Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25648 | 4 Fedoraproject, Mozilla, Oracle and 1 more | 6 Fedora, Network Security Services, Communications Offline Mediation Controller and 3 more | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58. | |||||
| CVE-2022-25364 | 1 Gradle | 1 Enterprise | 2022-05-10 | 9.3 HIGH | 8.1 HIGH |
| In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.) | |||||
| CVE-2019-1600 | 1 Cisco | 16 Firepower 4100, Firepower 9300, Fxos and 13 more | 2022-05-10 | 2.1 LOW | 4.4 MEDIUM |
| A vulnerability in the file system permissions of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to access sensitive information that is stored in the file system of an affected system. The vulnerability is due to improper implementation of file system permissions. An attacker could exploit this vulnerability by accessing and modifying restricted files. A successful exploit could allow the attacker to access sensitive and critical files. Firepower 4100 Series Next-Generation Firewalls are affected in versions prior to 2.2.2.91 and 2.3.1.110. Firepower 9300 Series Next-Generation Firewalls are affected in versions prior to 2.2.2.91 and 2.3.1.110. MDS 9000 Series Multilayer Switches are affected in versions prior to 6.2(25), 8.1(1b), and 8.3(1). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 6.0(2)A8(10) and 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected in versions prior to 7.1(5)N1(1b) and 7.3(3)N1(1). Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 7.3(3)D1(1), and 8.2(3). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). | |||||
| CVE-2021-22571 | 1 Google | 1 Sa360 Webquery To Bigquery Exporter | 2022-05-10 | 2.1 LOW | 5.5 MEDIUM |
| A local attacker could read files from some other users' SA360 reports stored in the /tmp folder during staging process before the files are loaded in BigQuery. We recommend upgrading to version 1.0.3 or above. | |||||
| CVE-2021-22145 | 2 Elastic, Oracle | 2 Elasticsearch, Communications Cloud Native Core Automated Test Suite | 2022-05-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. | |||||
| CVE-2020-8277 | 4 C-ares Project, Fedoraproject, Nodejs and 1 more | 8 C-ares, Fedora, Node.js and 5 more | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1. | |||||
| CVE-2022-29556 | 1 Northern.tech | 1 Mender | 2022-05-10 | 7.5 HIGH | 9.8 CRITICAL |
| The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints. | |||||
| CVE-2022-22519 | 1 Codesys | 18 Control For Beaglebone Sl, Control For Beckhoff Cx9020, Control For Empc-a\/imx6 Sl and 15 more | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| A remote, unauthenticated attacker can send a specific crafted HTTP or HTTPS requests causing a buffer over-read resulting in a crash of the webserver of the CODESYS Control runtime system. | |||||
| CVE-2020-8908 | 4 Google, Netapp, Oracle and 1 more | 13 Guava, Active Iq Unified Manager, Commerce Guided Search and 10 more | 2022-05-10 | 2.1 LOW | 3.3 LOW |
| A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured. | |||||
| CVE-2022-29555 | 1 Northern.tech | 1 Mender | 2022-05-10 | 6.8 MEDIUM | 8.8 HIGH |
| The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. allows Cross-Origin Websocket Hijacking. | |||||
| CVE-2022-1331 | 1 Deltaww | 1 Dmars | 2022-05-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure. | |||||
| CVE-2022-23722 | 1 Pingidentity | 1 Pingfederate | 2022-05-10 | 3.5 LOW | 6.5 MEDIUM |
| When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password. | |||||
| CVE-2022-21949 | 1 Opensuse | 1 Open Build Service | 2022-05-10 | 9.0 HIGH | 8.8 HIGH |
| A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13. | |||||
| CVE-2021-41810 | 1 M-files | 1 Server | 2022-05-10 | 3.5 LOW | 4.8 MEDIUM |
| Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable | |||||
| CVE-2022-23063 | 1 Shopizer | 1 Shopizer | 2022-05-10 | 6.5 MEDIUM | 8.8 HIGH |
| In Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed. | |||||
| CVE-2022-1554 | 1 Clinical-genomics | 1 Scout | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52. | |||||
| CVE-2021-39390 | 1 Partkeepr | 1 Partkeepr | 2022-05-10 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter. | |||||
| CVE-2022-29265 | 1 Apache | 1 Nifi | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services. | |||||
| CVE-2021-25102 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2022-05-10 | 2.6 LOW | 4.7 MEDIUM |
| The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk | |||||
| CVE-2022-24898 | 1 Xwiki | 1 Commons | 2022-05-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights. | |||||