Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3861 | 1 Muffingroup | 1 Betheme | 2022-11-30 | N/A | 8.8 HIGH |
| The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc.. | |||||
| CVE-2022-36337 | 1 Insyde | 1 Kernel | 2022-11-30 | N/A | 8.2 HIGH |
| An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow vulnerability in the MebxConfiguration driver leads to arbitrary code execution. Control of a UEFI variable under the OS can cause this overflow when read by BIOS code. | |||||
| CVE-2022-3589 | 1 Miele | 1 Appwash | 2022-11-30 | N/A | 8.1 HIGH |
| An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability. | |||||
| CVE-2022-3490 | 1 Themehigh | 1 Checkout Field Editor For Woocommerce | 2022-11-30 | N/A | 7.2 HIGH |
| The Checkout Field Editor (Checkout Manager) for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present | |||||
| CVE-2022-3603 | 1 Piwebsolution | 1 Export Customers List Csv For Woocommerce | 2022-11-30 | N/A | 9.8 CRITICAL |
| The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection. | |||||
| CVE-2021-25059 | 1 Metagauss | 1 Download Plugin | 2022-11-30 | N/A | 4.3 MEDIUM |
| The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website. | |||||
| CVE-2022-45146 | 2 Bouncycastle, Oracle | 2 Fips Java Api, Jdk | 2022-11-30 | N/A | 5.5 MEDIUM |
| An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11. | |||||
| CVE-2022-38147 | 1 Silverstripe | 1 Framework | 2022-11-30 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 of 3). | |||||
| CVE-2022-37421 | 1 Silverstripe | 1 Silverstripe | 2022-11-30 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/cms through 4.11.0 allows XSS. | |||||
| CVE-2022-42095 | 1 Backdropcms | 1 Backdrop Cms | 2022-11-30 | N/A | 4.8 MEDIUM |
| Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content. | |||||
| CVE-2022-38145 | 1 Silverstripe | 1 Framework | 2022-11-30 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 of 3) via remote attackers adding a Javascript payload to a page's meta description and get it executed in the versioned history compare view. | |||||
| CVE-2022-37430 | 1 Silverstripe | 1 Framework | 2022-11-30 | N/A | 5.4 MEDIUM |
| Silverstripe silverstripe/framework through 4.11 allows XSS vulnerability via href attribute of a link (issue 2 of 2). | |||||
| CVE-2022-41922 | 1 Yiiframework | 1 Yii | 2022-11-30 | N/A | 9.8 CRITICAL |
| `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | |||||
| CVE-2022-39067 | 1 Zte | 2 Mf286r, Mf286r Firmware | 2022-11-30 | N/A | 6.5 MEDIUM |
| There is a buffer overflow vulnerability in ZTE MF286R. Due to lack of input validation on parameters of the wifi interface, an authenticated attacker could use the vulnerability to perform a denial of service attack. | |||||
| CVE-2022-39066 | 1 Zte | 2 Mf286r, Mf286r Firmware | 2022-11-30 | N/A | 8.8 HIGH |
| There is a SQL injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters of the phonebook interface, an authenticated attacker could use the vulnerability to execute arbitrary SQL injection. | |||||
| CVE-2022-32966 | 1 Realtek | 2 Rtl8111fp-cg, Rtl8111fp-cg Firmware | 2022-11-29 | N/A | 6.5 MEDIUM |
| RTL8168FP-CG Dash remote management function has missing authorization. An unauthenticated attacker within the adjacent network can connect to DASH service port to disrupt service. | |||||
| CVE-2022-45221 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2022-11-29 | N/A | 4.8 MEDIUM |
| Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in changepassword.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtnew_password parameter. | |||||
| CVE-2022-45214 | 1 Sanitization Management System Project | 1 Sanitization Management System | 2022-11-29 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter at /php-sms/classes/Login.php. | |||||
| CVE-2022-42100 | 1 Klik Project | 1 Klik | 2022-11-29 | N/A | 5.4 MEDIUM |
| KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location input reply-form. | |||||
| CVE-2022-42099 | 1 Klik Project | 1 Klik | 2022-11-29 | N/A | 5.4 MEDIUM |
| KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location Forum Subject input. | |||||