Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39070 | 1 Zte | 4 Zxa10 C300m, Zxa10 C300m Firmware, Zxa10 C350m and 1 more | 2022-11-28 | N/A | 9.8 CRITICAL |
| There is an access control vulnerability in some ZTE PON OLT products. Due to improper access control settings, remote attackers could use the vulnerability to log in to the device and execute any operation. | |||||
| CVE-2022-45907 | 1 Linuxfoundation | 1 Pytorch | 2022-11-28 | N/A | 9.8 CRITICAL |
| In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. | |||||
| CVE-2022-44401 | 1 Online Tours \& Travels Management System Project | 1 Online Tours \& Travels Management System | 2022-11-28 | N/A | 9.8 CRITICAL |
| Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php. | |||||
| CVE-2022-36193 | 1 School Management System Project | 1 School Management System | 2022-11-28 | N/A | 9.8 CRITICAL |
| SQL injection in School Management System 1.0 allows remote attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries. | |||||
| CVE-2022-44400 | 1 Purchase Order Management System Project | 1 Purchase Order Management System | 2022-11-28 | N/A | 9.8 CRITICAL |
| Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info. | |||||
| CVE-2009-1142 | 1 Vmware | 1 Open Vm Tools | 2022-11-28 | N/A | 6.7 MEDIUM |
| An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can gain privileges via a symlink attack on /tmp files if vmware-user-suid-wrapper is setuid root and the ChmodChownDirectory function is enabled. | |||||
| CVE-2021-35284 | 1 Cms-php Project | 1 Cms-php | 2022-11-28 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in function get_user in login_manager.php in rizalafani cms-php v1. | |||||
| CVE-2009-1143 | 1 Vmware | 1 Open-vm-tools | 2022-11-28 | N/A | 7.0 HIGH |
| An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter). | |||||
| CVE-2022-38115 | 1 Solarwinds | 1 Security Event Manager | 2022-11-28 | N/A | 5.3 MEDIUM |
| Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT | |||||
| CVE-2022-38114 | 1 Solarwinds | 1 Security Event Manager | 2022-11-28 | N/A | 6.1 MEDIUM |
| This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS. | |||||
| CVE-2022-38113 | 1 Solarwinds | 1 Security Event Manager | 2022-11-28 | N/A | 5.3 MEDIUM |
| This vulnerability discloses build and services versions in the server response header. | |||||
| CVE-2022-35501 | 1 Amasty | 1 Blog Pro | 2022-11-28 | N/A | 5.4 MEDIUM |
| Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 because of the duplicate post function. | |||||
| CVE-2021-25220 | 4 Fedoraproject, Isc, Netapp and 1 more | 19 Fedora, Bind, Baseboard Management Controller H300e and 16 more | 2022-11-28 | 4.0 MEDIUM | 6.8 MEDIUM |
| BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients. | |||||
| CVE-2021-35246 | 1 Solarwinds | 1 Engineer\'s Toolset | 2022-11-28 | N/A | 5.3 MEDIUM |
| The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users. | |||||
| CVE-2022-2928 | 3 Debian, Fedoraproject, Isc | 3 Debian Linux, Fedora, Dhcp | 2022-11-28 | N/A | 6.5 MEDIUM |
| In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort. | |||||
| CVE-2022-44280 | 1 Automotive Shop Management System Project | 1 Automotive Shop Management System | 2022-11-28 | N/A | 6.5 MEDIUM |
| Automotive Shop Management System v1.0 is vulnerable to Delete any file via /asms/classes/Master.php?f=delete_img. | |||||
| CVE-2022-44278 | 1 Sanitization Management System Project | 1 Sanitization Management System | 2022-11-28 | N/A | 7.2 HIGH |
| Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=user/manage_user&id=. | |||||
| CVE-2022-30257 | 1 Technitium | 1 Dns Server | 2022-11-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V1 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names. | |||||
| CVE-2022-30258 | 1 Technitium | 1 Dns Server | 2022-11-28 | N/A | 9.8 CRITICAL |
| An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V2 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names. | |||||
| CVE-2022-40954 | 1 Apache | 2 Airflow, Apache-airflow-providers-apache-spark | 2022-11-28 | N/A | 5.5 MEDIUM |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbtrary files in the task execution context, without write access to DAG files. This issue affects Spark Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Spark Provider is installed (Spark Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Spark Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version that has lower version of the Spark Provider installed). | |||||