Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32056 | 1 Online Accreditation Management System Project | 1 Online Accreditation Management System | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Online Accreditation Management v1.0 was discovered to contain a SQL injection vulnerability via the USERNAME parameter at process.php. | |||||
| CVE-2022-32054 | 1 Tenda | 2 Ac10, Ac10 Firmware | 2022-07-14 | 10.0 HIGH | 9.8 CRITICAL |
| Tenda AC10 US_AC10V1.0RTL_V15.03.06.26_multi_TD01 was discovered to contain a remote code execution (RCE) vulnerability via the lanIp parameter. | |||||
| CVE-2021-44791 | 1 Apache | 1 Druid | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. | |||||
| CVE-2021-29281 | 1 Gfi | 1 Archiver | 2022-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317. | |||||
| CVE-2022-2321 | 1 Heroiclabs | 1 Nakama | 2022-07-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. This results in login brute-force attacks. | |||||
| CVE-2022-2306 | 1 Heroiclabs | 1 Nakama | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| Old session tokens can be used to authenticate to the application and send authenticated requests. | |||||
| CVE-2022-35229 | 1 Zabbix | 1 Zabbix | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. | |||||
| CVE-2022-35230 | 1 Zabbix | 1 Zabbix | 2022-07-14 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. | |||||
| CVE-2022-22681 | 1 Synology | 1 Photo Station | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | |||||
| CVE-2022-32290 | 1 Northern.tech | 1 Mender | 2022-07-14 | 3.3 LOW | 4.3 MEDIUM |
| The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead of only the localhost interface. Therefore, any client on the same network can connect to this TCP port and send HTTP requests. The Mender Client will forward these requests to the Mender Server. Additionally, if mTLS is set up, the Mender Client will connect to the Mender Server using the device's client certificate, making it possible for the attacker to bypass mTLS authentication and send requests to the Mender Server without direct access to the client certificate and related private key. Accessing the HTTP proxy from the local network doesn't represent a direct threat, because it doesn't expose any device or server-specific data. However, it increases the attack surface and can be a potential vector to exploit other vulnerabilities both on the Client and the Server. | |||||
| CVE-2022-31133 | 1 Humhub | 1 Humhub | 2022-07-14 | 3.5 LOW | 4.8 MEDIUM |
| HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need a permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped and so an attacker with sufficient privilege could insert malicious javascript into a space name and exploit system users who visit that space. It is recommended that the HumHub is upgraded to 1.11.4, 1.10.5. There are no known workarounds for this issue. | |||||
| CVE-2021-31645 | 1 Glftpd | 1 Glftpd | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in glFTPd 2.11a that allows remote attackers to cause a denial of service via exceeding the connection limit. | |||||
| CVE-2021-28507 | 1 Arista | 1 Eos | 2022-07-14 | 4.9 MEDIUM | 7.1 HIGH |
| An issue has recently been discovered in Arista EOS where, under certain conditions, the service ACL configured for OpenConfig gNOI and OpenConfig RESTCONF might be bypassed, which results in the denied requests being forwarded to the agent. | |||||
| CVE-2021-28506 | 1 Arista | 1 Eos | 2022-07-14 | 9.4 HIGH | 9.1 CRITICAL |
| An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device. | |||||
| CVE-2021-46825 | 1 Broadcom | 2 Advanced Secure Gateway, Proxysg | 2022-07-14 | 6.4 MEDIUM | 9.1 CRITICAL |
| Symantec Advanced Secure Gateway (ASG) and ProxySG are susceptible to an HTTP desync vulnerability. When a remote unauthenticated attacker and other web clients communicate through the proxy with the same web server, the attacker can send crafted HTTP requests and cause the proxy to forward web server responses to unintended clients. Severity/CVSSv3: High / 8.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | |||||
| CVE-2022-32441 | 1 Hex-rays | 1 Ida | 2022-07-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| A memory corruption in Hex Rays Ida Pro v6.6 allows attackers to cause a Denial of Service (DoS) via a crafted file. Related to Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056. | |||||
| CVE-2021-28501 | 1 Arista | 1 Terminattr | 2022-07-14 | 6.9 MEDIUM | 7.8 HIGH |
| An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration. | |||||
| CVE-2022-23714 | 2 Elastic, Microsoft | 2 Endpoint Security, Windows | 2022-07-14 | 7.2 HIGH | 7.8 HIGH |
| A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | |||||
| CVE-2021-35248 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2022-07-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings. | |||||
| CVE-2022-23172 | 1 Priority-software | 1 Priority | 2022-07-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| An attacker can access to "Forgot my password" button, as soon as he puts users is valid in the system, the system would issue a message that a password reset email had been sent to user. This way you can verify which users are in the system and which are not. | |||||