Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27466 | 1 Mingsoft | 1 Mcms | 2022-05-10 | 7.5 HIGH | 9.8 CRITICAL |
| MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. | |||||
| CVE-2022-28571 | 1 Dlink | 2 Dir-882, Dir-882 Firmware | 2022-05-10 | 5.8 MEDIUM | 9.8 CRITICAL |
| D-link 882 DIR882A1_FW130B06 was discovered to contain a command injection vulnerability in`/usr/bin/cli. | |||||
| CVE-2022-23065 | 1 Vendure | 1 Vendure | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users. | |||||
| CVE-2022-23064 | 1 Snipeitapp | 1 Snipe-it | 2022-05-10 | 6.8 MEDIUM | 8.8 HIGH |
| In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which once clicked lead to an attacker controlled server and thus leading to password reset token leak. This leads to account take over. | |||||
| CVE-2022-28451 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. | |||||
| CVE-2022-29903 | 1 Mediawiki | 1 Mediawiki | 2022-05-10 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains. | |||||
| CVE-2022-24892 | 1 Shopware | 1 Shopware | 2022-05-10 | 6.8 MEDIUM | 7.5 HIGH |
| Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9. | |||||
| CVE-2022-23904 | 1 Rainworx | 1 Auctionworx | 2022-05-10 | 6.0 MEDIUM | 8.0 HIGH |
| Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx admin control panel. This vulnerability affects AuctionWorx Enterprise and AuctionWorx: Events Edition. | |||||
| CVE-2022-22514 | 1 Codesys | 20 Control For Beaglebone Sl, Control For Beckhoff Cx9020, Control For Empc-a\/imx6 Sl and 17 more | 2022-05-10 | 4.9 MEDIUM | 7.1 HIGH |
| An authenticated, remote attacker can gain access to a dereferenced pointer contained in a request. The accesses can subsequently lead to local overwriting of memory in the CmpTraceMgr, whereby the attacker can neither gain the values read internally nor control the values to be written. If invalid memory is accessed, this results in a crash. | |||||
| CVE-2022-22513 | 1 Codesys | 20 Control For Beaglebone Sl, Control For Beckhoff Cx9020, Control For Empc-a\/imx6 Sl and 17 more | 2022-05-10 | 3.5 LOW | 6.5 MEDIUM |
| An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash. | |||||
| CVE-2022-1175 | 1 Gitlab | 1 Gitlab | 2022-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. | |||||
| CVE-2022-1166 | 1 Nootheme | 1 Jobmonster | 2022-05-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file, or .htaccess file. This could expose personal data such as people's resumes. Although Directory Listing can be prevented by securely configuring the web server, vendors can also take measures to make it less likely to happen. | |||||
| CVE-2021-22572 | 1 Google | 1 Data Transfer Project | 2022-05-10 | 2.1 LOW | 5.5 MEDIUM |
| On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is File.createTempFile creates files in the the system temporary directory with world readable permissions. Any sensitive information written to theses files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969 | |||||
| CVE-2022-29967 | 1 Glewlwyd Project | 1 Glewlwyd | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal. | |||||
| CVE-2022-29849 | 1 Progress | 1 Openedge | 2022-05-10 | 7.2 HIGH | 7.8 HIGH |
| In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system. | |||||
| CVE-2022-26565 | 1 Totaljs | 1 Content Management System | 2022-05-10 | 3.5 LOW | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Totaljs all versions before commit 95f54a5commit, allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page. | |||||
| CVE-2021-28657 | 2 Apache, Oracle | 5 Tika, Communications Messaging Server, Healthcare Foundation and 2 more | 2022-05-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later. | |||||
| CVE-2020-13543 | 1 Webkitgtk | 1 Webkitgtk | 2022-05-10 | 6.8 MEDIUM | 8.8 HIGH |
| A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | |||||
| CVE-2020-10693 | 4 Ibm, Oracle, Quarkus and 1 more | 8 Websphere Application Server, Weblogic Server, Quarkus and 5 more | 2022-05-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. | |||||
| CVE-2021-20289 | 4 Netapp, Oracle, Quarkus and 1 more | 4 Oncommand Insight, Communications Cloud Native Core Console, Quarkus and 1 more | 2022-05-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. | |||||