Total
4434 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24663 | 1 Php Everywhere Project | 1 Php Everywhere | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user. | |||||
| CVE-2022-24442 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates. | |||||
| CVE-2022-24429 | 1 Convert-svg-core Project | 1 Convert-svg-core | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
| The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then show the file content as a converted PNG file. | |||||
| CVE-2022-24295 | 1 Okta | 1 Advanced Server Access Client For Windows | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL. | |||||
| CVE-2022-23810 | 1 Appleple | 1 A-blog Cms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Template injection (Improper Neutralization of Special Elements Used in a Template Engine) vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to obtain an arbitrary file on the server via unspecified vectors. | |||||
| CVE-2022-23631 | 1 Blitzjs | 2 Blitz, Superjson | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL |
| superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue. | |||||
| CVE-2022-23614 | 3 Debian, Fedoraproject, Symfony | 3 Debian Linux, Fedora, Twig | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non Closure in the `sort` filter as is the case for some other filters. Users are advised to upgrade. | |||||
| CVE-2022-23503 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A | 7.5 HIGH |
| TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1. | |||||
| CVE-2022-23332 | 1 Ejointech | 6 Acom508, Acom508 Firmware, Acom516 and 3 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Command injection vulnerability in Manual Ping Form (Web UI) in Shenzhen Ejoin Information Technology Co., Ltd. ACOM508/ACOM516/ACOM532 609-915-041-100-020 allows a remote attacker to inject arbitrary code via the field. | |||||
| CVE-2022-23120 | 2 Linux, Trendmicro | 2 Linux Kernel, Deep Security Agent | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
| A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root. Please note: an attacker must first obtain access to the target agent in an un-activated and unconfigured state in order to exploit this vulnerability. | |||||
| CVE-2022-23088 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution. | |||||
| CVE-2022-22909 | 1 Digitaldruid | 1 Hoteldruid | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module. | |||||
| CVE-2022-22286 | 2 Google, Samsung | 2 Android, Bixby Routines | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
| A vulnerability using PendingIntent in Bixby Routines prior to version 3.1.21.8 in Android R(11.0) and 2.6.30.5 in Android Q(10.0) allows attackers to execute privileged action by hijacking and modifying the intent. | |||||
| CVE-2022-22285 | 2 Google, Samsung | 2 Android, Reminder | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
| A vulnerability using PendingIntent in Reminder prior to version 12.2.05.0 in Android R(11.0) and 12.3.02.1000 in Android S(12.0) allows attackers to execute privileged action by hijacking and modifying the intent. | |||||
| CVE-2022-21831 | 2 Debian, Rubyonrails | 2 Debian Linux, Active Storage | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments. | |||||
| CVE-2022-21797 | 3 Debian, Fedoraproject, Joblib Project | 3 Debian Linux, Fedora, Joblib | 2024-11-21 | N/A | 7.3 HIGH |
| The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement. | |||||
| CVE-2022-21686 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL |
| PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds. | |||||
| CVE-2022-21122 | 1 Metarhia | 1 Metacalc | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL |
| The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor. | |||||
| CVE-2022-1609 | 1 Weblizar | 1 School Management | 2024-11-21 | N/A | 9.8 CRITICAL |
| The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site. | |||||
| CVE-2022-1159 | 1 Rockwellautomation | 10 Compact Guardlogix 5380, Compact Guardlogix 5380 Firmware, Compactlogix 5380 and 7 more | 2024-11-21 | 6.5 MEDIUM | 7.7 HIGH |
| Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user. | |||||