Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-30334 | 1 Brave | 1 Brave | 2022-05-17 | 5.0 MEDIUM | 5.3 MEDIUM | Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. NOTE: although this was fixed by Brave, the Brave documentation still advises "Note that Private Windows with Tor Connectivity in Brave are just regular private windows that use Tor as a proxy. Brave does NOT implement most of the privacy protections from Tor Browser."
CVE-2022-27412 | 1 Exploreit | 1 Explore Cms | 2022-05-17 | 7.5 HIGH | 9.8 CRITICAL | Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.
CVE-2022-27308 | 1 Phprojekt Phpsimplygest Project | 1 Phprojekt Phpsimplygest | 2022-05-17 | 3.5 LOW | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a project title.
CVE-2021-42743 | 2 Microsoft, Splunk | 2 Windows, Splunk | 2022-05-17 | 4.6 MEDIUM | 7.8 HIGH | A misconfiguration in the node default path allows for local privilege escalation from a lower privileged user to the Splunk user in Splunk Enterprise versions before 8.1.1 on Windows.
CVE-2021-23792 | 1 Twelvemonkeys Project | 1 Twelvemonkeys | 2022-05-17 | 7.5 HIGH | 9.8 CRITICAL | The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
CVE-2022-26070 | 1 Splunk | 1 Splunk | 2022-05-17 | 4.0 MEDIUM | 4.3 MEDIUM | When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.
CVE-2021-33845 | 1 Splunk | 1 Splunk | 2022-05-17 | 5.0 MEDIUM | 5.3 MEDIUM | The Splunk Enterprise REST API allows enumeration of usernames via the lockout error message. The potential vulnerability impacts Splunk Enterprise instances before 8.1.7 when configured to repress verbose login errors.
CVE-2022-25324 | 1 Bignum Project | 1 Bignum | 2022-05-17 | 5.0 MEDIUM | 7.5 HIGH | All versions of package bignum are vulnerable to Denial of Service (DoS) due to a type-check exception in V8: when verifying the type of the second argument to the .powm function, V8 will crash regardless of Node try/catch blocks.
CVE-2022-27114 | 2 Debian, Htmldoc Project | 2 Debian Linux, Htmldoc | 2022-05-17 | 4.3 MEDIUM | 5.5 MEDIUM | There is a vulnerability in htmldoc 1.9.16. In the image_load_jpeg function in image.cxx, when it calls malloc, 'img->width' and 'img->height' are large enough to cause an integer overflow. So the malloc function may return a heap block smaller than the expected size, and this causes a buffer overflow/address boundary error in the jpeg_read_scanlines function.
CVE-2022-22481 | 1 Ibm | 1 I | 2022-05-17 | 5.0 MEDIUM | 5.3 MEDIUM | IBM Navigator for i 7.2, 7.3, and 7.4 (heritage version) could allow a remote attacker to obtain access to the web interface without valid credentials. By modifying the sign on request, an attacker can gain visibility to the fully qualified domain name of the target system and the navigator tasks page; however, they do not gain the ability to perform those tasks on the system or see any specific system data. IBM X-Force ID: 225899.
CVE-2021-27759 | 1 Hcltech | 1 Bigfix Inventory | 2022-05-17 | 4.3 MEDIUM | 6.5 MEDIUM | This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application.
CVE-2019-25060 | 1 Wpgraphql | 1 Wpgraphql | 2022-05-17 | 5.0 MEDIUM | 5.3 MEDIUM | The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.
CVE-2021-27758 | 1 Hcltech | 1 Bigfix Inventory | 2022-05-17 | 4.3 MEDIUM | 6.5 MEDIUM | There is a security vulnerability in the login form related to Cross-site Request Forgery which prevents a user from logging in after an attacker spams the login and the system blocks the victim's account.
CVE-2022-1047 | 1 Themify | 1 Post Type Builder Search Addon | 2022-05-17 | 4.3 MEDIUM | 6.1 MEDIUM | The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in an HTML attribute, leading to a reflected cross-site scripting vulnerability.
CVE-2022-29535 | 1 Zohocorp | 1 Manageengine Opmanager | 2022-05-17 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.
CVE-2022-0814 | 1 Ubigeo De Peru Para Woocommerce Project | 1 Ubigeo De Peru Para Woocommerce | 2022-05-17 | 7.5 HIGH | 9.8 CRITICAL | The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
CVE-2022-1104 | 1 Code-atlantic | 1 Popup Maker | 2022-05-17 | 3.5 LOW | 4.8 MEDIUM | The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-29161 | 1 Xwiki | 1 Xwiki | 2022-05-17 | 6.8 MEDIUM | 9.8 CRITICAL | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki versions 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advised to upgrade their XWiki installation to one of the patched versions. If the upgrade is not possible, it is possible to patch the module xwiki-platform-crypto in a local installation by applying the change exposed in 26728f3 and re-compiling the module.
CVE-2022-1013 | 1 Ays-pro | 1 Personal Dictionary | 2022-05-17 | 7.5 HIGH | 9.8 CRITICAL | The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST data before it is interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.
CVE-2022-0948 | 1 Pluginbazaar | 1 Order Listener For Woocommerce | 2022-05-17 | 7.5 HIGH | 9.8 CRITICAL | The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.