Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2003-1229 | 1 Sun | 4 Java Web Start, Jdk, Jre and 1 more | 2022-09-13 | 7.5 HIGH | N/A |
| X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files. | |||||
| CVE-2022-40280 | 1 Samsung | 1 Tizenrt | 2022-09-13 | N/A | 7.5 HIGH |
| An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). createDB in security/provisioning/src/provisioningdatabasemanager.c has a missing sqlite3_close after sqlite3_open_v2, leading to a denial of service. | |||||
| CVE-2022-37145 | 1 Plextrac | 1 Plextrac | 2022-09-13 | N/A | 7.5 HIGH |
| The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider. | |||||
| CVE-2022-36090 | 1 Xwiki | 1 Xwiki | 2022-09-13 | N/A | 8.1 HIGH |
| XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki. | |||||
| CVE-2022-36091 | 1 Xwiki | 1 Xwiki | 2022-09-13 | N/A | 7.5 HIGH |
| XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though. | |||||
| CVE-2022-36070 | 2 Microsoft, Python-poetry | 2 Windows, Poetry | 2022-09-13 | N/A | 7.3 HIGH |
| Poetry is a dependency manager for Python. To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe. The victim could also not protect themself by vetting any Git or Poetry config files that might be present in the directory, because the behavior is undocumented. Versions 1.1.9 and 1.2.0b1 contain patches for this issue. | |||||
| CVE-2022-36069 | 1 Python-poetry | 1 Poetry | 2022-09-13 | N/A | 7.3 HIGH |
| Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue. | |||||
| CVE-2022-38283 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/video/list. | |||||
| CVE-2022-38282 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/videoalbum/list. | |||||
| CVE-2022-38277 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/folderrollpicture/list. | |||||
| CVE-2022-38279 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/imagealbum/list. | |||||
| CVE-2022-38278 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/friendlylink/list. | |||||
| CVE-2022-38280 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/image/list. | |||||
| CVE-2022-38281 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/site/list. | |||||
| CVE-2022-38272 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list. | |||||
| CVE-2022-37163 | 1 Ihatetobudget Project | 1 Ihatetobudget | 2022-09-13 | N/A | 9.8 CRITICAL |
| Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes. | |||||
| CVE-2022-38273 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list_approve. | |||||
| CVE-2022-38275 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/contact/list. | |||||
| CVE-2022-38274 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/comment/list. | |||||
| CVE-2022-38276 | 1 Jflyfox | 1 Jfinal Cms | 2022-09-13 | N/A | 7.2 HIGH |
| JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/foldernotice/list. | |||||