Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3842 | 1 Google | 1 Chrome | 2023-01-09 | N/A | 7.5 HIGH |
| Use after free in Passwords in Google Chrome prior to 105.0.5195.125 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2022-2743 | 1 Google | 3 Chrome, Chrome Os, Linux And Chrome Os | 2023-01-09 | N/A | 8.8 HIGH |
| Integer overflow in Window Manager in Google Chrome on Chrome OS and Lacros prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific UI interactions to perform an out of bounds memory write via crafted UI interactions. (Chrome security severity: High) | |||||
| CVE-2022-4256 | 1 Themesgrove | 1 All-in-one Addons For Elementor | 2023-01-09 | N/A | 4.8 MEDIUM |
| The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-4025 | 1 Google | 1 Chrome | 2023-01-09 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low) | |||||
| CVE-2022-3863 | 1 Google | 1 Chrome | 2023-01-09 | N/A | 6.1 MEDIUM |
| Use after free in Browser History in Google Chrome prior to 100.0.4896.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High) | |||||
| CVE-2022-4237 | 1 Collne | 1 Welcart E-commerce | 2023-01-09 | N/A | 8.8 HIGH |
| The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blog | |||||
| CVE-2022-38203 | 1 Esri | 1 Portal For Arcgis | 2023-01-09 | N/A | 7.5 HIGH |
| Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212. | |||||
| CVE-2022-38210 | 1 Esri | 1 Portal For Arcgis | 2023-01-09 | N/A | 6.1 MEDIUM |
| There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser. | |||||
| CVE-2022-4260 | 1 Wp-ban Project | 1 Wp-ban | 2023-01-09 | N/A | 4.8 MEDIUM |
| The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-4298 | 1 Cedcommerce | 1 Wholesale Market | 2023-01-09 | N/A | 9.8 CRITICAL |
| The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. | |||||
| CVE-2022-4297 | 1 Netflixtech | 1 Wp Autocomplete Search | 2023-01-09 | N/A | 9.8 CRITICAL |
| The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection | |||||
| CVE-2015-10010 | 1 Cisco | 1 Openresolve | 2023-01-09 | N/A | 6.1 MEDIUM |
| A vulnerability was found in OpenDNS OpenResolve. It has been rated as problematic. Affected by this issue is the function get of the file resolverapi/endpoints.py of the component API. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is c680170d5583cd9342fe1af43001fe8b2b8004dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217196. | |||||
| CVE-2022-3911 | 1 Iubenda | 1 Iubenda-cookie-law-solution | 2023-01-09 | N/A | 8.8 HIGH |
| The iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc | |||||
| CVE-2016-15007 | 1 Centralized Salesforce Development Framework Project | 1 Centralized Salesforce Development Framework | 2023-01-09 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Centralized-Salesforce-Dev-Framework. It has been declared as problematic. Affected by this vulnerability is the function SObjectService of the file src/classes/SObjectService.cls of the component SOQL Handler. The manipulation of the argument orderDirection leads to injection. The name of the patch is db03ac5b8a9d830095991b529c067a030a0ccf7b. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217195. | |||||
| CVE-2020-36569 | 1 Digitalocean | 1 Golang-nanoauth | 2023-01-09 | N/A | 9.1 CRITICAL |
| Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token. | |||||
| CVE-2014-125036 | 1 Ansible-ntp Project | 1 Ansible-ntp | 2023-01-09 | N/A | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to insufficient control of network message volume. The attack can only be done within the local network. The name of the patch is ed4ca2cf012677973c220cdba36b5c60bfa0260b. It is recommended to apply a patch to fix this issue. VDB-217190 is the identifier assigned to this vulnerability. | |||||
| CVE-2014-125037 | 1 License To Kill Project | 1 License To Kill | 2023-01-09 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in License to Kill. This affects an unknown part of the file models/injury.rb. The manipulation of the argument name leads to sql injection. The name of the patch is cd11cf174f361c98e9b1b4c281aa7b77f46b5078. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217191. | |||||
| CVE-2014-125038 | 1 Is Projecto2 Project | 1 Is Projecto2 | 2023-01-09 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in IS_Projecto2 and classified as critical. This vulnerability affects unknown code of the file Cnn-EJB/ejbModule/ejbs/NewsBean.java. The manipulation of the argument date leads to sql injection. The name of the patch is aa128b2c9c9fdcbbf5ecd82c1e92103573017fe0. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217192. | |||||
| CVE-2022-3860 | 1 Smackcoders | 1 Visual Email Designer For Woocommerce | 2023-01-09 | N/A | 8.8 HIGH |
| The Visual Email Designer for WooCommerce WordPress plugin before 1.7.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author. | |||||
| CVE-2023-22451 | 1 Kiwitcms | 1 Kiwi Tcms | 2023-01-09 | N/A | 8.8 HIGH |
| Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the `AUTH_PASSWORD_VALIDATORS` configuration setting. As of version 11.7, the password can’t be too similar to other personal information, must contain at least 10 characters, can’t be a commonly used password, and can’t be entirely numeric. As a workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen. | |||||