Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-4152 | 1 Contest-gallery | 1 Contest Gallery | 2023-01-04 | N/A | 6.5 MEDIUM | The Contest Gallery WordPress plugin before 19.1.5 and Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
CVE-2019-25085 | 1 Gnome | 1 Gvariant Database | 2023-01-04 | N/A | 8.8 HIGH | A vulnerability was found in GNOME gvdb. It has been classified as critical. This affects the function gvdb_table_write_contents_async of the file gvdb-builder.c. The manipulation leads to use after free. It is possible to initiate the attack remotely. The name of the patch is d83587b2a364eb9a9a53be7e6a708074e252de14. It is recommended to apply a patch to fix this issue. The identifier VDB-216789 was assigned to this vulnerability.
CVE-2022-4742 | 1 Json-pointer Project | 1 Json-pointer | 2023-01-04 | N/A | 9.8 CRITICAL | A vulnerability, which was classified as critical, has been found in json-pointer. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The name of the patch is 859c9984b6c407fc2d5a0a7e47c7274daa681941. It is recommended to apply a patch to fix this issue. VDB-216794 is the identifier assigned to this vulnerability.
CVE-2021-30134 | 6 Ht Slider Range For Amazon Affiliates Project, Php Curl Class Project, Ptwooplugins and 3 more | 6 Ht Slider Range For Amazon Affiliates, Php Curl Class, Invoicing With Invoicexpress For Woocommerce and 3 more | 2023-01-04 | N/A | 6.1 MEDIUM | php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php.
CVE-2021-44758 | 1 Heimdal Project | 1 Heimdal | 2023-01-04 | N/A | 7.5 HIGH | Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.
CVE-2022-40005 | 1 Intelbras | 2 Wifiber 120ac Inmesh, Wifiber 120ac Inmesh Firmware | 2023-01-04 | N/A | 8.8 HIGH | Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.
CVE-2021-4278 | 1 Tree Kit Project | 1 Tree Kit | 2023-01-04 | N/A | 7.8 HIGH | A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability.
CVE-2022-4741 | 1 Search | 1 Docconv | 2023-01-04 | N/A | 6.5 MEDIUM | A vulnerability was found in docconv up to 1.2.0 and classified as problematic. This issue affects the functions ConvertDocx/ConvertODT/ConvertPages/ConvertXML/XMLToText. The manipulation leads to uncontrolled memory allocation. The attack may be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is 42bcff666855ab978e67a9041d0cdea552f20301. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216779.
CVE-2022-41317 | 1 Squid-cache | 1 Squid | 2023-01-04 | N/A | 6.5 MEDIUM | An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be exposure of sensitive information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
CVE-2022-41318 | 1 Squid-cache | 1 Squid | 2023-01-04 | N/A | 7.5 HIGH | A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.
CVE-2020-36632 | 1 Flat Project | 1 Flat | 2023-01-04 | N/A | 9.8 CRITICAL | A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
CVE-2020-36631 | 1 Dwc Network Server Emulator Project | 1 Dwc Network Server Emulator | 2023-01-04 | N/A | 9.8 CRITICAL | A vulnerability was found in barronwaffles dwc_network_server_emulator. It has been declared as critical. This vulnerability affects the function update_profile of the file gamespy/gs_database.py. The manipulation of the argument firstname/lastname leads to SQL injection. The attack can be initiated remotely. The name of the patch is f70eb21394f75019886fbc2fb536de36161ba422. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216772.
CVE-2020-36630 | 1 Sangoma | 1 Freepbx | 2023-01-04 | N/A | 9.8 CRITICAL | A vulnerability was found in FreePBX cdr 14.0. It has been classified as critical. This affects the function ajaxHandler of the file ucp/Cdr.class.php. The manipulation of the argument limit/offset leads to SQL injection. Upgrading to version 14.0.5.21 is able to address this issue. The name of the patch is f1a9eea2dfff30fb99d825bac194a676a82b9ec8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216771.
CVE-2019-25084 | 1 Hide Files On Github Project | 1 Hide Files On Github | 2023-01-04 | N/A | 6.1 MEDIUM | A vulnerability, which was classified as problematic, has been found in Hide Files on GitHub up to 2.x. This issue affects the function addEventListener of the file extension/options.js. The manipulation leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is 9de0c57df81db1178e0e79431d462f6d9842742e. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216767.
CVE-2022-4227 | 1 Booster | 3 Booster Elite For Woocommerce, Booster For Woocommerce, Booster Plus For Woocommerce | 2023-01-04 | N/A | 6.1 MEDIUM | The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, and Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to reflected cross-site scripting.
CVE-2022-4226 | 1 Wpkube | 1 Simple Basic Contact Form | 2023-01-04 | N/A | 4.8 MEDIUM | The Simple Basic Contact Form WordPress plugin before 20221201 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2022-4197 | 1 10web | 1 Slider | 2023-01-04 | N/A | 4.8 MEDIUM | The Sliderby10Web WordPress plugin before 1.2.53 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2022-4156 | 1 Contest-gallery | 1 Contest Gallery | 2023-01-04 | N/A | 7.5 HIGH | The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.
CVE-2022-4157 | 1 Contest-gallery | 1 Contest Gallery | 2023-01-04 | N/A | 4.9 MEDIUM | The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.
CVE-2022-4158 | 1 Contest-gallery | 1 Contest Gallery | 2023-01-04 | N/A | 7.5 HIGH | The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database.