Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-1801 | 1 Very Simple Contact Form Project | 1 Very Simple Contact Form | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH | The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check and rendering the page a likely target for spam bots.
CVE-2022-1818 | 1 Multi-page Toolkit Project | 1 Multi-page Toolkit | 2022-06-28 | 3.5 LOW | 5.4 MEDIUM | The Multi-page Toolkit WordPress plugin through 2.6 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well.
CVE-2022-1717 | 1 Wp-experts | 1 Custom Share Buttons With Floating Sidebar | 2022-06-28 | 3.5 LOW | 4.8 MEDIUM | The Custom Share Buttons with Floating Sidebar WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
CVE-2022-1915 | 1 Wpreviewslider | 1 Wp Zillow Review Slider | 2022-06-28 | 3.5 LOW | 4.8 MEDIUM | The WP Zillow Review Slider WordPress plugin before 2.4 does not escape a setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite).
CVE-2021-41924 | 1 Webkul | 1 Krayin | 2022-06-28 | 4.3 MEDIUM | 6.1 MEDIUM | Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS).
CVE-2022-33055 | 1 Online Railway Reservation System Project | 1 Online Railway Reservation System | 2022-06-28 | 6.5 MEDIUM | 7.2 HIGH | Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/trains/manage_train.php.
CVE-2022-1826 | 1 Cross-linker Project | 1 Cross-linker | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM | The Cross-Linker WordPress plugin through 3.0.1.9 does not have a CSRF check in place when creating Cross-Links, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack.
CVE-2022-23074 | 1 Tandoor | 1 Recipes | 2022-06-28 | 3.5 LOW | 5.4 MEDIUM | In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS) in the 'Name' field of the Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin's account.
CVE-2022-23073 | 1 Tandoor | 1 Recipes | 2022-06-28 | 3.5 LOW | 5.4 MEDIUM | In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS) in the copy-to-clipboard functionality. When a victim accesses the food list page, adds a new Food with a malicious JavaScript payload in the 'Name' parameter and clicks on the clipboard icon, an XSS payload will trigger. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin's account.
CVE-2022-1824 | 1 Mcafee | 1 Consumer Product Removal Tool | 2022-06-28 | 4.4 MEDIUM | 8.2 HIGH | An uncontrolled search path vulnerability in McAfee Consumer Product Removal Tool prior to version 10.4.128 could allow a local attacker to perform a sideloading attack by using a specific file name. This could result in the user gaining elevated permissions and being able to execute arbitrary code, as there were insufficient checks that the executable was signed by McAfee.
CVE-2022-1823 | 1 Mcafee | 1 Consumer Product Removal Tool | 2022-06-28 | 4.6 MEDIUM | 7.8 HIGH | Improper privilege management vulnerability in McAfee Consumer Product Removal Tool prior to version 10.4.128 could allow a local user to modify a configuration file and perform a LOLBin (Living off the Land) attack. This could result in the user gaining elevated permissions and being able to execute arbitrary code, because the integrity of the configuration file is not correctly checked.
CVE-2022-31801 | 2 Phoenixcontact, Phoenixcontact-software | 3 Multiprog, Proconos, Proconos Eclr | 2022-06-28 | 10.0 HIGH | 9.8 CRITICAL | An unauthenticated, remote attacker could upload malicious logic to devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.
CVE-2022-1630 | 1 Wp-email Project | 1 Wp-email | 2022-06-28 | 4.3 MEDIUM | 6.5 MEDIUM | The WP-EMail WordPress plugin before 2.69.0 does not protect its log deletion functionality with nonce checks, allowing attackers to make a logged-in admin delete logs via a CSRF attack.
CVE-2022-31277 | 1 Mi | 2 Xiaomi Lamp 1, Xiaomi Lamp 1 Firmware | 2022-06-28 | 5.8 MEDIUM | 8.8 HIGH | Xiaomi Lamp 1 v2.0.4_0066 was discovered to be vulnerable to replay attacks. This allows attackers to bypass the expected access restrictions and gain control of the switch and other functions via a crafted POST request.
CVE-2020-25459 | 1 Webank | 1 Federated Ai Technology Enabler | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH | An issue discovered in the function sync_tree in hetero_decision_tree_guest.py in WeBank FATE (Federated AI Technology Enabler) 0.1 through 1.4.2 allows attackers to read sensitive information during the training process of machine learning joint modeling.
CVE-2022-31800 | 1 Phoenixcontact | 34 Axc 1050, Axc 1050 Firmware, Axc 1050 Xc and 31 more | 2022-06-28 | 10.0 HIGH | 9.8 CRITICAL | An unauthenticated, remote attacker could upload malicious logic to devices based on ProConOS/ProConOS eCLR in order to gain full control over the device.
CVE-2022-1905 | 1 E-dynamics | 1 Events Made Easy | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL | The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVE-2022-1896 | 1 Underconstruction Project | 1 Underconstruction | 2022-06-28 | 3.5 LOW | 4.8 MEDIUM | The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-1895 | 1 Underconstruction Project | 1 Underconstruction | 2022-06-28 | 4.3 MEDIUM | 4.3 MEDIUM | The underConstruction WordPress plugin before 1.20 does not have a CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack.
CVE-2022-1889 | 1 Thenewsletterplugin | 1 Newsletter | 2022-06-28 | 3.5 LOW | 4.8 MEDIUM | The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.