Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-22337 | 1 Ibm | 1 Sterling B2b Integrator | 2023-01-10 | N/A | 6.5 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could disclose sensitive information to an authenticated user. IBM X-Force ID: 219507. | |||||
| CVE-2022-43920 | 1 Ibm | 1 Sterling B2b Integrator | 2023-01-10 | N/A | 8.8 HIGH |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could allow an authenticated user to gain privileges in a different group due to an access control vulnerability in the Sftp server adapter. IBM X-Force ID: 241362. | |||||
| CVE-2022-22352 | 1 Ibm | 1 Sterling B2b Integrator | 2023-01-10 | N/A | 5.4 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 220398. | |||||
| CVE-2022-45199 | 1 Python | 1 Pillow | 2023-01-10 | N/A | 7.5 HIGH |
| Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. | |||||
| CVE-2022-45198 | 1 Python | 1 Pillow | 2023-01-10 | N/A | 7.5 HIGH |
| Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). | |||||
| CVE-2018-25049 | 1 Email-existence Project | 1 Email-existence | 2023-01-10 | N/A | 7.5 HIGH |
| A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The name of the patch is 0029ba71b6ad0d8ec0baa2ecc6256d038bdd9b56. It is recommended to apply a patch to fix this issue. VDB-216854 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-4141 | 2 Fedoraproject, Vim | 2 Fedora, Vim | 2023-01-10 | N/A | 7.8 HIGH |
| Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command. | |||||
| CVE-2022-43984 | 1 Spatie | 1 Browsershot | 2023-01-10 | N/A | 8.2 HIGH |
| Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol. | |||||
| CVE-2022-43983 | 1 Spatie | 1 Browsershot | 2023-01-10 | N/A | 8.2 HIGH |
| Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's that use the file:// protocol. | |||||
| CVE-2022-46180 | 1 Discourse | 1 Mermaid | 2023-01-10 | N/A | 5.4 MEDIUM |
| Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component version 1.0.0 who can create posts are able to inject arbitrary HTML on that post. The issue has been fixed on the `main` branch of the GitHub repository, with 1.1.0 named as a patched version. Admins can update the theme component through the admin UI. As a workaround, admins can temporarily disable discourse-mermaid-theme-component. | |||||
| CVE-2022-3643 | 3 Broadcom, Debian, Linux | 3 Bcm5780, Debian Linux, Linux Kernel | 2023-01-10 | N/A | 10.0 CRITICAL |
| Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior. | |||||
| CVE-2022-42328 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-01-10 | N/A | 5.5 MEDIUM |
| Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329). | |||||
| CVE-2022-42329 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-01-10 | N/A | 5.5 MEDIUM |
| Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329). | |||||
| CVE-2023-0051 | 1 Vim | 1 Vim | 2023-01-10 | N/A | 7.8 HIGH |
| Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. | |||||
| CVE-2022-41262 | 1 Sap | 1 Netweaver Application Server Java | 2023-01-10 | N/A | 6.1 MEDIUM |
| Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application. | |||||
| CVE-2023-22460 | 1 Protocol | 1 Go-ipld-prime | 2023-01-10 | N/A | 7.5 HIGH |
| go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes. | |||||
| CVE-2021-37533 | 2 Apache, Debian | 2 Commons Net, Debian Linux | 2023-01-10 | N/A | 6.5 MEDIUM |
| Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. | |||||
| CVE-2023-22457 | 1 Xwiki | 1 Ckeditor Integration | 2023-01-10 | N/A | 8.8 HIGH |
| CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version. | |||||
| CVE-2022-41274 | 1 Sap | 1 Disclosure Management | 2023-01-10 | N/A | 6.5 MEDIUM |
| SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can lead to the exposure of data like financial reports. | |||||
| CVE-2023-22461 | 1 Sanitize-svg Project | 1 Sanitize-svg | 2023-01-10 | N/A | 6.1 MEDIUM |
| The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds | |||||