Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1425 | 1 2code | 1 Wpqa Builder | 2022-05-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the message_id of the wpqa_message_view ajax action belongs to the requesting user, leading to any user being able to read messages for any other users via a Insecure Direct Object Reference (IDOR) vulnerability. | |||||
| CVE-2021-27773 | 1 Hcltech | 1 Sametime | 2022-05-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| This vulnerability allows users to execute a clickjacking attack in the meeting's chat. | |||||
| CVE-2022-1435 | 1 Wptaskforce | 1 Track \& Trace | 2022-05-24 | 3.5 LOW | 4.8 MEDIUM |
| The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitize and escapes some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-1436 | 1 Wptaskforce | 1 Track \& Trace | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks. | |||||
| CVE-2022-1455 | 1 Callnowbutton | 1 Call Now Button | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled | |||||
| CVE-2020-7106 | 5 Cacti, Debian, Fedoraproject and 2 more | 8 Cacti, Debian Linux, Extra Packages For Enterprise Linux and 5 more | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). | |||||
| CVE-2022-30457 | 2022-05-24 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2022-25862 | 1 Sds Project | 1 Sds | 2022-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-7618](https://security.snyk.io/vuln/SNYK-JS-SDS-564123) | |||||
| CVE-2020-13230 | 3 Cacti, Debian, Fedoraproject | 3 Cacti, Debian Linux, Fedora | 2022-05-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). | |||||
| CVE-2020-9979 | 1 Apple | 3 Ipados, Iphone Os, Tvos | 2022-05-24 | 2.1 LOW | 5.5 MEDIUM |
| A trust issue was addressed by removing a legacy API. This issue is fixed in iOS 14.0 and iPadOS 14.0, tvOS 14.0. An attacker may be able to misuse a trust relationship to download malicious content. | |||||
| CVE-2020-9986 | 1 Apple | 1 Mac Os X | 2022-05-24 | 4.3 MEDIUM | 3.3 LOW |
| A file access issue existed with certain home folder files. This was addressed with improved access restrictions. This issue is fixed in macOS Catalina 10.15.7. A malicious application may be able to read sensitive location information. | |||||
| CVE-2022-21190 | 1 Mozilla | 1 Convict | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with __proto__ or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.__proto__ or foo.this.constructor.prototype. | |||||
| CVE-2021-34587 | 2 Bender, Ibm | 9 Cc612, Cc612 Firmware, Cc613 and 6 more | 2022-05-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Bender/ebee Charge Controllers in multiple versions a long URL could lead to webserver crash. The URL is used as input of an sprintf to a stack variable. | |||||
| CVE-2022-1465 | 1 Wpclever | 1 Wpc Smart Wishlist For Woocommerce | 2022-05-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-23225 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php. | |||||
| CVE-2019-11025 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. | |||||
| CVE-2018-10061 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). | |||||
| CVE-2018-10060 | 2 Cacti, Debian | 2 Cacti, Debian Linux | 2022-05-24 | 3.5 LOW | 5.4 MEDIUM |
| Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. | |||||
| CVE-2021-27768 | 1 Hcltech | 1 Verse | 2022-05-24 | 4.3 MEDIUM | 5.9 MEDIUM |
| Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login. | |||||
| CVE-2022-29383 | 1 Netgear | 2 Ssl312, Ssl312 Firmware | 2022-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi. | |||||