cyradm — web-cyradm
  A vulnerability classified as problematic has been found in web-cyradm. This affects an unknown part of the file search.php. The manipulation of the argument searchstring leads to sql injection. It is recommended to apply a patch to fix this issue. The identifier VDB-217449 was assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2007-10001
MISC
MISC
MISC titlelink — titlelink
  A vulnerability classified as critical was found in gesellix titlelink. Affected by this vulnerability is an unknown functionality of the file plugin_content_title.php. The manipulation of the argument phrase leads to sql injection. The name of the patch is b4604e523853965fa981a4e79aef4b554a535db0. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217351. 2023-01-04 not yet calculated CVE-2010-10003
MISC
MISC
MISC rivettracker — rivettracker
  A vulnerability was found in ahmyi RivetTracker. It has been declared as problematic. Affected by this vulnerability is the function changeColor of the file css.php. The manipulation of the argument set_css leads to cross site scripting. The attack can be launched remotely. The name of the patch is 45a0f33876d58cb7e4a0f17da149e58fc893b858. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217267. 2023-01-03 not yet calculated CVE-2012-10002
MISC
MISC
MISC
MISC rivettracker — rivettracker
  A vulnerability, which was classified as problematic, has been found in ahmyi RivetTracker. This issue affects some unknown processing. The manipulation of the argument $_SERVER[‘PHP_SELF’] leads to cross site scripting. The attack may be initiated remotely. The name of the patch is f053c5cc2bc44269b0496b5f275e349928a92ef9. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217271. 2023-01-03 not yet calculated CVE-2012-10003
MISC
MISC
MISC
MISC ziftr — primecoin A vulnerability classified as problematic was found in Ziftr primecoin up to 0.8.4rc1. Affected by this vulnerability is the function HTTPAuthorized of the file src/bitcoinrpc.cpp. The manipulation of the argument strUserPass/strRPCUserColonPass leads to observable timing discrepancy. Upgrading to version 0.8.4rc2 is able to address this issue. The name of the patch is cdb3441b5cd2c1bae49fae671dc4a496f7c96322. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217171. 2023-01-01 not yet calculated CVE-2013-10006
MISC
MISC
MISC
MISC wp-print-friendly — wp-print-friendly
  A vulnerability classified as problematic has been found in ethitter WP-Print-Friendly up to 0.5.2. This affects an unknown part of the file wp-print-friendly.php. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. Upgrading to version 0.5.3 is able to address this issue. The name of the patch is 437787292670c20b4abe20160ebbe8428187f2b4. It is recommended to upgrade the affected component. The identifier VDB-217269 was assigned to this vulnerability. 2023-01-03 not yet calculated CVE-2013-10007
MISC
MISC
MISC
MISC eshop — eshop A vulnerability was found in sheilazpy eShop. It has been classified as critical. Affected is an unknown function. The manipulation leads to sql injection. The name of the patch is e096c5849c4dc09e1074104531014a62a5413884. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217572. 2023-01-06 not yet calculated CVE-2013-10008
MISC
MISC
MISC pychao — pychao A vulnerability was found in DrAzraelTod pyChao and classified as critical. Affected by this issue is the function klauen/lesen of the file mod_fun/__init__.py. The manipulation leads to sql injection. The name of the patch is 9d8adbc07c384ba51c2583ce0819c9abb77dc648. It is recommended to apply a patch to fix this issue. VDB-217634 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2013-10009
MISC
MISC
MISC
MISC tbdev — tbdev
  A vulnerability has been found in Yuna Scatari TBDev up to 2.1.17 and classified as problematic. Affected by this vulnerability is the function get_user_icons of the file usersearch.php. The manipulation of the argument n/r/r2/em/ip/co/ma/d/d2/ul/ul2/ls/ls2/dl/dl2 leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.1.18 is able to address this issue. The name of the patch is 0ba3fd4be29dd48fa4455c236a9403b3149a4fd4. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217147. 2022-12-31 not yet calculated CVE-2014-125027
MISC
MISC
MISC
MISC paginationserviceprovider — paginationserviceprovider
  A vulnerability was found in ttskch PaginationServiceProvider up to 0.x. It has been declared as critical. This vulnerability affects unknown code of the file demo/index.php of the component demo. The manipulation of the argument sort/id leads to sql injection. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 619de478efce17ece1a3b913ab16e40651e1ea7b. It is recommended to upgrade the affected component. VDB-217150 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2014-125029
MISC
MISC
MISC
MISC taoeffect — empress
  A vulnerability, which was classified as critical, has been found in taoeffect Empress. Affected by this issue is some unknown functionality. The manipulation leads to use of hard-coded password. The name of the patch is 557e177d8a309d6f0f26de46efb38d43e000852d. It is recommended to apply a patch to fix this issue. VDB-217154 is the identifier assigned to this vulnerability. 2023-01-01 not yet calculated CVE-2014-125030
MISC
MISC
MISC
MISC teknet — teknet
  A vulnerability was found in kirill2485 TekNet. It has been classified as problematic. Affected is an unknown function of the file pages/loggedin.php. The manipulation of the argument statusentery leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 1c575340539f983333aa43fc58ecd76eb53e1816. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217176. 2023-01-02 not yet calculated CVE-2014-125031
MISC
MISC
MISC go-with-me — go-with-me
  A vulnerability was found in porpeeranut go-with-me. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file module/frontend/add.php. The manipulation leads to sql injection. The name of the patch is b92451e4f9e85e26cf493c95ea0a69e354c35df9. It is recommended to apply a patch to fix this issue. The identifier VDB-217177 was assigned to this vulnerability. 2023-01-02 not yet calculated CVE-2014-125032
MISC
MISC
MISC ruby_on_rails — rails-cv-app
  A vulnerability was found in rails-cv-app. It has been rated as problematic. Affected by this issue is some unknown functionality of the file app/controllers/uploaded_files_controller.rb. The manipulation with the input ../../../etc/passwd leads to path traversal: ‘../filedir’. The exploit has been disclosed to the public and may be used. The name of the patch is 0d20362af0a5f8a126f67c77833868908484a863. It is recommended to apply a patch to fix this issue. VDB-217178 is the identifier assigned to this vulnerability. 2023-01-02 not yet calculated CVE-2014-125033
MISC
MISC
MISC contact_app — contact_app
  A vulnerability has been found in stiiv contact_app and classified as problematic. Affected by this vulnerability is the function render of the file libs/View.php. The manipulation of the argument var leads to cross site scripting. The attack can be launched remotely. The name of the patch is 67bec33f559da9d41a1b45eb9e992bd8683a7f8c. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217183. 2023-01-02 not yet calculated CVE-2014-125034
MISC
MISC
MISC wordpress — wordpress
  A vulnerability classified as problematic was found in Jobs-Plugin. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. The name of the patch is b8a56718b1d42834c6ec51d9c489c5dc20471d7b. It is recommended to apply a patch to fix this issue. The identifier VDB-217189 was assigned to this vulnerability. 2023-01-02 not yet calculated CVE-2014-125035
MISC
MISC
MISC
MISC ansible-ntp — ansible-ntp
  A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to insufficient control of network message volume. The attack can only be done within the local network. The name of the patch is ed4ca2cf012677973c220cdba36b5c60bfa0260b. It is recommended to apply a patch to fix this issue. VDB-217190 is the identifier assigned to this vulnerability. 2023-01-02 not yet calculated CVE-2014-125036
MISC
MISC
MISC license_to_kill — license_to_kill
  A vulnerability, which was classified as critical, was found in License to Kill. This affects an unknown part of the file models/injury.rb. The manipulation of the argument name leads to sql injection. The name of the patch is cd11cf174f361c98e9b1b4c281aa7b77f46b5078. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217191. 2023-01-02 not yet calculated CVE-2014-125037
MISC
MISC
MISC is_projecto2 — is_projecto2
  A vulnerability has been found in IS_Projecto2 and classified as critical. This vulnerability affects unknown code of the file Cnn-EJB/ejbModule/ejbs/NewsBean.java. The manipulation of the argument date leads to sql injection. The name of the patch is aa128b2c9c9fdcbbf5ecd82c1e92103573017fe0. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217192. 2023-01-02 not yet calculated CVE-2014-125038
MISC
MISC
MISC neoxplora — neoxplora
  A vulnerability, which was classified as problematic, has been found in kkokko NeoXplora. Affected by this issue is some unknown functionality of the component Trainer Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is dce1aecd6ee050a29f953ffd8f02f21c7c13f1e6. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217352. 2023-01-04 not yet calculated CVE-2014-125039
MISC
MISC
MISC devnewsaggregator — devnewsaggregator
  A vulnerability was found in stevejagodzinski DevNewsAggregator. It has been rated as critical. Affected by this issue is the function getByName of the file php/data_access/RemoteHtmlContentDataAccess.php. The manipulation of the argument name leads to sql injection. The name of the patch is b9de907e7a8c9ca9d75295da675e58c5bf06b172. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217484. 2023-01-05 not yet calculated CVE-2014-125040
MISC
MISC
MISC pr-cwt — pr-cwt
  A vulnerability classified as critical was found in Miccighel PR-CWT. This vulnerability affects unknown code. The manipulation leads to sql injection. The name of the patch is e412127d07004668e5a213932c94807d87067a1f. It is recommended to apply a patch to fix this issue. VDB-217486 is the identifier assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2014-125041
MISC
MISC
MISC networkmanager — networkmanager
  A vulnerability classified as problematic was found in vicamo NetworkManager. Affected by this vulnerability is the function nm_setting_vlan_add_priority_str/nm_utils_rsa_key_encrypt/nm_setting_vlan_add_priority_str. The manipulation leads to missing release of resource. The name of the patch is afb0e2c53c4c17dfdb89d63b39db5101cc864704. It is recommended to apply a patch to fix this issue. The identifier VDB-217513 was assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2014-125042
MISC
MISC
MISC networkmanager — networkmanager
  A vulnerability, which was classified as problematic, has been found in vicamo NetworkManager. Affected by this issue is the function send_arps of the file src/devices/nm-device.c. The manipulation leads to unchecked return value. The name of the patch is 4da19b89815cbf6e063e39bc33c04fe4b3f789df. It is recommended to apply a patch to fix this issue. VDB-217514 is the identifier assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2014-125043
MISC
MISC
MISC wing-tight — wing-tight
  A vulnerability, which was classified as critical, was found in soshtolsus wing-tight. This affects an unknown part of the file index.php. The manipulation of the argument p leads to file inclusion. It is possible to initiate the attack remotely. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 567bc33e6ed82b0d0179c9add707ac2b257aeaf2. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217515. 2023-01-05 not yet calculated CVE-2014-125044
MISC
MISC
MISC
MISC meol1 — opdracht
  A vulnerability has been found in meol1 and classified as critical. Affected by this vulnerability is the function GetAnimal of the file opdracht4/index.php. The manipulation of the argument where leads to sql injection. The name of the patch is 82441e413f87920d1e8f866e8ef9d7f353a7c583. It is recommended to apply a patch to fix this issue. The identifier VDB-217525 was assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2014-125045
MISC
MISC
MISC cub-scout-tracker — cub-scout-tracker
  A vulnerability, which was classified as critical, was found in Seiji42 cub-scout-tracker. This affects an unknown part of the file databaseAccessFunctions.js. The manipulation leads to sql injection. The name of the patch is b4bc1a328b1f59437db159f9d136d9ed15707e31. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217551. 2023-01-06 not yet calculated CVE-2014-125046
MISC
MISC
MISC school-store — school-store
  A vulnerability classified as critical has been found in tbezman school-store. This affects an unknown part. The manipulation leads to sql injection. The name of the patch is 2957fc97054216d3a393f1775efd01ae2b072001. It is recommended to apply a patch to fix this issue. The identifier VDB-217557 was assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2014-125047
MISC
MISC
MISC xingwall — xingwall
  A vulnerability, which was classified as critical, has been found in kassi xingwall. This issue affects some unknown processing of the file app/controllers/oauth.js. The manipulation leads to session fixiation. The name of the patch is e9f0d509e1408743048e29d9c099d36e0e1f6ae7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217559. 2023-01-06 not yet calculated CVE-2014-125048
MISC
MISC
MISC voter-js — voter-js
  A vulnerability was found in ScottTZhang voter-js and classified as critical. Affected by this issue is some unknown functionality of the file main.js. The manipulation leads to sql injection. The name of the patch is 6317c67a56061aeeaeed3cf9ec665fd9983d8044. It is recommended to apply a patch to fix this issue. VDB-217562 is the identifier assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2014-125050
MISC
MISC
MISC
MISC jqgrid-widget — yii2-jqgrid-widget
  A vulnerability was found in himiklab yii2-jqgrid-widget up to 1.0.7. It has been declared as critical. This vulnerability affects the function addSearchOptionsRecursively of the file JqGridAction.php. The manipulation leads to sql injection. Upgrading to version 1.0.8 is able to address this issue. The name of the patch is a117e0f2df729e3ff726968794d9a5ac40e660b9. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217564. 2023-01-06 not yet calculated CVE-2014-125051
MISC
MISC
MISC
MISC sparql-identifiers — sparql-identifiers
  A vulnerability was found in JervenBolleman sparql-identifiers and classified as critical. This issue affects some unknown processing of the file src/main/java/org/identifiers/db/RegistryDao.java. The manipulation leads to sql injection. The name of the patch is 44bb0db91c064e305b192fc73521d1dfd25bde52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217571. 2023-01-06 not yet calculated CVE-2014-125052
MISC
MISC
MISC piwigo — piwigo-guest-book
  A vulnerability was found in Piwigo-Guest-Book up to 1.3.0. It has been declared as critical. This vulnerability affects unknown code of the file include/guestbook.inc.php of the component Navigation Bar. The manipulation of the argument start leads to sql injection. Upgrading to version 1.3.1 is able to address this issue. The name of the patch is 0cdd1c388edf15089c3a7541cefe7756e560581d. It is recommended to upgrade the affected component. VDB-217582 is the identifier assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2014-125053
MISC
MISC
MISC
MISC redditonrails — redditonrails
  A vulnerability classified as critical was found in koroket RedditOnRails. This vulnerability affects unknown code of the component Vote Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The name of the patch is 7f3c7407d95d532fcc342b00d68d0ea09ca71030. It is recommended to apply a patch to fix this issue. VDB-217594 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2014-125054
MISC
MISC
MISC easy-scrypt — easy-scrypt
  A vulnerability, which was classified as problematic, was found in agnivade easy-scrypt. Affected is the function VerifyPassphrase of the file scrypt.go. The manipulation leads to observable timing discrepancy. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 477c10cf3b144ddf96526aa09f5fdea613f21812. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217596. 2023-01-07 not yet calculated CVE-2014-125055
MISC
MISC
MISC
MISC pylons — horus
  A vulnerability was found in Pylons horus and classified as problematic. Affected by this issue is some unknown functionality of the file horus/flows/local/services.py. The manipulation leads to observable timing discrepancy. The name of the patch is fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec. It is recommended to apply a patch to fix this issue. VDB-217598 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2014-125056
MISC
MISC
MISC robitailletheknot — robitailletheknot
  A vulnerability was found in mrobit robitailletheknot. It has been classified as problematic. This affects an unknown part of the file app/filters.php of the component CSRF Token Handler. The manipulation of the argument _token leads to incorrect comparison. It is possible to initiate the attack remotely. The name of the patch is 6b2813696ccb88d0576dfb305122ee880eb36197. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217599. 2023-01-07 not yet calculated CVE-2014-125057
MISC
MISC
MISC project3 — project3
  A vulnerability was found in LearnMeSomeCodes project3 and classified as critical. This issue affects the function search_first_name of the file search.rb. The manipulation leads to sql injection. The name of the patch is d3efa17ae9f6b2fc25a6bbcf165cefed17c7035e. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217607. NOTE: Maintainer is aware of this issue as remarked in the source code. 2023-01-07 not yet calculated CVE-2014-125058
MISC
MISC
MISC sternenblog — sternenblog
  A vulnerability, which was classified as problematic, has been found in sternenseemann sternenblog. This issue affects the function blog_index of the file main.c. The manipulation of the argument post_path leads to file inclusion. The attack may be initiated remotely. Upgrading to version 0.1.0 is able to address this issue. The name of the patch is cf715d911d8ce17969a7926dea651e930c27e71a. It is recommended to upgrade the affected component. The identifier VDB-217613 was assigned to this vulnerability. NOTE: This case is rather theoretical and probably won’t happen. Maybe only on obscure Web servers. 2023-01-07 not yet calculated CVE-2014-125059
MISC
MISC
MISC
MISC sternenblog — sternenblog
  A vulnerability, which was classified as critical, was found in holdennb CollabCal. Affected is the function handleGet of the file calenderServer.cpp. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The name of the patch is b80f6d1893607c99e5113967592417d0fe310ce6. It is recommended to apply a patch to fix this issue. VDB-217614 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2014-125060
MISC
MISC
MISC bitstorm — bitstorm
  A vulnerability classified as critical was found in ananich bitstorm. Affected by this vulnerability is an unknown functionality of the file announce.php. The manipulation of the argument event leads to sql injection. The name of the patch is ea8da92f94cdb78ee7831e1f7af6258473ab396a. It is recommended to apply a patch to fix this issue. The identifier VDB-217621 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2014-125062
MISC
MISC
MISC bid — bid
  A vulnerability was found in ada-l0velace Bid and classified as critical. This issue affects some unknown processing. The manipulation leads to sql injection. The name of the patch is abd71140b8219fa8741d0d8a57ab27d5bfd34222. It is recommended to apply a patch to fix this issue. The identifier VDB-217625 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2014-125063
MISC
MISC
MISC gosqljson — gosqljson A vulnerability, which was classified as critical, has been found in elgs gosqljson. This issue affects the function QueryDbToArray/QueryDbToMap/ExecDb of the file gosqljson.go. The manipulation of the argument sqlStatement leads to sql injection. The name of the patch is 2740b331546cb88eb61771df4c07d389e9f0363a. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217631. 2023-01-07 not yet calculated CVE-2014-125064
MISC
MISC
MISC bottle-auth — bottle-auth
  A vulnerability, which was classified as critical, was found in john5223 bottle-auth. Affected is an unknown function. The manipulation leads to sql injection. The name of the patch is 99cfbcc0c1429096e3479744223ffb4fda276875. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217632. 2023-01-07 not yet calculated CVE-2014-125065
MISC
MISC
MISC ingnovarq — ingnovarq
  A vulnerability, which was classified as problematic, has been found in admont28 Ingnovarq. Affected by this issue is some unknown functionality of the file app/controller/insertarSliderAjax.php. The manipulation of the argument imagetitle leads to cross site scripting. The attack may be launched remotely. The name of the patch is 9d18a39944d79dfedacd754a742df38f99d3c0e2. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217172. 2023-01-01 not yet calculated CVE-2015-10006
MISC
MISC
MISC nterchange — nterchange
  A vulnerability was found in nterchange up to 4.1.0. It has been rated as critical. This issue affects the function getContent of the file app/controllers/code_caller_controller.php. The manipulation of the argument q with the input %5C%27%29;phpinfo%28%29;/* leads to code injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.1 is able to address this issue. The name of the patch is fba7d89176fba8fe289edd58835fe45080797d99. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217187. 2023-01-02 not yet calculated CVE-2015-10009
MISC
MISC
MISC
MISC opendns — openresolve
  A vulnerability was found in OpenDNS OpenResolve. It has been rated as problematic. Affected by this issue is the function get of the file resolverapi/endpoints.py of the component API. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is c680170d5583cd9342fe1af43001fe8b2b8004dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217196. 2023-01-02 not yet calculated CVE-2015-10010
MISC
MISC
MISC opendns — openresolve
  A vulnerability classified as problematic has been found in OpenDNS OpenResolve. This affects an unknown part of the file resolverapi/endpoints.py. The manipulation leads to improper output neutralization for logs. The name of the patch is 9eba6ba5abd89d0e36a008921eb307fcef8c5311. It is recommended to apply a patch to fix this issue. The identifier VDB-217197 was assigned to this vulnerability. 2023-01-02 not yet calculated CVE-2015-10011
MISC
MISC
MISC webdevstudios — taxonomy-switcher_plugin
  A vulnerability was found in WebDevStudios taxonomy-switcher Plugin up to 1.0.3. It has been classified as problematic. Affected is the function taxonomy_switcher_init of the file taxonomy-switcher.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.4 is able to address this issue. It is recommended to upgrade the affected component. VDB-217446 is the identifier assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2015-10013
MISC
MISC
MISC
MISC uke — uke
  A vulnerability classified as critical has been found in arekk uke. This affects an unknown part of the file lib/uke/finder.rb. The manipulation leads to sql injection. The name of the patch is 52fd3b2d0bc16227ef57b7b98a3658bb67c1833f. It is recommended to apply a patch to fix this issue. The identifier VDB-217485 was assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2015-10014
MISC
MISC
MISC glidernet — ogn-live
  A vulnerability, which was classified as critical, has been found in glidernet ogn-live. This issue affects some unknown processing. The manipulation leads to sql injection. The name of the patch is bc0f19965f760587645583b7624d66a260946e01. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217487. 2023-01-05 not yet calculated CVE-2015-10015
MISC
MISC
MISC
MISC opensim-utils — opensim-utils
  A vulnerability, which was classified as critical, has been found in jeff-kelley opensim-utils. Affected by this issue is the function DatabaseForRegion of the file regionscrits.php. The manipulation of the argument region leads to sql injection. The name of the patch is c29e5c729a833a29dbf5b1e505a0553fe154575e. It is recommended to apply a patch to fix this issue. VDB-217550 is the identifier assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2015-10016
MISC
MISC
MISC information-systems — prolod
  A vulnerability has been found in HPI-Information-Systems ProLOD and classified as critical. This vulnerability affects unknown code. The manipulation of the argument this leads to sql injection. The name of the patch is 3f710905458d49c77530bd3cbcd8960457566b73. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217552. 2023-01-06 not yet calculated CVE-2015-10017
MISC
MISC
MISC d2files — d2files
  A vulnerability has been found in DBRisinajumi d2files and classified as critical. Affected by this vulnerability is the function actionUpload/actionDownloadFile of the file controllers/D2filesController.php. The manipulation leads to sql injection. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is b5767f2ec9d0f3cbfda7f13c84740e2179c90574. It is recommended to upgrade the affected component. The identifier VDB-217561 was assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2015-10018
MISC
MISC
MISC
MISC mysimplifiedsql — mysimplifiedsql
  A vulnerability, which was classified as problematic, has been found in foxoverflow MySimplifiedSQL. This issue affects some unknown processing of the file MySimplifiedSQL_Examples.php. The manipulation of the argument FirstName/LastName leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 3b7481c72786f88041b7c2d83bb4f219f77f1293. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217595. 2023-01-07 not yet calculated CVE-2015-10019
MISC
MISC
MISC definely — definely
  A vulnerability was found in ritterim definely. It has been classified as problematic. Affected is an unknown function of the file src/database.js. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is b31a022ba4d8d17148445a13ebb5a42ad593dbaa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217608. 2023-01-07 not yet calculated CVE-2015-10021
MISC
MISC
MISC
MISC nlgis2– nlgis2
  A vulnerability was found in IISH nlgis2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file scripts/etl/custom_import.pl. The manipulation leads to sql injection. The name of the patch is 8bdb6fcf7209584eaf1232437f0f53e735b2b34c. It is recommended to apply a patch to fix this issue. The identifier VDB-217609 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2015-10022
MISC
MISC
MISC trello-octometric — trello-octometric
  A vulnerability classified as critical has been found in Fumon trello-octometric. This affects the function main of the file metrics-ui/server/srv.go. The manipulation of the argument num leads to sql injection. The name of the patch is a1f1754933fbf21e2221fbc671c81a47de6a04ef. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217611. 2023-01-07 not yet calculated CVE-2015-10023
MISC
MISC
MISC larasync — larasync
  A vulnerability classified as critical was found in hoffie larasync. This vulnerability affects unknown code of the file repository/content/file_storage.go. The manipulation leads to path traversal. The name of the patch is 776bad422f4bd4930d09491711246bbeb1be9ba5. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217612. 2023-01-07 not yet calculated CVE-2015-10024
MISC
MISC
MISC miniconf — miniconf
  A vulnerability has been found in luelista miniConf up to 1.7.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file miniConf/MessageView.cs of the component URL Scanning. The manipulation leads to denial of service. Upgrading to version 1.7.7 and 1.8.0 is able to address this issue. The name of the patch is c06c2e5116c306e4e1bc79779f0eda2d1182f655. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217615. 2023-01-07 not yet calculated CVE-2015-10025
MISC
MISC
MISC flairbot — flairbot
  A vulnerability was found in tiredtyrant flairbot. It has been declared as critical. This vulnerability affects unknown code of the file flair.py. The manipulation leads to sql injection. The name of the patch is 5e112b68c6faad1d4699d02c1ebbb7daf48ef8fb. It is recommended to apply a patch to fix this issue. VDB-217618 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2015-10026
MISC
MISC
MISC ttrss-auth-ldap — ttrss-auth-ldap
  A vulnerability, which was classified as problematic, has been found in hydrian TTRSS-Auth-LDAP. Affected by this issue is some unknown functionality of the component Username Handler. The manipulation leads to ldap injection. Upgrading to version 2.0b1 is able to address this issue. The name of the patch is a7f7a5a82d9202a5c40d606a5c519ba61b224eb8. It is recommended to upgrade the affected component. VDB-217622 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2015-10027
MISC
MISC
MISC
MISC
MISC ss15-this-is-sparta — ss15-this-is-sparta
  A vulnerability has been found in ss15-this-is-sparta and classified as problematic. This vulnerability affects unknown code of the file js/roomElement.js of the component Main Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The name of the patch is ba2f71ad3a46e5949ee0c510b544fa4ea973baaa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217624. 2023-01-07 not yet calculated CVE-2015-10028
MISC
MISC
MISC
MISC simplexrd — simplexrd
  A vulnerability classified as problematic was found in kelvinmo simplexrd up to 3.1.0. This vulnerability affects unknown code of the file simplexrd/simplexrd.class.php. The manipulation leads to xml external entity reference. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 4c9f2e028523ed705b555eca2c18c64e71f1a35d. It is recommended to upgrade the affected component. VDB-217630 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2015-10029
MISC
MISC
MISC
MISC enigmax — enigmax
  A vulnerability, which was classified as problematic, has been found in enigmaX up to 2.2. This issue affects the function getSeed of the file main.c of the component Scrambling Table Handler. The manipulation leads to predictable seed in pseudo-random number generator (prng). The attack may be initiated remotely. Upgrading to version 2.3 is able to address this issue. The name of the patch is 922bf90ca14a681629ba0b807a997a81d70225b5. It is recommended to upgrade the affected component. The identifier VDB-217181 was assigned to this vulnerability. 2023-01-02 not yet calculated CVE-2016-15006
MISC
MISC
MISC
MISC centralized-salesforce-dev-framework — centralized-salesforce-dev-framework
  A vulnerability was found in Centralized-Salesforce-Dev-Framework. It has been declared as problematic. Affected by this vulnerability is the function SObjectService of the file src/classes/SObjectService.cls of the component SOQL Handler. The manipulation of the argument orderDirection leads to injection. The name of the patch is db03ac5b8a9d830095991b529c067a030a0ccf7b. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217195. 2023-01-02 not yet calculated CVE-2016-15007
MISC
MISC
MISC coebot-www — coebot-www
  A vulnerability was found in oxguy3 coebot-www and classified as problematic. This issue affects the function displayChannelCommands/displayChannelQuotes/displayChannelAutoreplies/showChannelHighlights/showChannelBoir of the file js/channel.js. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is c1a6c44092585da4236237e0e7da94ee2996a0ca. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217355. 2023-01-04 not yet calculated CVE-2016-15008
MISC
MISC
MISC openacs — bug-tracker
  A vulnerability classified as problematic has been found in OpenACS bug-tracker. Affected is an unknown function of the file lib/nav-bar.adp of the component Search. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is aee43e5714cd8b697355ec3bf83eefee176d3fc3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217440. 2023-01-05 not yet calculated CVE-2016-15009
MISC
MISC
MISC dssp-client — dssp-client
  A vulnerability classified as problematic was found in e-Contract dssp up to 1.3.1. Affected by this vulnerability is the function checkSignResponse of the file dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.2 is able to address this issue. The name of the patch is ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to upgrade the affected component. The identifier VDB-217549 was assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2016-15011
MISC
MISC
MISC
MISC forumhulp — searchresults
  A vulnerability was found in ForumHulp searchresults. It has been rated as critical. Affected by this issue is the function list_keywords of the file event/listener.php. The manipulation of the argument word leads to sql injection. The name of the patch is dd8a312bb285ad9735a8e1da58e9e955837b7322. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217628. 2023-01-07 not yet calculated CVE-2016-15013
MISC
MISC
MISC
MISC cesnet — theme-cesnet
  A vulnerability has been found in CESNET theme-cesnet up to 1.x and classified as problematic. Affected by this vulnerability is an unknown functionality of the file cesnet/core/lostpassword/templates/resetpassword.php. The manipulation leads to insufficiently protected credentials. Attacking locally is a requirement. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is 2b857f2233ce5083b4d5bc9bfc4152f933c3e4a6. It is recommended to upgrade the affected component. The identifier VDB-217633 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2016-15014
MISC
MISC
MISC
MISC
MISC keynote — keynote
  A vulnerability was found in rf Keynote up to 0.x. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/keynote/rumble.rb. The manipulation of the argument value leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 05be4356b0a6ca7de48da926a9b997beb5ffeb4a. It is recommended to upgrade the affected component. VDB-217142 is the identifier assigned to this vulnerability. 2022-12-31 not yet calculated CVE-2017-20159
MISC
MISC
MISC
MISC flitto — express-param
  A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file lib/fetchParams.js. The manipulation leads to improper handling of extra parameters. It is possible to initiate the attack remotely. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is db94f7391ad0a16dcfcba8b9be1af385b25c42db. It is recommended to upgrade the affected component. The identifier VDB-217149 was assigned to this vulnerability. 2022-12-31 not yet calculated CVE-2017-20160
MISC
MISC
MISC
MISC
MISC macgeiger — macgeiger
  A vulnerability classified as problematic has been found in rofl0r MacGeiger. Affected is the function dump_wlan_at of the file macgeiger.c of the component ESSID Handler. The manipulation leads to injection. Access to the local network is required for this attack to succeed. The name of the patch is 57f1dd50a4821b8c8e676e8020006ae4bfd3c9cb. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217188. 2023-01-02 not yet calculated CVE-2017-20161
MISC
MISC
MISC vercel — ms
  A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451. 2023-01-05 not yet calculated CVE-2017-20162
MISC
MISC
MISC
MISC
MISC red-snapper — nview
  A vulnerability has been found in Red Snapper NView and classified as critical. This vulnerability affects the function mutate of the file src/Session.php. The manipulation of the argument session leads to sql injection. The name of the patch is cbd255f55d476b29e5680f66f48c73ddb3d416a8. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217516. 2023-01-05 not yet calculated CVE-2017-20163
MISC
MISC
MISC symbiote — seed
  A vulnerability was found in Symbiote Seed up to 6.0.2. It has been classified as critical. Affected is the function onBeforeSecurityLogin of the file code/extensions/SecurityLoginExtension.php of the component Login. The manipulation of the argument URL leads to open redirect. It is possible to launch the attack remotely. Upgrading to version 6.0.3 is able to address this issue. The name of the patch is b065ebd82da53009d273aa7e989191f701485244. It is recommended to upgrade the affected component. VDB-217626 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2017-20164
MISC
MISC
MISC
MISC rgb2hex — rgb2hex
  A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 is able to address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151. 2022-12-31 not yet calculated CVE-2018-25061
MISC
MISC
MISC
MISC elementalx — elementalx
  A vulnerability classified as problematic has been found in flar2 ElementalX up to 6.x. Affected is the function xfrm_dump_policy_done of the file net/xfrm/xfrm_user.c of the component ipsec. The manipulation leads to denial of service. Upgrading to version 7.00 is able to address this issue. The name of the patch is 1df72c9f0f61304437f4f1037df03b5fb36d5a79. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217152. 2023-01-01 not yet calculated CVE-2018-25062
MISC
MISC
MISC zenoss — dashboard
  A vulnerability classified as problematic was found in Zenoss Dashboard up to 1.3.4. Affected by this vulnerability is an unknown functionality of the file ZenPacks/zenoss/Dashboard/browser/resources/js/defaultportlets.js. The manipulation of the argument HTMLString leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.3.5 is able to address this issue. The name of the patch is f462285a0a2d7e1a9255b0820240b94a43b00a44. It is recommended to upgrade the affected component. The identifier VDB-217153 was assigned to this vulnerability. 2023-01-01 not yet calculated CVE-2018-25063
MISC
MISC
MISC
MISC
MISC osm-lab — show-me-the-way
  A vulnerability was found in OSM Lab show-me-the-way. It has been rated as problematic. This issue affects some unknown processing of the file js/site.js. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 4bed3b34dcc01fe6661f39c0e5d2285b340f7cac. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217439. 2023-01-05 not yet calculated CVE-2018-25064
MISC
MISC
MISC
MISC wikimedia — mediawiki-extensions-i18ntags
  A vulnerability was found in Wikimedia mediawiki-extensions-I18nTags and classified as problematic. This issue affects some unknown processing of the file I18nTags_body.php of the component Unlike Parser. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is b4bc3cbbb099eab50cf2b544cf577116f1867b94. It is recommended to apply a patch to fix this issue. The identifier VDB-217445 was assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2018-25065
MISC
MISC
MISC nodebatis — nodebatis
  A vulnerability was found in PeterMu nodebatis up to 2.1.x. It has been classified as critical. Affected is an unknown function. The manipulation leads to sql injection. Upgrading to version 2.2.0 is able to address this issue. The name of the patch is 6629ff5b7e3d62ad8319007a54589ec1f62c7c35. It is recommended to upgrade the affected component. VDB-217554 is the identifier assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2018-25066
MISC
MISC
MISC
MISC joomgallery — joomgallery
  A vulnerability, which was classified as critical, was found in JoomGallery up to 3.3.3. This affects an unknown part of the file administrator/components/com_joomgallery/views/config/tmpl/default.php of the component Image Sort Handler. The manipulation leads to sql injection. Upgrading to version 3.3.4 is able to address this issue. The name of the patch is dc414ee954e849082260f8613e15a1c1e1d354a1. It is recommended to upgrade the affected component. The identifier VDB-217569 was assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2018-25067
MISC
MISC
MISC
MISC
MISC globalom — globalpom
  A vulnerability has been found in devent globalpom-utils up to 4.5.0 and classified as critical. This vulnerability affects the function createTmpDir of the file globalpomutils-fileresources/src/main/java/com/anrisoftware/globalpom/fileresourcemanager/FileResourceManagerProvider.java. The manipulation leads to insecure temporary file. The attack can be initiated remotely. Upgrading to version 4.5.1 is able to address this issue. The name of the patch is 77a820bac2f68e662ce261ecb050c643bd7ee560. It is recommended to upgrade the affected component. VDB-217570 is the identifier assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2018-25068
MISC
MISC
MISC
MISC netis — netcore_router
  A vulnerability classified as critical has been found in Netis Netcore Router. This affects an unknown part. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The identifier VDB-217593 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2018-25069
MISC
MISC
MISC phosphorus_five — phosphorus_five
  A vulnerability has been found in polterguy Phosphorus Five up to 8.2 and classified as critical. This vulnerability affects the function csv.Read of the file plugins/extras/p5.mysql/NonQuery.cs of the component CSV Import. The manipulation leads to sql injection. Upgrading to version 8.3 is able to address this issue. The name of the patch is c179a3d0703db55cfe0cb939b89593f2e7a87246. It is recommended to upgrade the affected component. VDB-217606 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2018-25070
MISC
MISC
MISC
MISC lmeve — lmeve
  A vulnerability was found in roxlukas LMeve up to 0.1.58. It has been rated as critical. Affected by this issue is the function insert_log of the file wwwroot/ccpwgl/proxy.php. The manipulation of the argument fetch leads to sql injection. Upgrading to version 0.1.59-beta is able to address this issue. The name of the patch is c25ff7fe83a2cda1fcb365b182365adc3ffae332. It is recommended to upgrade the affected component. VDB-217610 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2018-25071
MISC
MISC
MISC
MISC google — chrome
  Use after free in FileAPI in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chrome security severity: High) 2023-01-02 not yet calculated CVE-2019-13768
MISC
MISC dragonexpert — dragonexpert
  A vulnerability, which was classified as problematic, was found in dragonexpert Recent Threads on Index. Affected is the function recentthread_list_threads of the file inc/plugins/recentthreads/hooks.php of the component Setting Handler. The manipulation of the argument recentthread_forumskip leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 051465d807a8fcc6a8b0f4bcbb19299672399f48. It is recommended to apply a patch to fix this issue. VDB-217182 is the identifier assigned to this vulnerability. 2023-01-02 not yet calculated CVE-2019-25093
MISC
MISC
MISC innologi — innologi
  A vulnerability, which was classified as problematic, was found in innologi appointments Extension up to 2.0.5. This affects an unknown part of the component Appointment Handler. The manipulation of the argument formfield leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.6 is able to address this issue. The name of the patch is 986d3cb34e5e086c6f04e061f600ffc5837abe7f. It is recommended to upgrade the affected component. The identifier VDB-217353 was assigned to this vulnerability. 2023-01-04 not yet calculated CVE-2019-25094
MISC
MISC
MISC
MISC kakwa — ldapcherry
  A vulnerability, which was classified as problematic, was found in kakwa LdapCherry up to 0.x. Affected is an unknown function of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 6f98076281e9452fdb1adcd1bcbb70a6f968ade9. It is recommended to upgrade the affected component. VDB-217434 is the identifier assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2019-25095
MISC
MISC
MISC
MISC
MISC soerennb — extplorer
  A vulnerability has been found in soerennb eXtplorer up to 2.1.12 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.1.13 is able to address this issue. The name of the patch is b8fcb888f4ff5e171c16797a4b075c6c6f50bf46. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217435. 2023-01-05 not yet calculated CVE-2019-25096
MISC
MISC
MISC
MISC soerennb — extplorer
  A vulnerability was found in soerennb eXtplorer up to 2.1.12 and classified as critical. Affected by this issue is some unknown functionality of the component Directory Content Handler. The manipulation leads to path traversal. Upgrading to version 2.1.13 is able to address this issue. The name of the patch is b8fcb888f4ff5e171c16797a4b075c6c6f50bf46. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217436. 2023-01-05 not yet calculated CVE-2019-25097
MISC
MISC
MISC
MISC soerennb — extplorer
  A vulnerability was found in soerennb eXtplorer up to 2.1.12. It has been classified as critical. This affects an unknown part of the file include/archive.php of the component Archive Handler. The manipulation leads to path traversal. Upgrading to version 2.1.13 is able to address this issue. The name of the patch is b8fcb888f4ff5e171c16797a4b075c6c6f50bf46. It is recommended to upgrade the affected component. The identifier VDB-217437 was assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2019-25098
MISC
MISC
MISC
MISC arthmoor — qsf-portal
  A vulnerability classified as critical was found in Arthmoor QSF-Portal. This vulnerability affects unknown code of the file index.php. The manipulation of the argument a leads to path traversal. The name of the patch is ea4f61e23ecb83247d174bc2e2cbab521c751a7d. It is recommended to apply a patch to fix this issue. VDB-217558 is the identifier assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2019-25099
MISC
MISC
MISC alliedmodders — amx_mod_x
  A vulnerability has been found in AlliedModders AMX Mod X and classified as critical. This vulnerability affects the function cmdVoteMap of the file plugins/adminvote.sma of the component Console Command Handler. The manipulation of the argument amx_votemap leads to path traversal. The name of the patch is a5f2b5539f6d61050b68df8b22ebb343a2862681. It is recommended to apply a patch to fix this issue. VDB-217354 is the identifier assigned to this vulnerability. 2023-01-04 not yet calculated CVE-2020-36639
MISC
MISC
MISC
MISC bonitasoft — bonita-connector-webservice
  A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException of the file src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java. The manipulation leads to xml external entity reference. Upgrading to version 1.3.1 is able to address this issue. The name of the patch is a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217443. 2023-01-05 not yet calculated CVE-2020-36640
MISC
MISC
MISC
MISC
MISC gturri — axlmrpc
  A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml external entity reference. Upgrading to version 1.12.1 is able to address this issue. The name of the patch is ad6615b3ec41353e614f6ea5fdd5b046442a832b. It is recommended to upgrade the affected component. VDB-217450 is the identifier assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2020-36641
MISC
MISC
MISC
MISC trampgeek — jobe
  A vulnerability was found in trampgeek jobe up to 1.6.x and classified as critical. This issue affects the function run_in_sandbox of the file application/libraries/LanguageTask.php. The manipulation leads to command injection. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 8f43daf50c943b98eaf0c542da901a4a16e85b02. It is recommended to upgrade the affected component. The identifier VDB-217553 was assigned to this vulnerability. 2023-01-06 not yet calculated CVE-2020-36642
MISC
MISC
MISC
MISC
MISC intgr — uqm-wasm
  A vulnerability was found in intgr uqm-wasm. It has been classified as critical. This affects the function log_displayBox in the library sc2/src/libs/log/msgbox_macosx.m. The manipulation leads to format string. The name of the patch is 1d5cbf3350a02c423ad6bef6dfd5300d38aa828f. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217563. 2023-01-06 not yet calculated CVE-2020-36643
MISC
MISC
MISC inline_svg — inline_svg
  A vulnerability has been found in jamesmartin Inline SVG up to 1.7.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file lib/inline_svg/action_view/helpers.rb of the component URL Parameter Handler. The manipulation of the argument filename leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.7.2 is able to address this issue. The name of the patch is f5363b351508486021f99e083c92068cf2943621. It is recommended to upgrade the affected component. The identifier VDB-217597 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2020-36644
MISC
MISC
MISC
MISC
MISC square — squalor
  A vulnerability, which was classified as critical, was found in square squalor. This affects an unknown part. The manipulation leads to sql injection. Upgrading to version v0.0.0 is able to address this issue. The name of the patch is f6f0a47cc344711042eb0970cb423e6950ba3f93. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217623. 2023-01-07 not yet calculated CVE-2020-36645
MISC
MISC
MISC
MISC
MISC mediaarea — zenlib
  A vulnerability classified as problematic has been found in MediaArea ZenLib up to 0.4.38. This affects the function Ztring::Date_From_Seconds_1970_Local of the file Source/ZenLib/Ztring.cpp. The manipulation of the argument Value leads to unchecked return value to null pointer dereference. Upgrading to version 0.4.39 is able to address this issue. The name of the patch is 6475fcccd37c9cf17e0cfe263b5fe0e2e47a8408. It is recommended to upgrade the affected component. The identifier VDB-217629 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2020-36646
MISC
MISC
MISC
MISC
MISC google — chrome
  Out of bounds read in WebUI Settings in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chrome security severity: Low) 2023-01-02 not yet calculated CVE-2021-21200
MISC
MISC google — chrome
  Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chrome security severity: Medium) 2023-01-02 not yet calculated CVE-2021-30558
MISC
MISC mootools — mootools
  MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite common with e.g. jQuery CSS selectors. No patches are available for this issue. 2023-01-03 not yet calculated CVE-2021-32821
CONFIRM apache — dubbo
  Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue. 2023-01-03 not yet calculated CVE-2021-32824
CONFIRM nuxeo — nuxeo
  The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API. 2023-01-05 not yet calculated CVE-2021-32828
MISC
CONFIRM ibm — sterling_b2b_integrator
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains. IBM X-Force ID: 210323. 2023-01-04 not yet calculated CVE-2021-38928
MISC
MISC hitachi_energy — foxman-un
  DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:* 2023-01-05 not yet calculated CVE-2021-40341
MISC
MISC hitachi_energy — foxman-un
  In the DES implementation, the affected product versions use a default key for encryption. Successful exploitation allows an attacker to obtain sensitive information and gain access to the network elements that are managed by the affected products versions. This issue affects * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:* 2023-01-05 not yet calculated CVE-2021-40342
MISC
MISC progress — kemp_loadmaster
  The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism. 2023-01-01 not yet calculated CVE-2021-41823
MISC trampgeek — jobe
  A vulnerability has been found in trampgeek jobe up to 1.6.4 and classified as problematic. This vulnerability affects the function runs_post of the file application/controllers/Restapi.php. The manipulation of the argument sourcefilename leads to an unknown weakness. Upgrading to version 1.6.5 is able to address this issue. The name of the patch is 694da5013dbecc8d30dd83e2a83e78faadf93771. It is recommended to upgrade the affected component. VDB-217174 is the identifier assigned to this vulnerability. 2023-01-01 not yet calculated CVE-2021-4297
MISC
MISC
MISC
MISC sipity — sipity
  A vulnerability classified as critical has been found in Hesburgh Libraries of Notre Dame Sipity. This affects the function SearchCriteriaForWorksParameter of the file app/parameters/sipity/parameters/search_criteria_for_works_parameter.rb. The manipulation leads to sql injection. Upgrading to version 2021.8 is able to address this issue. The name of the patch is d1704c7363b899ffce65be03a796a0ee5fdbfbdc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217179. 2023-01-02 not yet calculated CVE-2021-4298
MISC
MISC
MISC
MISC string-kite — string-kit
  A vulnerability classified as problematic was found in cronvel string-kit up to 0.12.7. This vulnerability affects the function naturalSort of the file lib/naturalSort.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 0.12.8 is able to address this issue. The name of the patch is 9cac4c298ee92c1695b0695951f1488884a7ca73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217180. 2023-01-02 not yet calculated CVE-2021-4299
MISC
MISC
MISC
MISC halycon — halycon
  A vulnerability has been found in ghostlander Halcyon and classified as critical. Affected by this vulnerability is the function CBlock::AddToBlockIndex of the file src/main.cpp of the component Block Verification. The manipulation leads to improper access controls. The attack can be launched remotely. Upgrading to version 1.1.1.0-hal is able to address this issue. The name of the patch is 0675b25ae9cc10b5fdc8ea3a32c642979762d45e. It is recommended to upgrade the affected component. The identifier VDB-217417 was assigned to this vulnerability. 2023-01-04 not yet calculated CVE-2021-4300
MISC
MISC
MISC
MISC phpwcms — phpwcms
  A vulnerability was found in slackero phpwcms up to 1.9.26 and classified as critical. Affected by this issue is some unknown functionality. The manipulation of the argument $phpwcms[‘db_prepend’] leads to sql injection. The attack may be launched remotely. Upgrading to version 1.9.27 is able to address this issue. The name of the patch is 77dafb6a8cc1015f0777daeb5792f43beef77a9d. It is recommended to upgrade the affected component. VDB-217418 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2021-4301
MISC
MISC
MISC
MISC phpwcms — phpwcms
  A vulnerability was found in slackero phpwcms up to 1.9.26. It has been classified as problematic. This affects an unknown part of the component SVG File Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.9.27 is able to address this issue. The name of the patch is b39db9c7ad3800f319195ff0e26a0981395b1c54. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217419. 2023-01-04 not yet calculated CVE-2021-4302
MISC
MISC
MISC
MISC xataface — xataface A vulnerability, which was classified as problematic, has been found in shannah Xataface up to 2.x. Affected by this issue is the function testftp of the file install/install_form.js.php of the component Installer. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is 94143a4299e386f33bf582139cd4702571d93bde. It is recommended to upgrade the affected component. VDB-217442 is the identifier assigned to this vulnerability. NOTE: Installer is disabled by default. 2023-01-05 not yet calculated CVE-2021-4303
MISC
MISC
MISC
MISC ulcc-core — ulcc-core
  A vulnerability was found in eprintsug ulcc-core. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file cgi/toolbox/toolbox. The manipulation of the argument password leads to command injection. The attack can be launched remotely. The name of the patch is 811edaae81eb044891594f00062a828f51b22cb1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217447. 2023-01-05 not yet calculated CVE-2021-4304
MISC
MISC
MISC woorank — robots-txt-guard
  A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The name of the patch is c03827cd2f9933619c23894ce7c98401ea824020. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217448. 2023-01-05 not yet calculated CVE-2021-4305
MISC
MISC
MISC
MISC terminal-kit — terminal-kit
  A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 is able to address this issue. The name of the patch is a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620. 2023-01-07 not yet calculated CVE-2021-4306
MISC
MISC
MISC
MISC baobab — baobab
  A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes (‘prototype pollution’). The attack can be launched remotely. Upgrading to version 2.6.1 is able to address this issue. The name of the patch is c56639532a923d9a1600fb863ec7551b188b5d19. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217627. 2023-01-07 not yet calculated CVE-2021-4307
MISC
MISC
MISC
MISC
MISC huawei — emui
  The HW_KEYMASTER module has a problem in releasing memory.Successful exploitation of this vulnerability may result in out-of-bounds memory access. 2023-01-06 not yet calculated CVE-2021-46867
MISC
MISC huawei — emui
  The HW_KEYMASTER module has a problem in releasing memory.Successful exploitation of this vulnerability may result in out-of-bounds memory access. 2023-01-06 not yet calculated CVE-2021-46868
MISC
MISC google — chrome
  Inappropriate implementation in File System API in Google Chrome on Windows prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. (Chrome security severity: High) 2023-01-02 not yet calculated CVE-2022-0337
MISC
MISC google — chrome
  Inappropriate implementation in HTML parser in Google Chrome prior to 99.0.4844.51 allowed a remote attacker to bypass XSS preventions via a crafted HTML page. (Chrome security severity: Medium) 2023-01-02 not yet calculated CVE-2022-0801
MISC
MISC sourcecodester — royale_event_management_system
  A vulnerability was found in SourceCodester Royale Event Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /royal_event/userregister.php. The manipulation leads to improper authentication. The attack may be initiated remotely. The identifier VDB-195785 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2022-1101
MISC
MISC sourcecodester — royale_event_management_system
  A vulnerability classified as problematic has been found in SourceCodester Royale Event Management System 1.0. Affected is an unknown function of the file /royal_event/companyprofile.php. The manipulation of the argument companyname/regno/companyaddress/companyemail leads to cross site scripting. It is possible to launch the attack remotely. VDB-195786 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2022-1102
MISC
MISC
MISC Ibm — sterling_b2b_integrator
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could disclose sensitive information to an authenticated user. IBM X-Force ID: 219507. 2023-01-04 not yet calculated CVE-2022-22337
MISC
MISC Ibm — sterling_b2b_integrator
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 219510. 2023-01-04 not yet calculated CVE-2022-22338
MISC
MISC Ibm — sterling_b2b_integrator
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 220398. 2023-01-04 not yet calculated CVE-2022-22352
MISC
MISC Ibm — sterling_b2b_integrator
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195. 2023-01-05 not yet calculated CVE-2022-22371
MISC
MISC spinnaker — rosco Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker’s Rosco microservice produces machine images. Rosco prior to versions 1.29.2, 1.28.4, and 1.27.3 does not property mask secrets generated via packer builds. This can lead to exposure of sensitive AWS credentials in packer log files. Versions 1.29.2, 1.28.4, and 1.27.3 of Rosco contain fixes for this issue. A workaround is available. It’s recommended to use short lived credentials via role assumption and IAM profiles. Additionally, credentials can be set in `/home/spinnaker/.aws/credentials` and `/home/spinnaker/.aws/config` as a volume mount for Rosco pods vs. setting credentials in roscos bake config properties. Last even with those it’s recommend to use IAM Roles vs. long lived credentials. This drastically mitigates the risk of credentials exposure. If users have used static credentials, it’s recommended to purge any bake logs for AWS, evaluate whether AWS_ACCESS_KEY, SECRET_KEY and/or other sensitive data has been introduced in log files and bake job logs. Then, rotate these credentials and evaluate potential improper use of those credentials. 2023-01-03 not yet calculated CVE-2022-23506
MISC
MISC spinnaker — rosco
  In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded urls can leak an admin’s digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue. 2023-01-05 not yet calculated CVE-2022-23546
MISC
MISC discourse — discourse
  Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to XSS attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds. 2023-01-05 not yet calculated CVE-2022-23548
MISC
MISC discourse — discourse
  Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds. 2023-01-05 not yet calculated CVE-2022-23549
MISC
MISC nokia — asik_airscale A vulnerability exists in Nokia’s ASIK AirScale system module (versions 474021A.101 and 474021A.102) that could allow an attacker to place a script on the file system accessible from Linux. A script placed in the appropriate place could allow for arbitrary code execution in the bootloader. 2023-01-06 not yet calculated CVE-2022-2482
MISC nokia — asik_airscale
  The bootloader in the Nokia ASIK AirScale system module (versions 474021A.101 and 474021A.102) loads public keys for firmware verification signature. If an attacker modifies the flash contents to corrupt the keys, secure boot could be permanently disabled on a given device. 2023-01-06 not yet calculated CVE-2022-2483
MISC nokia — asik_airscale
  The signature check in the Nokia ASIK AirScale system module version 474021A.101 can be bypassed allowing an attacker to run modified firmware. This could result in the execution of a malicious kernel, arbitrary programs, or modified Nokia programs. 2023-01-06 not yet calculated CVE-2022-2484
MISC c-local-bin — exec-local-bin
  Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization. 2023-01-06 not yet calculated CVE-2022-25923
MISC
MISC
MISC snyk — window-control
  Versions of the package window-control before 1.4.5 are vulnerable to Command Injection via the sendKeys function, due to improper input sanitization. 2023-01-04 not yet calculated CVE-2022-25926
MISC
MISC
MISC -sourcecodester — loan_management_system
  A vulnerability has been found in SourceCodester Loan Management System and classified as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-205618 is the identifier assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2022-2666
MISC
MISC
MISC google — chrome
  Use after free in Exosphere in Google Chrome on Chrome OS and Lacros prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interactions. (Chrome security severity: High) 2023-01-02 not yet calculated CVE-2022-2742
MISC
MISC google — chrome
  Integer overflow in Window Manager in Google Chrome on Chrome OS and Lacros prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific UI interactions to perform an out of bounds memory write via crafted UI interactions. (Chrome security severity: High) 2023-01-02 not yet calculated CVE-2022-2743
MISC
MISC prosys_opc — ua_simulation_server
  Prosys OPC UA Simulation Server version prior to v5.3.0-64 and UA Modbus Server versions 1.4.18-5 and prior do not sufficiently protect credentials, which could allow an attacker to obtain user credentials and gain access to system data. 2023-01-03 not yet calculated CVE-2022-2967
MISC
MISC wordpress — wordpress
  The Build App Online WordPress plugin before 1.0.19 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection 2023-01-02 not yet calculated CVE-2022-3241
MISC mediatek — multiple_products
  In mdp, there is a possible out of bounds write due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07342114; Issue ID: ALPS07342114. 2023-01-03 not yet calculated CVE-2022-32623
MISC mediatek — multiple_products
  In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07573237; Issue ID: ALPS07573237. 2023-01-03 not yet calculated CVE-2022-32635
MISC mediatek — multiple_products
  In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07510064; Issue ID: ALPS07510064. 2023-01-03 not yet calculated CVE-2022-32636
MISC mediatek — multiple_products
  In hevc decoder, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07491374; Issue ID: ALPS07491374. 2023-01-03 not yet calculated CVE-2022-32637
MISC mediatek — multiple_products
  In isp, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07494449; Issue ID: ALPS07494449. 2023-01-03 not yet calculated CVE-2022-32638
MISC mediatek — multiple_products
  In watchdog, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07494487; Issue ID: ALPS07494487. 2023-01-03 not yet calculated CVE-2022-32639
MISC mediatek — multiple_products
  In meta wifi, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07441652; Issue ID: ALPS07441652. 2023-01-03 not yet calculated CVE-2022-32640
MISC mediatek — multiple_products
  In meta wifi, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07453594; Issue ID: ALPS07453594. 2023-01-03 not yet calculated CVE-2022-32641
MISC mediatek — multiple_products
  In vow, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07494473; Issue ID: ALPS07494473. 2023-01-03 not yet calculated CVE-2022-32644
MISC mediatek — multiple_products
  In vow, there is a possible information disclosure due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07494477; Issue ID: ALPS07494477. 2023-01-03 not yet calculated CVE-2022-32645
MISC mediatek — multiple_products
  In gpu drm, there is a possible stack overflow due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07363501; Issue ID: ALPS07363501. 2023-01-03 not yet calculated CVE-2022-32646
MISC mediatek — multiple_products
  In ccu, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07554646; Issue ID: ALPS07554646. 2023-01-03 not yet calculated CVE-2022-32647
MISC mediatek — multiple_products
  In disp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06535964; Issue ID: ALPS06535964. 2023-01-03 not yet calculated CVE-2022-32648
MISC mediatek — multiple_products
  In jpeg, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07225840; Issue ID: ALPS07225840. 2023-01-03 not yet calculated CVE-2022-32649
MISC mediatek — multiple_products
  In mtk-isp, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07225853; Issue ID: ALPS07225853. 2023-01-03 not yet calculated CVE-2022-32650
MISC mediatek — multiple_products
  In mtk-aie, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07225857; Issue ID: ALPS07225857. 2023-01-03 not yet calculated CVE-2022-32651
MISC mediatek — multiple_products
  In mtk-aie, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07262617; Issue ID: ALPS07262617. 2023-01-03 not yet calculated CVE-2022-32652
MISC mediatek — multiple_products
  In mtk-aie, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07262518; Issue ID: ALPS07262518. 2023-01-03 not yet calculated CVE-2022-32653
MISC mediatek — multiple_products
  In Wi-Fi driver, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: GN20220705042; Issue ID: GN20220705042. 2023-01-03 not yet calculated CVE-2022-32657
MISC mediatek — multiple_products
  In Wi-Fi driver, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: GN20220705059; Issue ID: GN20220705059. 2023-01-03 not yet calculated CVE-2022-32658
MISC mediatek — multiple_products
  In Wi-Fi driver, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: GN20220705066; Issue ID: GN20220705066. 2023-01-03 not yet calculated CVE-2022-32659
MISC mediatek — multiple_products
  In Config Manager, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Patch ID: A20220004; Issue ID: OSBNB00140929. 2023-01-03 not yet calculated CVE-2022-32664
MISC mediatek — multiple_products
  In Boa, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20220026; Issue ID: OSBNB00144124. 2023-01-03 not yet calculated CVE-2022-32665
MISC sage — enterprise_intelligence
  Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users’ browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification menu and the Notifications feature. A user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS, and can lead to privilege escalation in the context of the application. (Another issue is present in the Favorites tab. The name of a favorite or a folder of favorites is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a self-XSS.) 2023-01-01 not yet calculated CVE-2022-34322
MISC sage — xrt_business_exchange
  Multiple XSS issues were discovered in Sage XRT Business Exchange 12.4.302 that allow an attacker to execute JavaScript code in the context of other users’ browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Filters and Display model features (OnlineBanking > Web Monitoring > Settings > Filters / Display models). The name of a filter or a display model is interpreted as HTML and can thus embed JavaScript code, which is executed when displayed. This is a stored XSS. Another issue is present in the Notification feature (OnlineBanking > Configuration > Notifications and alerts > Alerts *). The name of an alert is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a stored XSS. (Also, an issue is present in the File download feature, accessible via /OnlineBanking/cgi/isapi.dll/DOWNLOADFRS. When requesting to show the list of downloadable files, the contents of three form fields are embedded in the JavaScript code without prior sanitization. This is essentially a self-XSS.) 2023-01-01 not yet calculated CVE-2022-34323
MISC sage — xrt_business_exchange
  Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History. 2023-01-01 not yet calculated CVE-2022-34324
MISC ibm — sterling_b2b_integrator
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229469. 2023-01-05 not yet calculated CVE-2022-34330
MISC
MISC octopus_deploy — octopus_server
  In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. 2023-01-03 not yet calculated CVE-2022-3460
MISC fortinet — fortitester
  Multiple improper neutralization of special elements used in an OS Command (‘OS Command Injection’) vulnerabilities [CWE-78] in FortiTester 7.1.0, 7.0 all versions, 4.0.0 through 4.2.0, 2.3.0 through 3.9.1 may allow an authenticated attacker to execute arbitrary commands in the underlying shell. 2023-01-03 not yet calculated CVE-2022-35845
MISC octopus_deploy — octopus_server
  In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. 2023-01-03 not yet calculated CVE-2022-3614
MISC ssziparchive — ssziparchive
  SSZipArchive versions 2.5.3 and older contain an arbitrary file write vulnerability due to lack of sanitization on paths which are symlinks. SSZipArchive will overwrite files on the filesystem when opening a malicious ZIP containing a symlink as the first item. 2023-01-03 not yet calculated CVE-2022-36943
CONFIRM valid_parameter_transform — valid_parameter_transform
  A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems. 2023-01-05 not yet calculated CVE-2022-3715
MISC wecube — wecube
  An issue was discovered in WeCube Platform 3.2.2. Cleartext passwords are displayed in the configuration for terminal plugins. 2023-01-01 not yet calculated CVE-2022-37785
MISC
MISC wecube — wecube
  An issue was discovered in WeCube Platform 3.2.2. There are multiple CSV injection issues: the [Home / Admin / Resources] page, the [Home / Admin / System Params] page, and the [Home / Design / Basekey Configuration] page. 2023-01-01 not yet calculated CVE-2022-37786
MISC
MISC wecube — wecube
  An issue was discovered in WeCube platform 3.2.2. A DOM XSS vulnerability has been found on the plugin database execution page. 2023-01-01 not yet calculated CVE-2022-37787
MISC
MISC hewlett_packard_enterprise — superdome_dlex_server
  A potential security vulnerability has been identified in HPE Superdome Flex and Superdome Flex 280 servers. The vulnerability could be exploited to allow local unauthorized data injection. HPE has made the following software updates to resolve the vulnerability in HPE Superdome Flex firmware 3.60.50 and below and Superdome Flex 280 servers firmware 1.40.60 and below. 2023-01-05 not yet calculated CVE-2022-37933
MISC hewlett_packard_enterprise — officeconnect
  A potential security vulnerability has been identified in HPE OfficeConnect 1820, and 1850 switch series. The vulnerability could be remotely exploited to allow remote directory traversal in HPE OfficeConnect 1820 switch series version PT.02.17 and below, HPE OfficeConnect 1850 switch series version PC.01.23 and below, and HPE OfficeConnect 1850 (10G aggregator) switch version PO.01.22 and below. 2023-01-05 not yet calculated CVE-2022-37934
MISC google — chrome
  Use after free in Passwords in Google Chrome prior to 105.0.5195.125 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 2023-01-02 not yet calculated CVE-2022-3842
MISC
MISC wordpress — wordpress
  The Visual Email Designer for WooCommerce WordPress plugin before 1.7.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author. 2023-01-02 not yet calculated CVE-2022-3860
MISC nortek — linear_emerge_e3
  Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a SQL injection vulnerability via the idt parameter. 2023-01-03 not yet calculated CVE-2022-38627
MISC
MISC google — chrome
  Use after free in Browser History in Google Chrome prior to 100.0.4896.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High) 2023-01-02 not yet calculated CVE-2022-3863
MISC
MISC unisoc — unisoc In contacts service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-38678
MISC unisoc — unisoc In contacts service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-38682
MISC unisoc — unisoc In contacts service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-38683
MISC unisoc — unisoc In contacts service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-38684
MISC gravitee — gravitee Gravitee API Management before 3.15.13 allows path traversal through HTML injection. 2023-01-03 not yet calculated CVE-2022-38723
MISC
MISC renault — renault_zoe
  The remote keyless system on Renault ZOE 2021 vehicles sends 433.92 MHz RF signals from the same Rolling Codes set for each door-open request, which allows for a replay attack. 2023-01-03 not yet calculated CVE-2022-38766
MISC zte — multiple_products
  There is a SQL injection vulnerability in Some ZTE Mobile Internet products. Due to insufficient validation of the input parameters of the SNTP interface, an authenticated attacker could use the vulnerability to execute stored XSS attacks. 2023-01-06 not yet calculated CVE-2022-39072
MISC zte — mf286r
  There is a command injection vulnerability in ZTE MF286R, Due to insufficient validation of the input parameters, an attacker could use the vulnerability to execute arbitrary commands. 2023-01-06 not yet calculated CVE-2022-39073
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39081
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39082
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39083
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39084
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39085
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39086
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39087
MISC unisoc — unisoc
  In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39088
MISC unisoc — unisoc
  In contacts service, there is a missing permission check. This could lead to local denial of service in Contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-39104
MISC wordpress — wordpress
  The iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc 2023-01-02 not yet calculated CVE-2022-3911
MISC unisoc — unisoc In sprd_sysdump driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service in kernel. 2023-01-04 not yet calculated CVE-2022-39116
MISC unisoc — unisoc In sprd_sysdump driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service in kernel. 2023-01-04 not yet calculated CVE-2022-39118
MISC hitachi — multiple_products
  The affected products store both public and private key that are used to sign and protect Custom Parameter Set (CPS) file from modification. An attacker that manages to exploit this vulnerability will be able to change the CPS file, sign it so that it is trusted as the legitimate CPS file. This issue affects * FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:* 2023-01-05 not yet calculated CVE-2022-3927
MISC
MISC hitachi — multiple_products
  Hardcoded credential is found in affected products’ message queue. An attacker that manages to exploit this vulnerability will be able to access data to the internal message queue. This issue affects * FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:* 2023-01-05 not yet calculated CVE-2022-3928
MISC
MISC hitachi — multiple_products
  Communication between the client and the server application of the affected products is partially done using CORBA (Common Object Request Broker Architecture) over TCP/IP. This protocol is not encrypted and allows tracing of internal messages. This issue affects * FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; * UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C. List of CPEs: * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:* 2023-01-05 not yet calculated CVE-2022-3929
MISC
MISC wordpress — wordpress
  The Team Members WordPress plugin before 5.2.1 does not sanitize and escapes some of its settings, which could allow high-privilege users such as editors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). 2023-01-02 not yet calculated CVE-2022-3936
MISC wordpress — wordpress
  The Authenticator WordPress plugin before 1.3.1 does not prevent subscribers from updating a site’s feed access token, which may deny other users access to the functionality in certain configurations. 2023-01-02 not yet calculated CVE-2022-3994
MISC fortinet — fortiadc
  A improper neutralization of special elements used in an os command (‘os command injection’) in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version version 6.1.0 through 6.1.6, FortiADC version 6.0.0 through 6.0.4, FortiADC version 5.4.0 through 5.4.5 may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests. 2023-01-03 not yet calculated CVE-2022-39947
MISC sourcecodester — theme_park_ticketing_system
  SQL injection vulnerability in sourcecodester Theme Park Ticketing System 1.0 allows remote attackers to view sensitive information via the id parameter to the /tpts/manage_user.php page. 2023-01-06 not yet calculated CVE-2022-40049
MISC bentley_systems — microstation_connect Bentley Systems MicroStation Connect versions 10.17.0.209 and prior are vulnerable to a Stack-Based Buffer Overflow when a malformed design (DGN) file is parsed. This may allow an attacker to execute arbitrary code. 2023-01-06 not yet calculated CVE-2022-40201
MISC google — chrome Inappropriate implementation in Paint in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to leak cross-origin data outside an iframe via a crafted HTML page. (Chrome security severity: Low) 2023-01-02 not yet calculated CVE-2022-4025
MISC
MISC wordpress — wordpress
  The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. 2023-01-02 not yet calculated CVE-2022-4049
MISC wordpress — wordpress
  The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin’s exported settings and logs. 2023-01-02 not yet calculated CVE-2022-4057
MISC wordpress — wordpress
  The Cryptocurrency Widgets Pack WordPress plugin through 1.8.1 does not sanitisewordpress — wordpress and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. 2023-01-02 not yet calculated CVE-2022-4059
MISC keyfactor — primekey ejbca
  PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section. A user with the RA Administrator role can inject an XSS payload to target higher-privilege users. 2023-01-01 not yet calculated CVE-2022-40711
MISC wordpress — wordpress
  The Joy Of Text Lite WordPress plugin before 2.3.1 does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection 2023-01-02 not yet calculated CVE-2022-4099
MISC wordpress — wordpress
  The Wholesale Market for WooCommerce WordPress plugin before 2.0.0 does not validate user input against path traversal attacks, allowing high privilege users such as admin to download arbitrary logs from the server even when they should not be able to (for example in multisite) 2023-01-02 not yet calculated CVE-2022-4109
MISC wordpress — wordpress
  The Superio WordPress theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Cross-Site Scripting attacks. 2023-01-02 not yet calculated CVE-2022-4114
MISC
MISC wordpress — wordpress
  The Image Optimizer, Resizer and CDN WordPress plugin before 6.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2023-01-02 not yet calculated CVE-2022-4119
MISC fortinet — fortiportal
  An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1, 5.0 management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via sending request with specially crafted columnindex parameter. 2023-01-03 not yet calculated CVE-2022-41336
MISC wordpress — wordpress
  The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server 2023-01-02 not yet calculated CVE-2022-4140
MISC wordpress — wordpress
  The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfiltered_html capability is disabled. 2023-01-02 not yet calculated CVE-2022-4142
MISC bentley systems — microstation
  Bentley Systems MicroStation Connect versions 10.17.0.209 and prior are vulnerable to an Out-of-Bounds Read when when parsing DGN files, which may allow an attacker to crash the product, disclose sensitive information, or execute arbitrary code. 2023-01-06 not yet calculated CVE-2022-41613
MISC Multiple_vendors– v-server
  Out-of-bounds read vulnerability in V-Server v4.0.12.0 and earlier allows a local attacker to obtain the information and/or execute arbitrary code by having a user to open a specially crafted project file. 2023-01-03 not yet calculated CVE-2022-41645
MISC
MISC ibm — robotic_process_automation
  IBM Robotic Process Automation 20.12 through 21.0.6 could allow an attacker with physical access to the system to obtain highly sensitive information from system memory. IBM X-Force ID: 238053. 2023-01-05 not yet calculated CVE-2022-41740
MISC
MISC wordpress — wordpress
  The WP Social Sharing WordPress plugin through 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2023-01-02 not yet calculated CVE-2022-4198
MISC wordpress — wordpress
  The Login with Cognito WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2023-01-02 not yet calculated CVE-2022-4200
MISC wordpress — wordpress
  The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server. 2023-01-02 not yet calculated CVE-2022-4236
MISC wordpress — wordpress
  The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blog 2023-01-02 not yet calculated CVE-2022-4237
MISC ibm — business_automation_workflow
  IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054. 2023-01-04 not yet calculated CVE-2022-42435
MISC
MISC fortinet — fortiweb An improper neutralization of CRLF sequences in HTTP headers (‘HTTP Response Splitting’) vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attacker to inject arbitrary headers. 2023-01-03 not yet calculated CVE-2022-42471
MISC fortinet — fortiproxy
  A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. 2023-01-02 not yet calculated CVE-2022-42475
MISC wordpress — wordpress
  The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) 2023-01-02 not yet calculated CVE-2022-4256
MISC wordpress — wordpress
  The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 2023-01-02 not yet calculated CVE-2022-4260
MISC nice — linear_emerge_e3-series
  Nice (formerly Nortek) Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e devices are vulnerable to Stored Cross-Site Scripting (XSS). 2023-01-03 not yet calculated CVE-2022-42710
MISC wordpress — wordpress
  The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection 2023-01-02 not yet calculated CVE-2022-4297
MISC ryde — ryde
  Information disclosure due to an insecure hostname validation in the RYDE application 5.8.43 for Android and iOS allows attackers to take over an account via a deep link. 2023-01-06 not yet calculated CVE-2022-42979
MISC wordpress — wordpress
  The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. 2023-01-02 not yet calculated CVE-2022-4298
MISC wordpress — wordpress
  The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. 2023-01-02 not yet calculated CVE-2022-4302
MISC wordpress — wordpress
  The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. 2023-01-02 not yet calculated CVE-2022-4324
MISC wordpress — wordpress
  The Product list Widget for Woocommerce WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high privilege one like admin). 2023-01-02 not yet calculated CVE-2022-4329
MISC wordpress — wordpress
  The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it’s thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter. 2023-01-02 not yet calculated CVE-2022-4340
MISC multiple_vendors — v-sft_and_tellus
  Out-of-bounds write vulnerability in V-SFT v6.1.7.0 and earlier and TELLUS v4.0.12.0 and earlier allows a local attacker to obtain the information and/or execute arbitrary code by having a user to open a specially crafted image file. 2023-01-03 not yet calculated CVE-2022-43448
MISC
MISC wordpress — wordpress
  The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 2023-01-02 not yet calculated CVE-2022-4351
MISC
MISC aruba — edgeconnect
  Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43519
MISC wordpress — wordpress
  The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 2023-01-02 not yet calculated CVE-2022-4352
MISC
MISC aruba — edgeconnect
  Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43520
MISC aruba — edgeconnect
  Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43521
MISC aruba — edgeconnect Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43522
MISC aruba — edgeconnect
  Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43523
MISC aruba — edgeconnect
  A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43524
MISC aruba — edgeconnect
  Multiple vulnerabilities within the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43525
MISC aruba — edgeconnect
  Multiple vulnerabilities within the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43526
MISC aruba — edgeconnect
  Multiple vulnerabilities within the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43527
MISC aruba — edgeconnect
  Under certain configurations, an attacker can login to Aruba EdgeConnect Enterprise Orchestrator without supplying a multi-factor authentication code. Successful exploitation allows an attacker to login using only a username and password and successfully bypass MFA requirements in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43528
MISC aruba — edgeconnect
  A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-43529
MISC aruba — clearpass_policy_manager
  Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43530
MISC aruba — clearpass_policy_manager
  Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43531
MISC aruba — clearpass_policy_manager
  A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43532
MISC aruba — clearpass_onguard
  A vulnerability in the ClearPass OnGuard macOS agent could allow malicious users on a macOS instance to elevate their user privileges. A successful exploit could allow these users to execute arbitrary code with root level privileges on the macOS instance in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43533
MISC aruba — clearpass_onguard
  A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges. A successful exploit could allow these users to execute arbitrary code with root level privileges on the Linux instance in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43534
MISC aruba — clearpass_onguard
  A vulnerability in the ClearPass OnGuard Windows agent could allow malicious users on a Windows instance to elevate their user privileges. A successful exploit could allow these users to execute arbitrary code with NT AUTHORITYSYSTEM level privileges on the Windows instance in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43535
MISC aruba — clearpass_policy_manager
  Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43536
MISC aruba — clearpass_policy_manager
  Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43537
MISC aruba — clearpass_policy_manager
  Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. Successful exploits could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43538
MISC aruba — clearpass_policy_manager
  A vulnerability exists in the ClearPass Policy Manager cluster communications that allow for an attacker in a privileged network position to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that allows for unauthorized actions as a privileged user on the ClearPass Policy Manager cluster in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43539
MISC aruba — clearpass_policy_manager
  A vulnerability exists in the ClearPass OnGuard macOS agent that allows for an attacker with local macOS instance access to potentially obtain sensitive information. A successful exploit could allow an attacker to retrieve information that is of a sensitive nature in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below. 2023-01-05 not yet calculated CVE-2022-43540
MISC wordpress — wordpress
  The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 2023-01-02 not yet calculated CVE-2022-4355
MISC
MISC wordpress — wordpress
  The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 2023-01-02 not yet calculated CVE-2022-4356
MISC
MISC wordpress — wordpress
  The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. 2023-01-02 not yet calculated CVE-2022-4357
MISC
MISC ibm — robotic_process_automation
  IBM Robotic Process Automation 20.12 through 21.0.6 is vulnerable to exposure of the name and email for the creator/modifier of platform level objects. IBM X-Force ID: 238678. 2023-01-05 not yet calculated CVE-2022-43573
MISC
MISC wordpress — wordpress
  The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 2023-01-02 not yet calculated CVE-2022-4358
MISC
MISC wordpress — wordpress
  The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 2023-01-02 not yet calculated CVE-2022-4359
MISC
MISC wordpress — wordpress
  The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 2023-01-02 not yet calculated CVE-2022-4360
MISC
MISC wordpress — wordpress
  The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks 2023-01-02 not yet calculated CVE-2022-4362
MISC wordpress — wordpress The WP-Lister Lite for Amazon WordPress plugin before 2.4.4 does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high-privilege users such as admin. 2023-01-02 not yet calculated CVE-2022-4369
MISC wordpress — wordpress
  The multimedial images WordPress plugin through 1.0b does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. 2023-01-02 not yet calculated CVE-2022-4370
MISC
MISC wordpress — wordpress
  The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well 2023-01-02 not yet calculated CVE-2022-4371
MISC
MISC wordpress — wordpress
  The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well 2023-01-02 not yet calculated CVE-2022-4372
MISC
MISC wordpress — wordpress
  The Quote-O-Matic WordPress plugin through 1.0.5 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. 2023-01-02 not yet calculated CVE-2022-4373
MISC linux — linux_kernel
  A stack overflow flaw was found in the Linux kernel’s SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. 2023-01-05 not yet calculated CVE-2022-4378
MISC
MISC
MISC
MISC wordpress — wordpress
  The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks 2023-01-02 not yet calculated CVE-2022-4381
MISC ibm — robotic_process_automation
  IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081. 2023-01-05 not yet calculated CVE-2022-43844
MISC
MISC ibm — sterling_b2b_integrator
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could allow an authenticated user to gain privileges in a different group due to an access control vulnerability in the Sftp server adapter. IBM X-Force ID: 241362. 2023-01-04 not yet calculated CVE-2022-43920
MISC
MISC synology — synology_router_manager
  Improper neutralization of special elements in output used by a downstream component (‘Injection’) vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to read arbitrary files via unspecified vectors. 2023-01-05 not yet calculated CVE-2022-43932
MISC nexxt_solutions — nexxt_router_firmware
  The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 devices allows remote OS command execution by placing &telnetd in the JSON host field to the ping feature of the goform/sysTools component. Authentication is required. 2023-01-06 not yet calculated CVE-2022-44149
MISC
MISC
MISC wordpress — wordpress
  The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users 2023-01-02 not yet calculated CVE-2022-4417
MISC lenovo — thinkpad_x13s_bios
  A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS PersistenceConfigDxe driver that could allow a local attacker with elevated privileges to cause information disclosure. 2023-01-05 not yet calculated CVE-2022-4432
MISC lenovo — thinkpad_x13s_bios
  A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS LenovoSetupConfigDxe driver that could allow a local attacker with elevated privileges to cause information disclosure. 2023-01-05 not yet calculated CVE-2022-4433
MISC lenovo — thinkpad_x13s_bios
  A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS driver that could allow a local attacker with elevated privileges to cause information disclosure. 2023-01-05 not yet calculated CVE-2022-4434
MISC lenovo — thinkpad_x13s_bios
  A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS LenovoRemoteConfigUpdateDxe driver that could allow a local attacker with elevated privileges to cause information disclosure. 2023-01-05 not yet calculated CVE-2022-4435
MISC unisoc — unisoc
  In music service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44422
MISC unisoc — unisoc
  In music service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44423
MISC unisoc — unisoc
  In music service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44424
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44425
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44426
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44427
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44428
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44429
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44430
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44431
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44432
MISC unisoc — unisoc
  In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44434
MISC unisoc — unisoc
  In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44435
MISC unisoc — unisoc
  In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44436
MISC unisoc — unisoc
  In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44437
MISC unisoc — unisoc
  In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44438
MISC unisoc — unisoc In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional execution privileges needed. 2023-01-04 not yet calculated CVE-2022-44439
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44440
MISC unisoc — unisoc In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44441
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44442
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44443
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44444
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44445
MISC unisoc — unisoc
  In wlan driver, there is a possible missing bounds check. This could lead to local denial of service in wlan services. 2023-01-04 not yet calculated CVE-2022-44446
MISC aruba — edgeconnect
  A vulnerability in the Aruba EdgeConnect Enterprise Orchestrator web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-44534
MISC aruba — edgeconnect
  A vulnerability in the Aruba EdgeConnect Enterprise Orchestrator web-based management interface allows remote low-privileged authenticated users to escalate their privileges to those of an administrative user. A successful exploit could allow an attacker to achieve administrative privilege on the web-management interface leading to complete system compromise in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned. 2023-01-05 not yet calculated CVE-2022-44535
MISC maccms10 — maccms10
  A reflected cross-site scripting (XSS) vulnerability in maccms10 v2022.1000.3032 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the AD Management module. 2023-01-06 not yet calculated CVE-2022-44870
MISC
MISC linux — cent0s_web_panel
  RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests. 2023-01-05 not yet calculated CVE-2022-44877
MISC
MISC
FULLDISC efs_software — easy_chat_server
  Efs Software Easy Chat Server Version 3.1 was discovered to contain a DLL hijacking vulnerability via the component TextShaping.dll. This vulnerability allows attackers to execute arbitrary code via a crafted DLL. 2023-01-06 not yet calculated CVE-2022-44939
MISC perfsonar — pscheduler_server
  perfSONAR before 4.4.6, when performing participant discovery, incorrectly uses an HTTP request header value to determine a local address. 2023-01-01 not yet calculated CVE-2022-45027
MISC axiell — axiell_iguana_cms
  A reflected XSS vulnerability has been found in Axiell Iguana CMS, allowing an attacker to execute code in a victim’s browser. The url parameter on the novelist.php endpoint does not properly neutralise user input, resulting in the vulnerability. 2023-01-04 not yet calculated CVE-2022-45049
MISC
MISC axiell — iguana
  A reflected XSS vulnerability has been found in Axiell Iguana CMS, allowing an attacker to execute code in a victim’s browser. The module parameter on the Service.template.cls endpoint does not properly neutralise user input, resulting in the vulnerability. 2023-01-04 not yet calculated CVE-2022-45051
MISC
MISC axiell — iguana
  A Local File Inclusion vulnerability has been found in Axiell Iguana CMS. Due to insufficient neutralisation of user input on the url parameter on the Proxy.type.php endpoint, external users are capable of accessing files on the server. 2023-01-04 not yet calculated CVE-2022-45052
MISC
MISC apache — tomcat
  The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. 2023-01-03 not yet calculated CVE-2022-45143
MISC perfsonar — perfsonar
  perfSONAR before 4.4.6 inadvertently supports the parse option for a file:// URL. 2023-01-01 not yet calculated CVE-2022-45213
MISC apache — james_mime4j
  Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later. 2023-01-06 not yet calculated CVE-2022-45787
MISC fortinet — fortimanager
  An incorrect user management vulnerability [CWE-286] in the FortiManager version 6.4.6 and below VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin account is deleted. 2023-01-05 not yet calculated CVE-2022-45857
MISC mybb — mybb
  MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution. 2023-01-03 not yet calculated CVE-2022-45867
CONFIRM apache — dolphinscheduler
  Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. 2023-01-04 not yet calculated CVE-2022-45875
MISC zimbra — collaboration
  An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur on the Classic UI login page by injecting arbitrary JavaScript code in the username field. This occurs before the user logs into the system, which means that even if the attacker executes arbitrary JavaScript, they will not get any sensitive information. 2023-01-06 not yet calculated CVE-2022-45911
MISC
MISC zimbra — collaboration
  An issue was discovered in Zimbra Collaboration (ZCS) 9.0. XSS can occur via one of attributes in webmail URLs to execute arbitrary JavaScript code, leading to information disclosure. 2023-01-06 not yet calculated CVE-2022-45913
MISC
MISC apache — james_server
  Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components includes the SMTP stack and IMAP APPEND command. This issue affects Apache James server version 3.7.2 and prior versions. 2023-01-06 not yet calculated CVE-2022-45935
MISC tenda — ax12
  There is an unauthorized buffer overflow vulnerability in Tenda AX12 v22.03.01.21 _ cn. This vulnerability can cause the web service not to restart or even execute arbitrary code. It is a different vulnerability from CVE-2022-2414. 2023-01-05 not yet calculated CVE-2022-45995
MISC garmin — connect
  In Garmin Connect 4.61, terminating a LiveTrack session wouldn’t prevent the LiveTrack API from continued exposure of private personal information. 2023-01-04 not yet calculated CVE-2022-46081
MISC discourse — discourse
  Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta15 on the `beta` and `tests-passed` branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue as they are likely already familiar with one another’s email addresses. This issue is patched in versions 2.8.14 and 2.9.0.beta15. The fix is that someone sending emails out via group SMTP to non-staged users masks those emails with blind carbon copy (BCC). Staged users are ones that have likely only interacted with the group via email, and will likely include other people who were CC’d on the original email to the group. As a workaround, disable group SMTP for any groups that have it enabled. 2023-01-05 not yet calculated CVE-2022-46168
MISC
MISC discourse — discourse
  Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account’s primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting `email_token_valid_hours` which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower `email_token_valid_hours ` as needed. 2023-01-05 not yet calculated CVE-2022-46177
MISC
MISC
MISC discourse — mermaid
  Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component version 1.0.0 who can create posts are able to inject arbitrary HTML on that post. The issue has been fixed on the `main` branch of the GitHub repository, with 1.1.0 named as a patched version. Admins can update the theme component through the admin UI. As a workaround, admins can temporarily disable discourse-mermaid-theme-component. 2023-01-04 not yet calculated CVE-2022-46180
MISC
MISC
MISC fuji_electric/hakko_electronics — v-sft/tellus
  Out-of-bounds read vulnerability in V-SFT v6.1.7.0 and earlier and TELLUS v4.0.12.0 and earlier allows a local attacker to obtain the information and/or execute arbitrary code by having a user to open a specially crafted image file. 2023-01-03 not yet calculated CVE-2022-46360
MISC
MISC nasm — nasm
  NASM v2.16 was discovered to contain a global buffer overflow in the component dbgdbg_typevalue at /output/outdbg.c. 2023-01-04 not yet calculated CVE-2022-46456
MISC nasm — nasm
  NASM v2.16 was discovered to contain a segmentation violation in the component ieee_write_file at /output/outieee.c. 2023-01-04 not yet calculated CVE-2022-46457
MISC gpac_mp4box — gpac_mp4box
  GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c. 2023-01-05 not yet calculated CVE-2022-46489
MISC gpac_mp4box — gpac_mp4box
  GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c. 2023-01-05 not yet calculated CVE-2022-46490
MISC wordpress — wordpress
  The Members Import plugin for WordPress is vulnerable to Self Cross-Site Scripting via the user_login parameter in an imported CSV file in versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site’s administrator into uploading a CSV file with the malicious payload. 2023-01-03 not yet calculated CVE-2022-4663
MISC
MISC huawei — harmonyos_and_emui
  The system has a vulnerability that may cause dynamic hiding and restoring of app icons.Successful exploitation of this vulnerability may cause malicious hiding of app icons. 2023-01-06 not yet calculated CVE-2022-46761
MISC
MISC huawei — harmonyos_an_emui
  The memory management module has a logic bypass vulnerability.Successful exploitation of this vulnerability may affect data confidentiality. 2023-01-06 not yet calculated CVE-2022-46762
MISC
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c 2023-01-05 not yet calculated CVE-2022-47086
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c 2023-01-05 not yet calculated CVE-2022-47087
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow. 2023-01-05 not yet calculated CVE-2022-47088
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c 2023-01-05 not yet calculated CVE-2022-47089
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c 2023-01-05 not yet calculated CVE-2022-47091
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is contains an Integer overflow vulnerability in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316 2023-01-05 not yet calculated CVE-2022-47092
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid 2023-01-05 not yet calculated CVE-2022-47093
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid 2023-01-05 not yet calculated CVE-2022-47094
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c 2023-01-05 not yet calculated CVE-2022-47095
MISC fuji_electric_and_hakko_electronics — v-server
  Out-of-bounds write vulnerability in V-Server v4.0.12.0 and earlier allows a local attacker to obtain the information and/or execute arbitrary code by having a user to open a specially crafted project file. 2023-01-03 not yet calculated CVE-2022-47317
MISC
MISC zoho_manageengine — access_manager_plus
  Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection. 2023-01-05 not yet calculated CVE-2022-47523
MISC siren — investigate
  An issue was discovered in Siren Investigate before 12.1.7. There is an ACL bypass on global objects. 2023-01-05 not yet calculated CVE-2022-47543
MISC
MISC siren — investigate
  An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed. 2023-01-05 not yet calculated CVE-2022-47544
MISC
MISC isode — m-link
  M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867. 2023-01-01 not yet calculated CVE-2022-47634
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113 2023-01-05 not yet calculated CVE-2022-47653
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261 2023-01-05 not yet calculated CVE-2022-47654
MISC libde265 — libde265
  Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback<unsigned short> 2023-01-05 not yet calculated CVE-2022-47655
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273 2023-01-05 not yet calculated CVE-2022-47656
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662 2023-01-05 not yet calculated CVE-2022-47657
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039 2023-01-05 not yet calculated CVE-2022-47658
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data 2023-01-05 not yet calculated CVE-2022-47659
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is has an integer overflow in isomedia/isom_write.c 2023-01-05 not yet calculated CVE-2022-47660
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes 2023-01-05 not yet calculated CVE-2022-47661
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segment fault (/stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662 2023-01-05 not yet calculated CVE-2022-47662
MISC gpac_mp4box — gpac_mp4box
  GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609 2023-01-05 not yet calculated CVE-2022-47663
MISC fuji_electric_and_hakko_electronics — v-server Stack-based buffer overflow vulnerability in V-Server v4.0.12.0 and earlier allows a local attacker to obtain the information and/or execute arbitrary code by having a user to open a specially crafted project file. 2023-01-03 not yet calculated CVE-2022-47908
MISC
MISC lxc — lxc
  lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because “Failed to open” often indicates that a file does not exist, whereas “does not refer to a network namespace path” often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that “we will report back to the user that the open() failed but the user has no way of knowing why it failed”; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist. 2023-01-01 not yet calculated CVE-2022-47952
MISC
MISC
MISC
MISC huawei– harmonyos_and_emui
  The Bluetooth AVRCP module has a vulnerability that can lead to DoS attacks.Successful exploitation of this vulnerability may cause the Bluetooth process to restart. 2023-01-06 not yet calculated CVE-2022-47974
MISC
MISC huawei– harmonyos_and_emui
  The DUBAI module has a double free vulnerability.Successful exploitation of this vulnerability may affect system availability. 2023-01-06 not yet calculated CVE-2022-47975
MISC
MISC huawei– harmonyos_and_emui
  The DMSDP module of the distributed hardware has a vulnerability that may cause imposter control connections.Successful exploitation of this vulnerability may disconnect normal service connections. 2023-01-06 not yet calculated CVE-2022-47976
MISC
MISC robot_operating_system — robot_operating_system
  The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot’s behavior. This occurs because a topic name depends on the attacker-controlled time_ref_topic parameter. 2023-01-01 not yet calculated CVE-2022-48198
MISC
MISC
MISC uniswap — universal_router Uniswap Universal Router before 1.1.0 mishandles reentrancy. This would have allowed theft of funds. 2023-01-04 not yet calculated CVE-2022-48216
MISC
MISC
MISC
MISC
MISC evolution_events — artaxerxes
  A vulnerability was found in Evolution Events Artaxerxes. It has been declared as problematic. This vulnerability affects unknown code of the file arta/common/middleware.py of the component POST Parameter Handler. The manipulation of the argument password leads to information disclosure. The attack can be initiated remotely. The name of the patch is 022111407d34815c16c6eada2de69ca34084dc0d. It is recommended to apply a patch to fix this issue. VDB-217438 is the identifier assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2022-4869
MISC
MISC
MISC nflpick-em.com — nflpick-em.com
  A vulnerability classified as problematic was found in ummmmm nflpick-em.com up to 2.2.x. This vulnerability affects the function _Load_Users of the file html/includes/runtime/admin/JSON/LoadUsers.php. The manipulation of the argument sort leads to sql injection. The attack can be initiated remotely. The name of the patch is dd77a35942f527ea0beef5e0ec62b92e8b93211e. It is recommended to apply a patch to fix this issue. VDB-217270 is the identifier assigned to this vulnerability. NOTE: JSON entrypoint is only accessible via an admin account 2023-01-03 not yet calculated CVE-2022-4871
MISC
MISC
MISC fossology — fossology
  A vulnerability has been found in fossology and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument sql/VarValue leads to cross site scripting. The attack can be initiated remotely. The name of the patch is 8e0eba001662c7eb35f045b70dd458a4643b4553. It is recommended to apply a patch to fix this issue. VDB-217426 is the identifier assigned to this vulnerability. 2023-01-04 not yet calculated CVE-2022-4875
MISC
MISC
MISC
MISC kaltura — mwembed
  A vulnerability was found in Kaltura mwEmbed up to 2.96.rc1 and classified as problematic. This issue affects some unknown processing of the file includes/DefaultSettings.php. The manipulation of the argument HTTP_X_FORWARDED_HOST leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.96.rc2 is able to address this issue. The name of the patch is 13b8812ebc8c9fa034eed91ab35ba8423a528c0b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217427. 2023-01-04 not yet calculated CVE-2022-4876
MISC
MISC
MISC
MISC
MISC keter — keter
  A vulnerability has been found in snoyberg keter up to 1.8.1 and classified as problematic. This vulnerability affects unknown code of the file Keter/Proxy.hs. The manipulation of the argument host leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.8.2 is able to address this issue. The name of the patch is d41f3697926b231782a3ad8050f5af1ce5cc40b7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217444. 2023-01-05 not yet calculated CVE-2022-4877
MISC
MISC
MISC
MISC
MISC jatos — jatos
  A vulnerability classified as critical has been found in JATOS. Affected is the function ZipUtil of the file modules/common/app/utils/common/ZipUtil.java of the component ZIP Handler. The manipulation leads to path traversal. Upgrading to version 3.7.5-alpha is able to address this issue. The name of the patch is 2b42519f309d8164e8811392770ce604cdabb5da. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217548. 2023-01-06 not yet calculated CVE-2022-4878
MISC
MISC
MISC
MISC forged_alliance_forever — forged_alliance_forever
  A vulnerability was found in Forged Alliance Forever up to 3746. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Vote Handler. The manipulation leads to improper authorization. Upgrading to version 3747 is able to address this issue. The name of the patch is 6880971bd3d73d942384aff62d53058c206ce644. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217555. 2023-01-06 not yet calculated CVE-2022-4879
MISC
MISC
MISC
MISC
MISC openutau –openutau
  A vulnerability was found in stakira OpenUtau. It has been classified as critical. This affects the function VoicebankInstaller of the file OpenUtau.Core/Classic/VoicebankInstaller.cs of the component ZIP Archive Handler. The manipulation leads to path traversal. Upgrading to version 0.0.991 is able to address this issue. The name of the patch is 849a0a6912aac8b1c28cc32aa1132a3140caff4a. It is recommended to upgrade the affected component. The identifier VDB-217617 was assigned to this vulnerability. 2023-01-07 not yet calculated CVE-2022-4880
MISC
MISC
MISC
MISC
MISC multilaser — re708 A vulnerability was found in Multilaser RE708 RE1200R4GC-2T2R-V3_v3411b_MUL029B. It has been rated as problematic. This issue affects some unknown processing of the component Telnet Service. The manipulation leads to denial of service. The attack may be initiated remotely. The identifier VDB-217169 was assigned to this vulnerability. 2023-01-01 not yet calculated CVE-2023-0029
MISC
MISC
MISC wordpress — wordpress
  The “Survey Maker – Best WordPress Survey Plugin” plugin for WordPress is vulnerable to Stored Cross-Site Scripting via survey answers in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts when submitting quizzes that will execute whenever a user accesses the submissions page. 2023-01-03 not yet calculated CVE-2023-0038
MISC
MISC wordpress — wordpress
  The User Post Gallery – UPG plugin for WordPress is vulnerable to authorization bypass which leads to remote command execution due to the use of a nopriv AJAX action and user supplied function calls and parameters in versions up to, and including 2.19. This makes it possible for unauthenticated attackers to call arbitrary PHP functions and perform actions like adding new files that can be webshells and updating the site’s options to allow anyone to register as an administrator. 2023-01-03 not yet calculated CVE-2023-0039
MISC
MISC lirantal — daloradius
  Improper Restriction of Names for Files and Other Resources in GitHub repository lirantal/daloradius prior to master-branch. 2023-01-04 not yet calculated CVE-2023-0046
MISC
CONFIRM lirantal — daloradius
  Code Injection in GitHub repository lirantal/daloradius prior to master-branch. 2023-01-04 not yet calculated CVE-2023-0048
CONFIRM
MISC vim — vim
  Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143. 2023-01-04 not yet calculated CVE-2023-0049
MISC
CONFIRM vim — vim
  Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. 2023-01-04 not yet calculated CVE-2023-0051
CONFIRM
MISC vim — vim
  Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145. 2023-01-04 not yet calculated CVE-2023-0054
CONFIRM
MISC pyload — pyload
  Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. 2023-01-04 not yet calculated CVE-2023-0055
CONFIRM
MISC pyload — pyload
  Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33. 2023-01-05 not yet calculated CVE-2023-0057
MISC
CONFIRM synology — router_manager
  Integer overflow or wraparound vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to overflow buffers via unspecified vectors. 2023-01-05 not yet calculated CVE-2023-0077
MISC wordpress — wordpress
  The JetWidgets for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.12. This is due to missing nonce validation on the save() function. This makes it possible for unauthenticated attackers to to modify the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be used to enable SVG uploads that could make Cross-Site Scripting possible. 2023-01-05 not yet calculated CVE-2023-0086
MISC
MISC wordpress — wordpress
  The Swifty Page Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘spm_plugin_options_page_tree_max_width’ parameter in versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2023-01-05 not yet calculated CVE-2023-0087
MISC
MISC wordpress — wordpress
  The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion among other things. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2023-01-05 not yet calculated CVE-2023-0088
MISC
MISC usememos — memos
  Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.10.0. 2023-01-07 not yet calculated CVE-2023-0106
CONFIRM
MISC usememos — memos
  Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.10.0. 2023-01-07 not yet calculated CVE-2023-0107
CONFIRM
MISC usememos — memos
  Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.10.0. 2023-01-07 not yet calculated CVE-2023-0108
MISC
CONFIRM usememos — memos
  Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.10.0. 2023-01-07 not yet calculated CVE-2023-0110
MISC
CONFIRM usememos — memos
  Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.10.0. 2023-01-07 not yet calculated CVE-2023-0111
MISC
CONFIRM usememos — memos
  Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.10.0. 2023-01-07 not yet calculated CVE-2023-0112
MISC
CONFIRM netis — netcore_router
  A vulnerability was found in Netis Netcore Router. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file param.file.tgz of the component Backup Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-217591. 2023-01-07 not yet calculated CVE-2023-0113
MISC
MISC netis — netcore_router
  A vulnerability was found in Netis Netcore Router. It has been rated as problematic. Affected by this issue is some unknown functionality of the file param.file.tgz of the component Backup Handler. The manipulation leads to cleartext storage in a file or on disk. Local access is required to approach this attack. The identifier of this vulnerability is VDB-217592. 2023-01-07 not yet calculated CVE-2023-0114
MISC
MISC kiwitcms– kiwi
  Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the `AUTH_PASSWORD_VALIDATORS` configuration setting. As of version 11.7, the password can’t be too similar to other personal information, must contain at least 10 characters, can’t be a commonly used password, and can’t be entirely numeric. As a workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen. 2023-01-02 not yet calculated CVE-2023-22451
MISC
MISC
MISC kenny2automate — kenny2automate
  kenny2automate is a Discord bot. In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names. Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to the channel ID they wish to change settings for and the server settings panel for any server could change settings for the requested channel no matter which server it belonged to. Commit a947d7c resolves the issue and has been deployed to the official instance of the bot. The only workaround that exists is to disable the web config entirely by changing it to run on localhost. Note that a workaround is only necessary for those who run their own instance of the bot. 2023-01-02 not yet calculated CVE-2023-22452
MISC
MISC discourse — discourse
  Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, the number of times a user posted in an arbitrary topic is exposed to unauthorized users through the `/u/username.json` endpoint. The issue is patched in version 2.8.14 and 3.0.0.beta16. There is no known workaround. 2023-01-05 not yet calculated CVE-2023-22453
MISC
MISC discourse — discourse
  Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, pending post titles can be used for cross-site scripting attacks. Pending posts can be created by unprivileged users when a category has the “require moderator approval of all new topics” setting set. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. A patch is available in versions 2.8.14 and 3.0.0.beta16. 2023-01-05 not yet calculated CVE-2023-22454
MISC
MISC discourse — discourse
  Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, tag descriptions, which can be updated by moderators, can be used for cross-site scripting attacks. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. Versions 2.8.14 and 3.0.0.beta16 contain a patch. 2023-01-05 not yet calculated CVE-2023-22455
MISC
MISC viewvc– viewvc
  ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set’s `revision.ezt` file references to those changed paths, and wrap them with `[format “html”]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format “html”][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.) 2023-01-03 not yet calculated CVE-2023-22456
MISC
MISC
MISC
MISC ckeditor — ckeditor
  CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version. 2023-01-04 not yet calculated CVE-2023-22457
MISC
MISC
MISC ipld — go-ipld-prime
  go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn’t expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes. 2023-01-04 not yet calculated CVE-2023-22460
MISC
MISC
MISC sanitize-svg — sanitize-svg
  The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds 2023-01-04 not yet calculated CVE-2023-22461
MISC
MISC kubeoperator — kubepi KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading. 2023-01-04 not yet calculated CVE-2023-22463
MISC
MISC
MISC
MISC viewvc — viewvc
  ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path “copyfrom paths” during rendering. Locate in your template set’s `revision.ezt` file references to those changed paths, and wrap them with `[format “html”]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format “html”][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else “copyfrom path” names will be doubly escaped.) 2023-01-04 not yet calculated CVE-2023-22464
MISC
MISC
MISC
MISC http4s — http4s
  Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface. 2023-01-04 not yet calculated CVE-2023-22465
MISC tokio-rs– tokio
  Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe’s associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`. 2023-01-04 not yet calculated CVE-2023-22466
MISC
MISC
MISC
MISC moment — luxon
  Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon’s `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input. 2023-01-04 not yet calculated CVE-2023-22467
MISC
MISC
MISC
MISC thinkst — canarytokens
  Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens prior to sha-fb61290. An attacker who discovers an HTTP-based Canarytoken (a URL) can use this to execute Javascript in the Canarytoken’s trigger history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken’s creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken’s creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator’s network location. This vulnerability is similar to CVE-2022-31113, but affected parameters reported differently from the Canarytoken trigger request. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. Canarytokens Docker images sha-fb61290 and later contain a patch for this issue. 2023-01-06 not yet calculated CVE-2023-22475
MISC
MISC
MISC ftp — ftp
  The FTP (aka “Implementation of a simple FTP client and server”) project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not. 2023-01-01 not yet calculated CVE-2023-22551
MISC wordpress — wordpress
  WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes “the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner,” but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits. 2023-01-05 not yet calculated CVE-2023-22622
MISC
MISC
MISC
MISC
MISC
MISC pghero — pghero
  PgHero before 3.1.0 allows Information Disclosure via EXPLAIN because query results may be present in an error message. (Depending on database user privileges, this may only be information from the database, or may be information from file contents on the database server.) 2023-01-05 not yet calculated CVE-2023-22626
CONFIRM nsa — ghidra
  Ghidra/RuntimeScripts/Linux/support/launch.sh in NSA Ghidra through 10.2.2 passes user-provided input into eval, leading to command injection when calling analyzeHeadless with untrusted input. 2023-01-06 not yet calculated CVE-2023-22671
MISC
MISC