Total: 210374 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-44849 | 1 Metinfo | 1 Metinfo | 2022-12-12 | N/A | 8.8 HIGH |
A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account. | |||||
CVE-2022-41994 | 1 Basercms | 1 Basercms | 2022-12-12 | N/A | 4.8 MEDIUM |
Stored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script. | |||||
CVE-2022-44932 | 1 Tenda | 2 A18, A18 Firmware | 2022-12-09 | N/A | 7.5 HIGH |
An access control issue in Tenda A18 v15.13.07.09 allows unauthenticated attackers to access the Telnet service. | |||||
CVE-2022-44931 | 1 Tenda | 2 A18, A18 Firmware | 2022-12-09 | N/A | 7.5 HIGH |
Tenda A18 v15.13.07.09 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet. | |||||
CVE-2022-39905 | 1 Google | 1 Android | 2022-12-09 | N/A | 5.5 MEDIUM |
Implicit intent hijacking vulnerability in Telecom application prior to SMR Dec-2022 Release 1 allows attacker to access sensitive information via implicit intent. | |||||
CVE-2022-46792 | 1 Hasura | 1 Graphql Engine | 2022-12-09 | N/A | 8.8 HIGH |
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.) | |||||
CVE-2022-23476 | 1 Nokogiri | 1 Nokogiri | 2022-12-09 | N/A | 7.5 HIGH |
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. | |||||
CVE-2022-39902 | 1 Samsung | 2 Exynos, Exynos Firmware | 2022-12-09 | N/A | 7.5 HIGH |
Improper authorization in Exynos baseband prior to SMR DEC-2022 Release 1 allows remote attacker to get sensitive information including IMEI via emergency call. | |||||
CVE-2022-43581 | 1 Ibm | 1 Content Navigator | 2022-12-09 | N/A | 8.8 HIGH |
IBM Content Navigator 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, and 3.0.12 is vulnerable to missing authorization and could allow an authenticated user to load external plugins and execute code. IBM X-Force ID: 238805. | |||||
CVE-2022-44351 | 1 Skycaiji | 1 Skycaiji | 2022-12-09 | N/A | 9.8 CRITICAL |
Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php. | |||||
CVE-2022-23492 | 1 Protocol | 1 Libp2p | 2022-12-09 | N/A | 7.5 HIGH |
go-libp2p is the official libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (DoS) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. | |||||
CVE-2022-23487 | 1 Protocol | 1 Libp2p | 2022-12-09 | N/A | 7.5 HIGH |
js-libp2p is the official JavaScript implementation of the libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability. | |||||
CVE-2022-23486 | 1 Protocol | 1 Libp2p | 2022-12-09 | N/A | 7.5 HIGH |
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/. | |||||
CVE-2022-4348 | 1 Ruoyi | 1 Ruoyi-cloud | 2022-12-09 | N/A | 6.1 MEDIUM |
A vulnerability was found in y_project RuoYi-Cloud. It has been rated as problematic. Affected by this issue is some unknown functionality of the component JSON Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215108. | |||||
CVE-2022-4347 | 1 Beetl-bbs Project | 1 Beetl-bbs | 2022-12-09 | N/A | 5.4 MEDIUM |
A vulnerability was found in xiandafu beetl-bbs. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file WebUtils.java. The manipulation of the argument user leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215107. | |||||
CVE-2020-36610 | 1 Duxcms Project | 1 Duxcms | 2022-12-09 | N/A | 8.0 HIGH |
A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215116. | |||||
CVE-2022-4349 | 1 Pwn Project | 1 Pwn | 2022-12-09 | N/A | 6.8 MEDIUM |
A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215109 was assigned to this vulnerability. | |||||
CVE-2022-4350 | 1 Mingsoft | 1 Mcms | 2022-12-09 | N/A | 6.1 MEDIUM |
A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8. Affected is an unknown function of the file search.do. The manipulation of the argument content_title leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215112. | |||||
CVE-2022-45515 | 1 Tenda | 2 W30e, W30e Firmware | 2022-12-09 | N/A | 7.5 HIGH |
Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the entries parameter at /goform/addressNat. | |||||
CVE-2022-45511 | 1 Tenda | 2 W30e, W30e Firmware | 2022-12-09 | N/A | 7.5 HIGH |
Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the PPPOEPassword parameter at /goform/QuickIndex. |