Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-3938 | 1 Crestron | 4 Am-100, Am-100 Firmware, Am-101 and 1 more | 2022-12-06 | 2.1 LOW | 7.8 HIGH |
| Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file since all the encryption logic is hard coded. A local attacker can use this vulnerability to gain access to devices username and passwords. | |||||
| CVE-2020-24032 | 1 Xorux | 2 Lpar2rrd, Stor2rrd | 2022-12-06 | 10.0 HIGH | 9.8 CRITICAL |
| tz.pl on XoruX LPAR2RRD and STOR2RRD 2.70 virtual appliances allows cmd=set&tz=OS command injection via shell metacharacters in a timezone. | |||||
| CVE-2019-5456 | 1 Ui | 1 Unifi Controller | 2022-12-06 | 4.3 MEDIUM | 8.1 HIGH |
| SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= 5.10.21 and their actual SMTP server to record their SMTP credentials for malicious use later. | |||||
| CVE-2019-5455 | 1 Nextcloud | 1 Nextcloud | 2022-12-06 | 4.6 MEDIUM | 6.8 MEDIUM |
| Bypassing lock protection exists in Nextcloud Android app 3.6.0 when creating a multi-account and aborting the process. | |||||
| CVE-2019-4456 | 1 Ibm | 1 Daeja Viewone | 2022-12-06 | 5.5 MEDIUM | 7.1 HIGH |
| IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 163620. | |||||
| CVE-2020-14367 | 3 Canonical, Fedoraproject, Tuxfamily | 3 Ubuntu Linux, Fedora, Chrony | 2022-12-06 | 3.6 LOW | 6.0 MEDIUM |
| A flaw was found in chrony versions before 3.5.1 when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup while still running as the root user, and when it's opened for writing, chronyd does not check for an existing symbolic link with the same file name. This flaw allows an attacker with privileged access to create a symlink with the default PID file name pointing to any destination file in the system, resulting in data loss and a denial of service due to the path traversal. | |||||
| CVE-2020-13101 | 1 Oasis-open | 1 Oasis Digital Signature Services | 2022-12-06 | 5.0 MEDIUM | 7.5 HIGH |
| In OASIS Digital Signature Services (DSS) 1.0, an attacker can control the validation outcome (i.e., trigger either a valid or invalid outcome for a valid or invalid signature) via a crafted XML signature, when the InlineXML option is used. This defeats the expectation of non-repudiation. | |||||
| CVE-2020-14043 | 1 Codiad | 1 Codiad | 2022-12-06 | 6.8 MEDIUM | 8.8 HIGH |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad v1.7.8 and later. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | |||||
| CVE-2020-14044 | 1 Codiad | 1 Codiad | 2022-12-06 | 6.5 MEDIUM | 7.2 HIGH |
| ** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8 and later. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors." | |||||
| CVE-2022-41642 | 1 Kujirahand | 1 Nadesiko3 | 2022-12-06 | N/A | 9.8 CRITICAL |
| OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.61 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product. | |||||
| CVE-2022-40968 | 1 2kblater | 1 2kb Amazon Affiliates Store | 2022-12-06 | N/A | 6.1 MEDIUM |
| Reflected Cross-Site Scripting (XSS) vulnerability in 2kb Amazon Affiliates Store plugin <=2.1.5 on WordPress. | |||||
| CVE-2022-23467 | 1 Openrazer Project | 1 Openrazer | 2022-12-06 | N/A | 4.6 MEDIUM |
| OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need to access to a users keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices. | |||||
| CVE-2022-43706 | 1 Stackstorm | 1 Stackstorm | 2022-12-06 | N/A | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users. | |||||
| CVE-2022-45019 | 1 Slims | 1 Senayan Library Management System | 2022-12-06 | N/A | 7.5 HIGH |
| SLiMS 9 Bulian v9.5.0 was discovered to contain a SQL injection vulnerability via the keywords parameter. | |||||
| CVE-2022-43097 | 1 User Registration \& User Management System Project | 1 User Registration \& User Management System | 2022-12-06 | N/A | 5.4 MEDIUM |
| Phpgurukul User Registration & User Management System v3.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & login pages. | |||||
| CVE-2022-45283 | 1 Gpac | 1 Gpac | 2022-12-06 | N/A | 7.8 HIGH |
| GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list parameter at /scenegraph/svg_attributes.c. | |||||
| CVE-2022-45771 | 1 Pwndoc Project | 1 Pwndoc | 2022-12-06 | N/A | 8.8 HIGH |
| An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file. | |||||
| CVE-2022-38336 | 1 Mobatek | 1 Mobaxterm | 2022-12-06 | N/A | 8.1 HIGH |
| An access control issue in MobaXterm before v22.1 allows attackers to make connections to the server via the SSH or SFTP protocols without authentication. | |||||
| CVE-2021-34181 | 1 Tomexam | 1 Tomexam | 2022-12-06 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in TomExam 3.0 via p_name parameter to list.thtml. | |||||
| CVE-2022-45020 | 1 Rukovoditel | 1 Rukovoditel | 2022-12-06 | N/A | 8.8 HIGH |
| Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | |||||