Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28655 | 1 Apache | 1 Zeppelin | 2022-12-20 | N/A | 6.5 MEDIUM |
| The improper Input Validation vulnerability in "”Move folder to Trash” feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. | |||||
| CVE-2022-41960 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-20 | N/A | 4.3 MEDIUM |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds. | |||||
| CVE-2022-20199 | 1 Google | 1 Android | 2022-12-20 | N/A | 5.5 MEDIUM |
| In multiple locations of NfcService.java, there is a possible disclosure of NFC tags due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-199291025 | |||||
| CVE-2021-35252 | 1 Solarwinds | 1 Serv-u | 2022-12-20 | N/A | 7.5 HIGH |
| Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext. | |||||
| CVE-2022-4555 | 1 Wpvar | 1 Wp Shamsi | 2022-12-20 | N/A | 5.3 MEDIUM |
| The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate() function hooked via init() in versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to deactivate arbitrary plugins on the site. This can be used to deactivate security plugins that aids in exploiting other vulnerabilities. | |||||
| CVE-2022-41963 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-12-20 | N/A | 3.1 LOW |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1 | |||||
| CVE-2021-4245 | 1 Rfc6902 Project | 1 Rfc6902 | 2022-12-20 | N/A | 9.8 CRITICAL |
| A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883. | |||||
| CVE-2022-36223 | 1 Emby | 1 Emby | 2022-12-20 | N/A | 6.1 MEDIUM |
| In Emby Server 4.6.7.0, the playlist name field is vulnerable to XSS stored where it is possible to steal the administrator access token and flip or steal the media server administrator account. | |||||
| CVE-2022-20511 | 1 Google | 1 Android | 2022-12-20 | N/A | 5.5 MEDIUM |
| In getNearbyAppStreamingPolicy of DevicePolicyManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235821829 | |||||
| CVE-2022-20509 | 1 Google | 1 Android | 2022-12-20 | N/A | 6.7 MEDIUM |
| In mapGrantorDescr of MessageQueueBase.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-244713317 | |||||
| CVE-2022-20507 | 1 Google | 1 Android | 2022-12-20 | N/A | 7.8 HIGH |
| In onMulticastListUpdateNotificationReceived of UwbEventManager.java, there is a possible arbitrary code execution due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-246649179 | |||||
| CVE-2022-20506 | 1 Google | 1 Android | 2022-12-20 | N/A | 7.8 HIGH |
| In onCreate of WifiDialogActivity.java, there is a missing permission check. This could lead to local escalation of privilege from a guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-226133034 | |||||
| CVE-2022-20505 | 1 Google | 1 Android | 2022-12-20 | N/A | 6.7 MEDIUM |
| In openFile of CallLogProvider.java, there is a possible permission bypass due to a path traversal error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitationProduct: AndroidVersions: Android-13Android ID: A-225981754 | |||||
| CVE-2022-20504 | 1 Google | 1 Android | 2022-12-20 | N/A | 6.7 MEDIUM |
| In multiple locations of DreamManagerService.java, there is a missing permission check. This could lead to local escalation of privilege and dismissal of system dialogs with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-225878553 | |||||
| CVE-2022-20503 | 1 Google | 1 Android | 2022-12-20 | N/A | 7.8 HIGH |
| In onCreate of WifiDppConfiguratorActivity.java, there is a possible way for a guest user to add a WiFi configuration due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224772890 | |||||
| CVE-2022-4519 | 1 Wpseeds | 1 Wp User | 2022-12-20 | N/A | 4.8 MEDIUM |
| The WP User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters in versions up to, and including, 7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2021-33420 | 1 Replicator Project | 1 Replicator | 2022-12-20 | N/A | 9.8 CRITICAL |
| A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object. | |||||
| CVE-2015-5395 | 2 Alinto, Debian | 2 Sogo, Debian Linux | 2022-12-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. | |||||
| CVE-2016-6191 | 1 Alinto | 1 Sogo | 2022-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field. | |||||
| CVE-2016-6189 | 1 Alinto | 1 Sogo | 2022-12-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. | |||||