Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44790 | 7 Apache, Apple, Debian and 4 more | 14 Http Server, Mac Os X, Macos and 11 more | 2022-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. | |||||
| CVE-2021-44224 | 6 Apache, Apple, Debian and 3 more | 12 Http Server, Mac Os X, Macos and 9 more | 2022-11-02 | 6.4 MEDIUM | 8.2 HIGH |
| A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). | |||||
| CVE-2022-41644 | 1 Deltaww | 1 Infrasuite Device Master | 2022-11-02 | N/A | 8.8 HIGH |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lacks authentication for a function that changes group privileges. An attacker could use this to create a denial-of-service state or escalate their own privileges. | |||||
| CVE-2022-41629 | 1 Deltaww | 1 Infrasuite Device Master | 2022-11-02 | N/A | 9.1 CRITICAL |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords. | |||||
| CVE-2022-40202 | 1 Deltaww | 1 Infrasuite Device Master | 2022-11-02 | N/A | 9.8 CRITICAL |
| The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when deserialized, could activate an opcode for a backup scheduling function without authentication. This function allows the user to designate all function arguments and the file to be executed. This could allow the attacker to start any new process and achieve remote code execution. | |||||
| CVE-2022-38142 | 1 Deltaww | 1 Infrasuite Device Master | 2022-11-02 | N/A | 9.8 CRITICAL |
| Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-Gateway service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization. | |||||
| CVE-2022-39294 | 1 Conduit-hyper Project | 1 Conduit-hyper | 2022-11-02 | N/A | 7.5 HIGH |
| conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](https://docs.rs/hyper/latest/hyper/body/fn.to_bytes.html). An attacker could send a malicious request with an abnormally large `Content-Length`, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per request, otherwise returning status 400 ("Bad Request"). This crate is part of the implementation of Rust's [crates.io](https://crates.io/), but that service is not affected due to its existing cloud infrastructure, which already drops such malicious requests. Even with the new limit in place, `conduit-hyper` is not recommended for production use, nor to directly serve the public Internet. | |||||
| CVE-2022-43083 | 1 Vehicle Booking System Project | 1 Vehicle Booking System | 2022-11-02 | N/A | 7.2 HIGH |
| An arbitrary file upload vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-43082 | 1 Fast Food Ordering System Project | 1 Fast Food Ordering System | 2022-11-02 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /fastfood/purchase.php of Fast Food Ordering System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter. | |||||
| CVE-2022-43084 | 1 Vehicle Booking System Project | 1 Vehicle Booking System | 2022-11-02 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v_name parameter. | |||||
| CVE-2022-43081 | 1 Fast Food Ordering System Project | 1 Fast Food Ordering System | 2022-11-01 | N/A | 7.5 HIGH |
| Fast Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the component /fastfood/purchase.php. | |||||
| CVE-2022-43079 | 1 Train Scheduler App Project | 1 Train Scheduler App | 2022-11-01 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Train Scheduler App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter. | |||||
| CVE-2022-43152 | 1 Tsmuxer Project | 1 Tsmuxer | 2022-11-01 | N/A | 5.5 MEDIUM |
| tsMuxer v2.6.16 was discovered to contain a heap overflow via the function BitStreamWriter::flushBits() at /tsMuxer/bitStream.h. | |||||
| CVE-2022-43151 | 1 Timg Project | 1 Timg | 2022-11-01 | N/A | 5.5 MEDIUM |
| timg v1.4.4 was discovered to contain a memory leak via the function timg::QueryBackgroundColor() at /timg/src/term-query.cc. | |||||
| CVE-2022-43127 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2022-11-01 | N/A | 7.2 HIGH |
| Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /appointments/update_status.php. | |||||
| CVE-2022-43126 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2022-11-01 | N/A | 7.2 HIGH |
| Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/tests/manage_test.php. | |||||
| CVE-2022-43125 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2022-11-01 | N/A | 7.2 HIGH |
| Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /appointments/manage_appointment.php. | |||||
| CVE-2022-43124 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2022-11-01 | N/A | 7.2 HIGH |
| Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=user/manage_user. | |||||
| CVE-2022-43086 | 1 Restaurant Pos System Project | 1 Restaurant Pos System | 2022-11-01 | N/A | 4.9 MEDIUM |
| Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via update_customer.php. | |||||
| CVE-2022-43078 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2022-11-01 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter. | |||||