Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1716 | 2022-06-06 | N/A | N/A | ||
| Keep My Notes v1.80.147 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation. | |||||
| CVE-2022-30617 | 1 Strapi | 1 Strapi | 2022-06-06 | 9.0 HIGH | 8.8 HIGH |
| An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” that has updated one of the author’s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other users’ accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a “super admin” account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users. | |||||
| CVE-2021-32934 | 1 Throughtek | 1 Kalay P2p Software Development Kit | 2022-06-06 | 5.0 MEDIUM | 7.5 HIGH |
| The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds. | |||||
| CVE-2021-25698 | 1 Teradici | 1 Pcoip Standard Agent | 2022-06-06 | 4.4 MEDIUM | 7.8 HIGH |
| The OpenSSL component of the Teradici PCoIP Standard Agent prior to version 21.07.0 was compiled without the no-autoload-config option, which allowed an attacker to elevate to the privileges of the running process via placing a specially crafted dll in a build configuration directory. | |||||
| CVE-2022-29184 | 1 Thoughtworks | 1 Gocd | 2022-06-06 | 6.5 MEDIUM | 8.8 HIGH |
| GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image. | |||||
| CVE-2022-29249 | 1 Javaez Project | 1 Javaez | 2022-06-06 | 5.0 MEDIUM | 7.5 HIGH |
| JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows force decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. The vulnerability has been patched in release 1.7. Currently, there is no way to fix the issue without upgrading. | |||||
| CVE-2022-29183 | 1 Thoughtworks | 1 Gocd | 2022-06-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function. | |||||
| CVE-2022-29182 | 1 Thoughtworks | 1 Gocd | 2022-06-06 | 4.3 MEDIUM | 5.4 MEDIUM |
| GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds. | |||||
| CVE-2021-4230 | 1 Airfield Online Project | 1 Airfield Online | 2022-06-06 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been found in Airfield Online and classified as problematic. This vulnerability affects the path /backups/ of the MySQL backup handler. An attacker is able to get access to sensitive data without proper authentication. It is recommended to the change the configuration settings. | |||||
| CVE-2021-4229 | 1 Ua-parser-js Project | 1 Ua-parser-js | 2022-06-06 | 7.6 HIGH | 8.8 HIGH |
| A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2021-45915 | 1 Luxsoft | 1 Luxcal | 2022-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator. | |||||
| CVE-2021-45914 | 1 Luxsoft | 1 Luxcal | 2022-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator. | |||||
| CVE-2022-29178 | 1 Cilium | 1 Cilium | 2022-06-06 | 4.6 MEDIUM | 8.2 HIGH |
| Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium's DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability. | |||||
| CVE-2022-29405 | 1 Apache | 1 Archiva | 2022-06-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8 | |||||
| CVE-2022-24905 | 1 Linuxfoundation | 1 Argo-cd | 2022-06-06 | 2.6 LOW | 4.3 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds. | |||||
| CVE-2021-40161 | 1 Autodesk | 13 Advance Steel, Autocad, Autocad Architecture and 10 more | 2022-06-04 | 4.4 MEDIUM | 7.8 HIGH |
| A Memory Corruption vulnerability may lead to code execution through maliciously crafted DLL files through PDFTron earlier than 9.0.7 version. | |||||
| CVE-2021-46363 | 1 Magnolia-cms | 1 Magnolia Cms | 2022-06-04 | 9.3 HIGH | 7.8 HIGH |
| An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel. | |||||
| CVE-2022-28062 | 1 Online Car Rental System Project | 1 Online Car Rental System | 2022-06-04 | 6.5 MEDIUM | 8.8 HIGH |
| Car Rental System v1.0 contains an arbitrary file upload vulnerability via the Add Car component which allows attackers to upload a webshell and execute arbitrary code. | |||||
| CVE-2021-38264 | 1 Liferay | 1 Liferay Portal | 2022-06-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Frontend Taglib module in Liferay Portal 7.4.0 and 7.4.1 allows remote attackers to inject arbitrary web script or HTML into the management toolbar search via the `keywords` parameter. This issue is caused by an incomplete fix in CVE-2021-35463. | |||||
| CVE-2016-4074 | 1 Jq Project | 1 Jq | 2022-06-04 | 7.8 HIGH | 7.5 HIGH |
| The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq 1.6_rc1-r0. | |||||