Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Total 193630 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-37175 2022-08-19 N/A N/A
Tenda ac15 firmware V15.03.05.18 httpd server has stack buffer overflow in /goform/formWifiBasicSet.
CVE-2022-36170 2022-08-19 N/A N/A
MapGIS 10.5 Pro IGServer has hardcoded credentials in the front-end and can lead to escalation of privileges and arbitrary file deletion.
CVE-2022-36031 2022-08-19 N/A N/A
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.
CVE-2022-36009 2022-08-19 N/A N/A
gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-36008 2022-08-19 N/A N/A
Frontier is Substrate's Ethereum compatibility layer. A security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic. No action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this. There are currently no known workarounds.
CVE-2022-2788 2022-08-19 N/A N/A
Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.
CVE-2022-23460 2022-08-19 N/A N/A
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.
CVE-2022-23459 2022-08-19 N/A N/A
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.
CVE-2022-22489 2022-08-19 N/A N/A
IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339.
CVE-2022-0542 2022-08-19 N/A N/A
Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.
CVE-2022-36947 2 Faststone, Microsoft 2 Image Viewer, Windows 2022-08-19 N/A 9.8 CRITICAL
Unsafe Parsing of a PNG tRNS chunk in FastStone Image Viewer through 7.5 results in a stack buffer overflow.
CVE-2022-1901 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-19 N/A 5.3 MEDIUM
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
CVE-2022-2075 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-19 N/A 7.5 HIGH
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
CVE-2022-2074 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-19 N/A 7.5 HIGH
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVE-2022-2049 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-19 N/A 7.5 HIGH
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2022-37768 1 Jpeg 1 Libjpeg 2022-08-19 N/A 7.5 HIGH
libjpeg commit 281daa9 was discovered to contain an infinite loop via the component Frame::ParseTrailer.
CVE-2022-37422 1 Payara 1 Payara 2022-08-19 N/A 7.5 HIGH
Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.
CVE-2021-32862 1 Jupyter 1 Nbconvert 2022-08-19 N/A 5.4 MEDIUM
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
CVE-2022-38392 1 * 1 5400rmp Oem Harddrive 2022-08-19 N/A 5.3 MEDIUM
A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.
CVE-2019-9081 2022-08-19 N/A N/A
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.