Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-4276 | 1 Dns-stats | 1 Hedgehog | 2023-01-09 | N/A | 8.8 HIGH |
| A vulnerability was found in dns-stats hedgehog. It has been rated as problematic. Affected by this issue is the function DSCIOManager::dsc_import_input_from_source of the file src/DSCIOManager.cpp. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 58922c345d3d1fe89bb2020111873a3e07ca93ac. It is recommended to apply a patch to fix this issue. VDB-216746 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: We do assume that the Data Manager server can only be accessed by authorised users. Because of this, we don’t believe this specific attack is possible without such a compromise of the Data Manager server. | |||||
| CVE-2022-43436 | 1 Easy Test Project | 1 Easy Test | 2023-01-09 | N/A | 8.8 HIGH |
| The File Upload function of EasyTest has insufficient filtering for special characters and file type. A remote attacker authenticated as a general user can upload and execute arbitrary files, to manipulate system or disrupt service. | |||||
| CVE-2022-46181 | 1 Gotify | 1 Server | 2023-01-09 | N/A | 5.4 MEDIUM |
| Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. The vulnerability has been fixed in version 2.2.2. As a workaround, you can block access to non image files via a reverse proxy in the `./image` directory. | |||||
| CVE-2022-42269 | 1 Nvidia | 14 Jetson Agx Xavier, Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb and 11 more | 2023-01-09 | N/A | 7.9 HIGH |
| NVIDIA Trusted OS contains a vulnerability in an SMC call handler, where failure to validate untrusted input may allow a highly privileged local attacker to cause information disclosure and compromise integrity. The scope of the impact can extend to other components. | |||||
| CVE-2022-42266 | 2 Microsoft, Nvidia | 3 Windows, Cloud Gaming, Virtual Gpu | 2023-01-09 | N/A | 3.3 LOW |
| NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an unprivileged regular user can cause exposure of sensitive information to an actor that is not explicitly authorized to have access to that information, which may lead to limited information disclosure. | |||||
| CVE-2022-43438 | 1 Easy Test Project | 1 Easy Test | 2023-01-09 | N/A | 8.8 HIGH |
| The Administrator function of EasyTest has an Incorrect Authorization vulnerability. A remote attacker authenticated as a general user can exploit this vulnerability to bypass the intended access restrictions, to make API functions calls, manipulate system and terminate service. | |||||
| CVE-2023-22452 | 1 Kenny2automate Project | 1 Kenny2automate | 2023-01-09 | N/A | 6.5 MEDIUM |
| kenny2automate is a Discord bot. In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names. Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to the channel ID they wish to change settings for and the server settings panel for any server could change settings for the requested channel no matter which server it belonged to. Commit a947d7c resolves the issue and has been deployed to the official instance of the bot. The only workaround that exists is to disable the web config entirely by changing it to run on localhost. Note that a workaround is only necessary for those who run their own instance of the bot. | |||||
| CVE-2022-42270 | 1 Nvidia | 9 Jetson Agx Xavier, Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb and 6 more | 2023-01-09 | N/A | 7.8 HIGH |
| NVIDIA distributions of Linux contain a vulnerability in nvdla_emu_task_submit, where unvalidated input may allow a local attacker to cause stack-based buffer overflow in kernel code, which may lead to escalation of privileges, compromised integrity and confidentiality, and denial of service. | |||||
| CVE-2022-4352 | 1 Qe Seo Handyman Project | 1 Qe Seo Handyman | 2023-01-09 | N/A | 7.2 HIGH |
| The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin | |||||
| CVE-2022-4302 | 1 Videousermanuals | 1 White Label Cms | 2023-01-09 | N/A | 7.2 HIGH |
| The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | |||||
| CVE-2022-43437 | 1 Easy Test Project | 1 Easy Test | 2023-01-09 | N/A | 8.8 HIGH |
| The Download function’s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database. | |||||
| CVE-2022-4329 | 1 Product List Widget For Woocommerce Project | 1 Product List Widget For Woocommerce | 2023-01-09 | N/A | 6.1 MEDIUM |
| The Product list Widget for Woocommerce WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high privilege one like admin). | |||||
| CVE-2022-4324 | 1 Wpgogo | 1 Custom Field Template | 2023-01-09 | N/A | 7.2 HIGH |
| The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. | |||||
| CVE-2022-4362 | 1 Code-atlantic | 1 Popup Maker | 2023-01-09 | N/A | 5.4 MEDIUM |
| The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2022-4340 | 1 Reputeinfosystems | 1 Bookingpress | 2023-01-09 | N/A | 5.3 MEDIUM |
| The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter. | |||||
| CVE-2022-3460 | 1 Octopus | 1 Octopus Deploy | 2023-01-09 | N/A | 7.5 HIGH |
| In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. | |||||
| CVE-2022-4369 | 1 Wplite | 1 Wp-lister Lite For Amazon | 2023-01-09 | N/A | 6.1 MEDIUM |
| The WP-Lister Lite for Amazon WordPress plugin before 2.4.4 does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high-privilege users such as admin. | |||||
| CVE-2022-4351 | 1 Qe Seo Handyman Project | 1 Qe Seo Handyman | 2023-01-09 | N/A | 7.2 HIGH |
| The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin | |||||
| CVE-2022-33321 | 1 Mitsubishielectric | 356 Ma-ew85s-e, Ma-ew85s-e Firmware, Ma-ew85s-uk and 353 more | 2023-01-09 | N/A | 9.8 CRITICAL |
| Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer electronics products (PHOTOVOLTAIC COLOR MONITOR ECO-GUIDE, HEMS adapter, Wi-Fi Interface, Air Conditioning, Induction hob, Mitsubishi Electric HEMS Energy Measurement Unit, Refrigerator, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch, Ventilating Fan, Range hood fan, Energy Measurement Unit and Air Purifier) allows a remote unauthenticated attacker to disclose information in the products or cause a denial of service (DoS) condition as a result by sniffing credential information (username and password). The wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability. As for the affected product models/versions, see the Mitsubishi Electric's advisory which is listed in [References] section. | |||||
| CVE-2022-4370 | 1 Multimedial Images Project | 1 Multimedial Images | 2023-01-09 | N/A | 7.2 HIGH |
| The multimedial images WordPress plugin through 1.0b does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. | |||||