Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26858 | 1 Dell | 798 Alienware M15 R6, Alienware M15 R6 Firmware, Chengming 3980 and 795 more | 2022-09-13 | N/A | 7.8 HIGH |
| Dell BIOS versions contain an Improper Authentication vulnerability. A locally authenticated malicious user could potentially exploit this vulnerability by sending malicious input to an SMI in order to bypass security controls. | |||||
| CVE-2022-26859 | 1 Dell | 798 Alienware M15 R6, Alienware M15 R6 Firmware, Chengming 3980 and 795 more | 2022-09-13 | N/A | 7.0 HIGH |
| Dell BIOS contains a race condition vulnerability. A local attacker could exploit this vulnerability by sending malicious input via SMI in order to bypass security checks during SMM. | |||||
| CVE-2022-26860 | 1 Dell | 798 Alienware M15 R6, Alienware M15 R6 Firmware, Chengming 3980 and 795 more | 2022-09-13 | N/A | 7.8 HIGH |
| Dell BIOS versions contain a stack-based buffer overflow vulnerability. A local attacker could exploit this vulnerability by sending malicious input via SMI to bypass security checks resulting in arbitrary code execution in SMM. | |||||
| CVE-2022-31149 | 1 Activitywatch | 1 Activitywatch | 2022-09-13 | N/A | 9.6 CRITICAL |
| ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a patch. As a workaround, block DNS lookups that resolve to 127.0.0.1. | |||||
| CVE-2022-31166 | 1 Xwiki | 1 Xwiki | 2022-09-13 | N/A | 8.8 HIGH |
| XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor leads to adding a supplementary empty value to groups which is then resolved as a reference to XWiki.WebHome page. Adding an XWikiGroup xobject to that page then transforms it to a group, any user put in that group would then obtain the privileges related to the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and XWiki space in general) should be protected by default for edit rights. The problem has been patched in XWiki 13.10.4 and 14.2RC1 to not consider anymore empty values in XWikiRights. It's possible to work around the problem by setting appropriate rights on XWiki.WebHome page to prevent users to edit it. | |||||
| CVE-2022-20696 | 1 Cisco | 1 Sd-wan Vmanage | 2022-09-13 | N/A | 8.8 HIGH |
| A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system. This vulnerability exists because the messaging server container ports on an affected system lack sufficient protection mechanisms. An attacker could exploit this vulnerability by connecting to the messaging service ports of the affected system. To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration. A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload. | |||||
| CVE-2022-20863 | 1 Cisco | 1 Webex Teams | 2022-09-13 | N/A | 5.3 MEDIUM |
| A vulnerability in the messaging interface of Cisco Webex App, formerly Webex Teams, could allow an unauthenticated, remote attacker to manipulate links or other content within the messaging interface. This vulnerability exists because the affected software does not properly handle character rendering. An attacker could exploit this vulnerability by sending messages within the application interface. A successful exploit could allow the attacker to modify the display of links or other content within the interface, potentially allowing the attacker to conduct phishing or spoofing attacks. | |||||
| CVE-2022-30311 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2022-09-13 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2022-30310 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2022-09-13 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2022-30309 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2022-09-13 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2022-30308 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2022-09-13 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2020-22017 | 2 Debian, Ffmpeg | 2 Debian Linux, Ffmpeg | 2022-09-13 | 6.8 MEDIUM | 8.8 HIGH |
| A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at ff_fill_rectangle in libavfilter/drawutils.c, which might lead to memory corruption and other potential consequences. | |||||
| CVE-2022-30874 | 1 Nukeviet | 1 Nukeviet | 2022-09-13 | 3.5 LOW | 5.4 MEDIUM |
| There is a Cross Site Scripting Stored (XSS) vulnerability in NukeViet CMS before 4.5.02. | |||||
| CVE-2021-23337 | 4 Lodash, Netapp, Oracle and 1 more | 23 Lodash, Active Iq Unified Manager, Cloud Manager and 20 more | 2022-09-13 | 6.5 MEDIUM | 7.2 HIGH |
| Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | |||||
| CVE-2020-28168 | 2 Axios, Siemens | 2 Axios, Sinec Ins | 2022-09-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. | |||||
| CVE-2019-18960 | 1 Amazon | 1 Firecracker | 2022-09-13 | 7.5 HIGH | 9.8 CRITICAL |
| Firecracker vsock implementation buffer overflow in versions 0.18.0 and 0.19.0. This can result in potentially exploitable crashes. | |||||
| CVE-2018-11237 | 5 Canonical, Gnu, Netapp and 2 more | 10 Ubuntu Linux, Glibc, Data Ontap Edge and 7 more | 2022-09-13 | 4.6 MEDIUM | 7.8 HIGH |
| An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper. | |||||
| CVE-2020-7793 | 2 Siemens, Ua-parser-js Project | 2 Sinec Ins, Ua-parser-js | 2022-09-13 | 5.0 MEDIUM | 7.5 HIGH |
| The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info). | |||||
| CVE-2020-19159 | 1 Laiketui | 1 Laiketui | 2022-09-13 | 6.8 MEDIUM | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component '/index.php?module=member&action=add'. | |||||
| CVE-2020-28500 | 3 Lodash, Oracle, Siemens | 19 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 16 more | 2022-09-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. | |||||