Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4174 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 8.8 HIGH |
| Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2022-4187 | 2 Google, Microsoft | 2 Chrome, Windows | 2022-12-01 | N/A | 6.5 MEDIUM |
| Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2022-4186 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 4.3 MEDIUM |
| Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2022-4188 | 1 Google | 2 Android, Chrome | 2022-12-01 | N/A | 4.3 MEDIUM |
| Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2022-4189 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 4.3 MEDIUM |
| Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) | |||||
| CVE-2022-4190 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 8.8 HIGH |
| Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2022-4194 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 8.8 HIGH |
| Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2022-4191 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 8.8 HIGH |
| Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via profile destruction. (Chromium security severity: Medium) | |||||
| CVE-2022-4195 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 4.3 MEDIUM |
| Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium) | |||||
| CVE-2022-4193 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 8.8 HIGH |
| Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2022-4192 | 1 Google | 1 Chrome | 2022-12-01 | N/A | 8.8 HIGH |
| Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI interaction. (Chromium security severity: Medium) | |||||
| CVE-2022-45328 | 1 Church Management System Project | 1 Church Management System | 2022-12-01 | N/A | 7.2 HIGH |
| Church Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/edit_members.php. | |||||
| CVE-2022-24187 | 1 Sz-fujia | 1 Ourphoto | 2022-12-01 | N/A | 7.5 HIGH |
| The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities. Other end-users user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an attacker to discover sensitive information such as end-user email addresses, and their unique frame_token value of all other Ourphoto App end-users. | |||||
| CVE-2022-24189 | 1 Sz-fujia | 1 Ourphoto | 2022-12-01 | N/A | 6.5 MEDIUM |
| The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users. | |||||
| CVE-2022-24188 | 1 Sz-fujia | 1 Ourphoto | 2022-12-01 | N/A | 7.5 HIGH |
| The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality. | |||||
| CVE-2022-24190 | 1 Sz-fujia | 1 Ourphoto | 2022-12-01 | N/A | 7.5 HIGH |
| The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction. | |||||
| CVE-2022-41965 | 1 Apereo | 1 Opencast | 2022-12-01 | N/A | 6.1 MEDIUM |
| Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to redirect users to sites outside of one's Opencast install, potentially facilitating phishing attacks or other security issues. This issue is fixed in Opencast 12.5 and newer. | |||||
| CVE-2022-44937 | 1 Bosscms | 1 Bosscms | 2022-12-01 | N/A | 6.5 MEDIUM |
| Bosscms v2.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Add function under the Administrator List module. | |||||
| CVE-2022-46147 | 1 Openedx | 1 Xblock-drag-and-drop-v2 | 2022-12-01 | N/A | 6.1 MEDIUM |
| Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2022-45921 | 1 Fusionauth | 1 Fusionauth | 2022-12-01 | N/A | 7.5 HIGH |
| FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process. | |||||