Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25295 | 1 Getgophish | 1 Gophish | 2022-09-14 | N/A | 5.4 MEDIUM |
| This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts with multiple backslashes like \\\\\\example.com, browser will redirect user to http://example.com. | |||||
| CVE-2021-37819 | 1 Pdftk-java Project | 1 Pdftk-java | 2022-09-14 | N/A | 7.5 HIGH |
| PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite loop via the component /text/pdf/PdfReader.java. | |||||
| CVE-2022-36110 | 1 Gravitl | 1 Netmaker | 2022-09-14 | N/A | 8.8 HIGH |
| Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1. | |||||
| CVE-2022-38069 | 1 Contechealth | 2 Cms8000, Cms8000 Firmware | 2022-09-14 | N/A | 6.1 MEDIUM |
| Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters | |||||
| CVE-2022-38100 | 1 Contechealth | 2 Cms8000, Cms8000 Firmware | 2022-09-14 | N/A | 7.5 HIGH |
| The CMS800 device fails while attempting to parse malformed network data sent by a threat actor. A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot. A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CME8000 devices connected to the same network. | |||||
| CVE-2022-38453 | 1 Contechealth | 2 Cms8000, Cms8000 Firmware | 2022-09-14 | N/A | 4.4 MEDIUM |
| Multiple binary application files on the CMS8000 device are compiled with 'not stripped' and 'debug_info' compilation settings. These compiler settings greatly decrease the level of effort for a threat actor to reverse engineer sensitive code and identify additional vulnerabilities. | |||||
| CVE-2022-3027 | 1 Contechealth | 2 Cms8000, Cms8000 Firmware | 2022-09-14 | N/A | 5.7 MEDIUM |
| The CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point. A threat actor could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malicious SSID, the device can be exploited to write arbitrary files or display incorrect information. | |||||
| CVE-2022-37411 | 1 Captcha Code Project | 1 Captcha Code | 2022-09-14 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Vinoj Cardoza's Captcha Code plugin <= 2.7 at WordPress. | |||||
| CVE-2022-38067 | 1 Total-soft | 1 Event Calendar | 2022-09-14 | N/A | 5.3 MEDIUM |
| Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. | |||||
| CVE-2022-38096 | 1 Linux | 1 Linux Kernel | 2022-09-14 | N/A | 5.5 MEDIUM |
| A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). | |||||
| CVE-2022-38081 | 1 Openharmony | 1 Openharmony | 2022-09-14 | N/A | 5.5 MEDIUM |
| OpenHarmony-v3.1.2 and prior versions have a permission bypass vulnerability. LAN attackers can bypass the distributed permission control.To take advantage of this weakness, attackers need another vulnerability to obtain system. | |||||
| CVE-2022-38700 | 1 Openharmony | 1 Openharmony | 2022-09-14 | N/A | 8.8 HIGH |
| OpenHarmony-v3.1.1 and prior versions have a permission bypass vulnerability. LAN attackers can bypass permission control and get control of camera service. | |||||
| CVE-2022-38457 | 1 Linux | 1 Linux Kernel | 2022-09-14 | N/A | 5.5 MEDIUM |
| A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). | |||||
| CVE-2022-38701 | 1 Openharmony | 1 Openharmony | 2022-09-14 | N/A | 3.3 LOW |
| OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information. | |||||
| CVE-2021-36221 | 5 Debian, Fedoraproject, Golang and 2 more | 6 Debian Linux, Fedora, Go and 3 more | 2022-09-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. | |||||
| CVE-2021-29923 | 3 Fedoraproject, Golang, Oracle | 3 Fedora, Go, Timesten In-memory Database | 2022-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. | |||||
| CVE-2021-33198 | 1 Golang | 1 Go | 2022-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | |||||
| CVE-2021-33197 | 1 Golang | 1 Go | 2022-09-14 | 4.3 MEDIUM | 5.3 MEDIUM |
| In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | |||||
| CVE-2021-33195 | 2 Golang, Netapp | 2 Go, Cloud Insights Telegraf Agent | 2022-09-14 | 7.5 HIGH | 7.3 HIGH |
| Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | |||||
| CVE-2022-32458 | 1 Digiwin | 1 Business Process Management | 2022-09-14 | N/A | 7.5 HIGH |
| Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files. | |||||