Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-45041 | 1 Rockoa | 1 Xinhu | 2022-12-23 | N/A | 7.5 HIGH | SQL Injection exists in xinhu < 2.5.0.
CVE-2022-40607 | 2 Ibm, Linux | 2 Spectrum Scale, Linux Kernel | 2022-12-23 | N/A | 6.8 MEDIUM | IBM Spectrum Scale 5.1 could allow users with permissions to create pod, persistent volume and persistent volume claim to access files and directories outside of the volume, including on the host filesystem. IBM X-Force ID: 235740.
CVE-2022-44488 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2022-12-23 | N/A | 5.4 MEDIUM | Adobe Experience Manager version 6.5.14 (and earlier) is affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.
CVE-2022-4609 | 1 Usememos | 1 Memos | 2022-12-23 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.
CVE-2022-4061 | 1 Ultimatemember | 1 Jobboardwp | 2022-12-23 | N/A | 7.5 HIGH | The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP.
CVE-2022-38662 | 1 Hcltech | 1 Hcl Digital Experience | 2022-12-23 | N/A | 6.1 MEDIUM | In HCL Digital Experience, URLs can be constructed to redirect users to untrusted sites.
CVE-2022-4106 | 1 Cedcommerce | 1 Wholesale Market For Woocommerce | 2022-12-23 | N/A | 7.5 HIGH | The Wholesale Market for WooCommerce WordPress plugin before 1.0.7 does not have an authorisation check, and does not validate user input used to generate a system path, allowing unauthenticated attackers to download arbitrary files from the server.
CVE-2022-4112 | 1 Vms-studio | 1 Quizlord | 2022-12-23 | N/A | 4.8 MEDIUM | The Quizlord WordPress plugin through 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2022-38659 | 2 Hcltech, Microsoft | 2 Bigfix Platform, Windows | 2022-12-23 | N/A | 7.8 HIGH | In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent.
CVE-2022-38653 | 1 Hcltech | 1 Digital Experience | 2022-12-23 | N/A | 5.4 MEDIUM | In HCL Digital Experience, a customized XSS payload can be constructed such that it is served in the application unencoded.
CVE-2022-31029 | 1 Pi-hole | 1 Adminlte | 2022-12-23 | 3.5 LOW | 4.8 MEDIUM | AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked "Domain to look for" and hitting Enter (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to Pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-4063 | 1 Pluginus | 1 Inpost Gallery | 2022-12-23 | N/A | 9.8 CRITICAL | The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files and URLs, which may enable them to run code on servers.
CVE-2022-31630 | 1 Php | 1 Php | 2022-12-23 | N/A | 7.1 HIGH | In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using the imageloadfont() function in the gd extension, it is possible to supply a specially crafted font file such that, if the loaded font is used with the imagechar() function, a read outside the allocated buffer occurs. This can lead to crashes or disclosure of confidential information.
CVE-2022-23748 | 2 Audinate, Microsoft | 2 Dante Application Library, Windows | 2022-12-23 | N/A | 7.8 HIGH | mDNSResponder.exe is vulnerable to a DLL Sideloading attack. The executable improperly specifies how the DLL is loaded, from which folder and under what conditions. In these scenarios, a malicious attacker could use the valid and legitimate executable to load malicious files.
CVE-2022-23491 | 1 Certifi Project | 1 Certifi | 2022-12-23 | N/A | 7.5 HIGH | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked Google Group discussion.
CVE-2020-3118 | 1 Cisco | 37 Asr 9000, Asr 9000v, Asr 9001 and 34 more | 2022-12-23 | 8.3 HIGH | 8.8 HIGH | A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).
CVE-2020-3227 | 1 Cisco | 1 Ios Xe | 2022-12-23 | 10.0 HIGH | 9.8 CRITICAL | A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device.
CVE-2022-4108 | 1 Cedcommerce | 1 Wholesale Market For Woocommerce | 2022-12-23 | N/A | 4.9 MEDIUM | The Wholesale Market for WooCommerce WordPress plugin before 1.0.8 does not validate user input used to generate a system path, allowing high privilege users such as admin to download arbitrary files from the server even when they should not be able to (for example in multisite).
CVE-2022-4107 | 1 Cedcommerce | 1 Smsa Shipping For Woocommerce | 2022-12-23 | N/A | 6.5 MEDIUM | The SMSA Shipping for WooCommerce WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks, and does not validate the file to be downloaded, allowing any authenticated user, such as a subscriber, to download arbitrary files from the server.
CVE-2014-6230 | 1 Wp-ban Project | 1 Wp-ban | 2022-12-23 | 4.3 MEDIUM | N/A | WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.