Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28385 | 1 Verbatim | 4 Executive Fingerprint Secure Ssd, Executive Fingerprint Secure Ssd Firmware, Fingerprint Secure Portable Hard Drive and 1 more | 2022-06-21 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered in certain Verbatim drives through 2022-03-31. Due to missing integrity checks, an attacker can manipulate the content of the emulated CD-ROM drive (containing the Windows and macOS client software). The content of this emulated CD-ROM drive is stored as an ISO-9660 image in the hidden sectors of the USB drive, that can only be accessed using special IOCTL commands, or when installing the drive in an external disk enclosure. By manipulating this ISO-9660 image or replacing it with another one, an attacker is able to store malicious software on the emulated CD-ROM drive. This software may get executed by an unsuspecting victim when using the device. For example, an attacker with temporary physical access during the supply chain could program a modified ISO-9660 image on a device that always accepts an attacker-controlled password for unlocking the device. If the attacker later on gains access to the used USB drive, he can simply decrypt all contained user data. Storing arbitrary other malicious software is also possible. This affects Executive Fingerprint Secure SSD GDMSFE01-INI3637-C VER1.1 and Fingerprint Secure Portable Hard Drive Part Number #53650. | |||||
| CVE-2022-1790 | 1 New User Email Set Up Project | 1 New User Email Set Up | 2022-06-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The New User Email Set Up WordPress plugin through 0.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1788 | 1 Change Uploaded File Permissions Project | 1 Change Uploaded File Permissions | 2022-06-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Due to missing checks the Change Uploaded File Permissions WordPress plugin through 4.0.0 is vulnerable to CSRF attacks. This can be used to change the file and folder permissions of any folder. This could be problematic when specific files like ini files are made readable for everyone due to this. | |||||
| CVE-2022-1814 | 1 Wp Admin Style Project | 1 Wp Admin Style | 2022-06-21 | 3.5 LOW | 4.8 MEDIUM |
| The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed | |||||
| CVE-2022-1800 | 1 Export Any Wordpress Data To Xml\/csv Project | 1 Export Any Wordpress Data To Xml\/csv | 2022-06-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability. | |||||
| CVE-2022-1793 | 1 Private Files Project | 1 Private Files | 2022-06-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Private Files WordPress plugin through 0.40 is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public | |||||
| CVE-2022-1792 | 1 Quick Subscribe Project | 1 Quick Subscribe | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| The Quick Subscribe WordPress plugin through 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them | |||||
| CVE-2022-1822 | 1 Zephyrproject | 1 Zephyr | 2022-06-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2022-22475 | 1 Ibm | 2 Open Liberty, Websphere Application Server | 2022-06-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. IBM X-Force ID: 225603. | |||||
| CVE-2003-0947 | 1 Wireless Tools Project | 1 Wireless Tools | 2022-06-21 | 7.2 HIGH | N/A |
| Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable. | |||||
| CVE-2022-2054 | 1 Nuitka | 1 Nuitka | 2022-06-21 | 7.2 HIGH | 7.8 HIGH |
| Command Injection in GitHub repository nuitka/nuitka prior to 0.9. | |||||
| CVE-2021-41641 | 1 Deno | 1 Deno | 2022-06-21 | 3.6 LOW | 8.4 HIGH |
| Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory. | |||||
| CVE-2018-25039 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/RgUrlBlock.asp. The manipulation of the argument BasicParentalNewKeyword with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-25038 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been classified as problematic. This affects an unknown part of the file /goform/RgDhcp. The manipulation of the argument PppUserName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-31040 | 1 Maykinmedia | 1 Open Forms | 2022-06-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open Forms is an application for creating and publishing smart forms. Prior to versions 1.0.9 and 1.1.1, the cookie consent page in Open Forms contains an open redirect by injecting a `referer` querystring parameter and failing to validate the value. A malicious actor is able to redirect users to a website under their control, opening them up for phishing attacks. The redirect is initiated by the open forms backend which is a legimate page, making it less obvious to end users they are being redirected to a malicious website. Versions 1.0.9 and 1.1.1 contain patches for this issue. There are no known workarounds avaialble. | |||||
| CVE-2022-32272 | 1 Opswat | 1 Metadefender | 2022-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| OPSWAT MetaDefender Core before 5.1.2, MetaDefender ICAP before 4.12.1, and MetaDefender Email Gateway Security before 5.6.1 have incorrect access control, resulting in privilege escalation. | |||||
| CVE-2018-25037 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability was found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this issue is some unknown functionality of the file /goform/RgDdns. The manipulation of the argument DdnsHostName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-25036 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability has been found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /goform/RgTime. The manipulation of the argument TimeServer1/TimeServer2/TimeServer3 with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2018-25035 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2022-06-21 | 3.5 LOW | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Thomson TCW710 ST5D.10.05. Affected is an unknown function of the file /goform/RGFirewallEL. The manipulation of the argument EmailAddress/SmtpServerName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2019-9201 | 1 Phoenixcontact | 16 Axc 1050, Axc 1050 Firmware, Ilc 131 Eth and 13 more | 2022-06-21 | 9.0 HIGH | 9.8 CRITICAL |
| Multiple Phoenix Contact devices allow remote attackers to establish TCP sessions to port 1962 and obtain sensitive information or make changes, as demonstrated by using the Create Backup feature to traverse all directories. | |||||