | N/A | 9.9 CRITICAL | Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials, or other secrets, that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.)
CVE-2022-33649 | Microsoft | Edge Chromium | 2022-09-26 | N/A | 9.6 CRITICAL | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.
CVE-2022-38460 | Notice Board Project | Notice Board | 2022-09-26 | N/A | 5.4 MEDIUM | Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in NOTICE BOARD plugin <= 1.1 at WordPress.
CVE-2022-35249 | Rocket.chat | Rocket.chat | 2022-09-26 | N/A | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.
CVE-2022-35248 | Rocket.chat | Rocket.chat | 2022-09-26 | N/A | 8.8 HIGH | An improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allows two-factor authentication to be bypassed when the client tells the server to use CAS during login.
CVE-2022-39231 | Parseplatform | Parse-server | 2022-09-26 | N/A | 3.7 LOW | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which allow users to authenticate using the Parse Server authentication adapter where `appIds` is set as a string instead of an array of strings authenticate requests from an app with a different app ID than the one specified in the `appIds` configuration. For this vulnerability to be exploited, an attacker needs to be assigned an app ID by the authentication provider which is a subset of the server-side configured app ID. This issue is patched in versions 4.10.16 and 5.2.7. There are no known workarounds.
CVE-2022-35247 | Rocket.chat | Rocket.chat | 2022-09-26 | N/A | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leaks channel members with special roles to unauthorized clients.
CVE-2022-35621 | Evohclaimable Project | Evohclaimable | 2022-09-26 | N/A | 5.3 MEDIUM | Access control vulnerability in the Evoh NFT EvohClaimable contract with sha256 hash code fa2084d5abca91a62ed1d2f1cad3ec318e6a9a2d7f1510a00d898737b05f48ae allows remote attackers to execute fraudulent NFT transfers.
CVE-2022-40979 | Jetbrains | Teamcity | 2022-09-26 | N/A | 5.3 MEDIUM | In JetBrains TeamCity before 2022.04.4, environment variables of "password" type could be logged when using a custom Perforce executable.
CVE-2022-2785 | Linux | Linux Kernel | 2022-09-26 | N/A | 5.5 MEDIUM | There exists an arbitrary memory read within the Linux kernel BPF subsystem: constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c.
CVE-2022-26112 | Apache | Pinot | 2022-09-26 | N/A | 9.8 CRITICAL | In 0.10.0 or older versions of Apache Pinot, the Pinot query endpoint and realtime ingestion layer have a vulnerability in unprotected environments due to Groovy function support. In order to avoid this, Groovy function support is disabled by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0
CVE-2022-39230 | Amazon | Fhir-works-on-aws-authz-smart | 2022-09-26 | N/A | 6.5 MEDIUM | fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client's OAuth scope permits when making "search-type" requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access. Users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 should upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected. There is no workaround for this issue.
CVE-2022-3269 | Ikus-soft | Rdiffweb | 2022-09-26 | N/A | 9.8 CRITICAL | Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.
CVE-2022-36340 | Mailoptin | Mailoptin | 2022-09-26 | N/A | 5.3 MEDIUM | Unauthenticated Optin Campaign Cache Deletion vulnerability in MailOptin plugin <= 1.2.49.0 at WordPress.
CVE-2022-40716 | Hashicorp | Consul | 2022-09-26 | N/A | 6.5 MEDIUM | HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.
CVE-2022-38936 | Pbc Project | Pbc | 2022-09-26 | N/A | 7.5 HIGH | An issue has been found in PBC through 2022-8-27. A SEGV issue was detected in the function pbc_wmessage_integer in src/wmessage.c:137.
CVE-2022-40132 | Castos | Seriously Simple Podcasting | 2022-09-26 | N/A | 4.3 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Podcasting plugin <= 2.16.0 at WordPress, leading to plugin settings change.
CVE-2022-40116 | Online Banking System Project | Online Banking System | 2022-09-26 | N/A | 9.8 CRITICAL | Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search parameter at /net-banking/beneficiary.php.