Total
210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-1881 | 1 Octopus | 1 Octopus Server | 2022-07-27 | N/A | 5.3 MEDIUM |
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space. | |||||
CVE-2022-1670 | 1 Octopus | 1 Octopus Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users. | |||||
CVE-2022-34901 | 1 Parallels | 1 Parallels Access | 2022-07-27 | N/A | 7.8 HIGH |
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The service executes files from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-16137. | |||||
CVE-2022-34900 | 1 Parallels | 1 Parallels Access | 2022-07-27 | N/A | 7.8 HIGH |
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.3 (39313) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Dispatcher service. The service loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15213. | |||||
CVE-2022-34902 | 1 Parallels | 1 Parallels Access | 2022-07-27 | N/A | 7.8 HIGH |
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Desktop Control Agent service. The service loads Qt plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-15787. | |||||
CVE-2022-34889 | 1 Parallels | 1 Parallels Desktop | 2022-07-27 | N/A | 8.2 HIGH |
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the ACPI virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-16554. | |||||
CVE-2022-2394 | 1 Perforce | 1 Puppet Bolt | 2022-07-27 | N/A | 3.5 LOW |
Puppet Bolt prior to version 3.24.0 prints sensitive parameters when planning a run, so they can end up logged when Bolt is run programmatically, such as via Puppet Enterprise. | |||||
CVE-2022-34001 | 1 Unit4 | 1 Enterprise Resource Planning | 2022-07-27 | N/A | 6.5 MEDIUM |
Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously. | |||||
CVE-2022-34035 | 1 Htmldoc Project | 1 Htmldoc | 2022-07-27 | N/A | 7.5 HIGH |
HTMLDoc v1.9.12 and below was discovered to contain a heap overflow via e_node htmldoc/htmldoc/html.cxx:588. | |||||
CVE-2022-34033 | 1 Htmldoc Project | 1 Htmldoc | 2022-07-27 | N/A | 7.5 HIGH |
HTMLDoc v1.9.15 was discovered to contain a heap overflow via (write_header) /htmldoc/htmldoc/html.cxx:273. | |||||
CVE-2015-8031 | 1 Eclipse | 1 Hudson | 2022-07-27 | N/A | 9.8 CRITICAL |
Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks. | |||||
CVE-2022-24691 | 1 Dsk | 1 Dsknet | 2022-07-27 | N/A | 7.1 HIGH |
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. A SQL Injection vulnerability allows authenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Injection is blind boolean based. | |||||
CVE-2022-24690 | 1 Dsk | 1 Dsknet | 2022-07-27 | N/A | 8.2 HIGH |
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. A PresAbs.php SQL Injection vulnerability allows unauthenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Injection is blind boolean based. (An unauthenticated attacker can discover the endpoint by abusing a Broken Access Control issue with further SQL injection attacks to gather all users' badge numbers and PIN codes.) | |||||
CVE-2022-34049 | 1 Wavlink | 2 Wl-wn530hg4, Wl-wn530hg4 Firmware | 2022-07-27 | N/A | 5.3 MEDIUM |
An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data. | |||||
CVE-2021-40149 | 1 Reolink | 2 E1 Zoom, E1 Zoom Firmware | 2022-07-27 | N/A | 5.9 MEDIUM |
The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI. | |||||
CVE-2022-1502 | 1 Octopus | 1 Server | 2022-07-27 | 3.5 LOW | 4.3 MEDIUM |
Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions. | |||||
CVE-2021-31817 | 1 Octopus | 1 Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
When Octopus Server is configured with an external SQL database, the database password is written in plaintext to the OctopusServer.txt log file on initial configuration. | |||||
CVE-2021-31816 | 1 Octopus | 1 Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
When Octopus Server is configured with an external SQL database, the database password is written in plaintext to the OctopusServer.txt log file on initial configuration. | |||||
CVE-2021-31818 | 1 Octopus | 1 Server | 2022-07-27 | 4.0 MEDIUM | 4.3 MEDIUM |
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables. | |||||
CVE-2021-30183 | 1 Octopus | 1 Server | 2022-07-27 | 5.0 MEDIUM | 7.5 HIGH |
Cleartext storage of sensitive information in multiple versions of Octopus Server: in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext. |