Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-38197 | 1 Esri | 1 Arcgis Server | 2022-10-31 | N/A | 6.1 MEDIUM |
| Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter. | |||||
| CVE-2022-38196 | 1 Esri | 1 Arcgis Server | 2022-10-31 | N/A | 8.1 HIGH |
| Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory. | |||||
| CVE-2022-2126 | 4 Apple, Debian, Fedoraproject and 1 more | 4 Macos, Debian Linux, Fedora and 1 more | 2022-10-31 | 6.8 MEDIUM | 7.8 HIGH |
| Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. | |||||
| CVE-2022-38436 | 3 Adobe, Apple, Microsoft | 3 Illustrator, Macos, Windows | 2022-10-31 | N/A | 7.8 HIGH |
| Adobe Illustrator versions 26.4 (and earlier) and 25.4.7 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2022-38435 | 3 Adobe, Apple, Microsoft | 3 Illustrator, Macos, Windows | 2022-10-31 | N/A | 7.8 HIGH |
| Adobe Illustrator versions 26.4 (and earlier) and 25.4.7 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2022-38200 | 1 Esri | 1 Arcgis Server | 2022-10-31 | N/A | 6.1 MEDIUM |
| A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser. | |||||
| CVE-2022-38162 | 1 Withsecure | 1 F-secure Policy Manager | 2022-10-31 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting (XSS) vulnerabilities in WithSecure through 2022-08-10) exists within the F-Secure Policy Manager due to an unvalidated parameter in the endpoint, which allows remote attackers to provide a malicious input. | |||||
| CVE-2022-38744 | 1 Rockwellautomation | 1 Factorytalk Alarms And Events | 2022-10-31 | N/A | 7.5 HIGH |
| An unauthenticated attacker with network access to a victim's Rockwell Automation FactoryTalk Alarm and Events service could open a connection, causing the service to fault and become unavailable. The affected port could be used as a server ping port and uses messages structured with XML. | |||||
| CVE-2022-3409 | 1 Openbmc-project | 1 Openbmc | 2022-10-31 | N/A | 7.5 HIGH |
| A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. This vulnerability was identified during mitigation for CVE-2022-2809. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS. | |||||
| CVE-2022-36452 | 1 Mitel | 1 Micollab | 2022-10-31 | N/A | 9.8 CRITICAL |
| A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application. | |||||
| CVE-2022-36182 | 1 Hashicorp | 1 Boundary | 2022-10-31 | N/A | 6.1 MEDIUM |
| Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. | |||||
| CVE-2022-2809 | 1 Openbmc-project | 1 Openbmc | 2022-10-31 | N/A | 7.5 HIGH |
| A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS. | |||||
| CVE-2022-3300 | 1 10web | 1 Form Maker | 2022-10-28 | N/A | 7.2 HIGH |
| The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin | |||||
| CVE-2022-39350 | 1 Owasp | 1 Dependency-track Frontend | 2022-10-28 | N/A | N/A |
| @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: Description, Details, Recommendation, or References. The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerability's page. Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track. However, this attack vector is highly unlikely, and the maintainers of Dependency-Track are not aware of any occurrence of this happening. Note that the `Vulnerability Details` element of the `Audit Vulnerabilities` tab in the project view is not affected. The issue has been fixed in frontend version 4.6.1. | |||||
| CVE-2022-43233 | 1 Canteen Management System Project | 1 Canteen Management System | 2022-10-28 | N/A | 7.2 HIGH |
| Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchSelectedUser.php. | |||||
| CVE-2022-43232 | 1 Canteen Management System Project | 1 Canteen Management System | 2022-10-28 | N/A | 7.2 HIGH |
| Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchOrderData.php. | |||||
| CVE-2022-43231 | 1 Canteen Management System Project | 1 Canteen Management System | 2022-10-28 | N/A | 7.2 HIGH |
| Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /youthappam/manage_website.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. | |||||
| CVE-2022-43230 | 1 Simple Cold Storage Management System Project | 1 Simple Cold Storage Managment System | 2022-10-28 | N/A | 7.2 HIGH |
| Simple Cold Storage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/?page=bookings/view_details. | |||||
| CVE-2022-43228 | 1 Barangay Management System Project | 1 Barangay Management System | 2022-10-28 | N/A | 7.2 HIGH |
| Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /clearance/clearance.php. | |||||
| CVE-2022-42992 | 1 Train Scheduler App Project | 1 Train Scheduler App | 2022-10-28 | N/A | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in Train Scheduler App v1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Train Code, Train Name, and Destination text fields. | |||||