Total
29460 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31180 | 1 Shescape Project | 1 Shescape | 2024-11-21 | N/A | 9.8 CRITICAL |
| Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `'\u0085'` which is not included in JavaScript's definition of `\s` for Regular Expressions. | |||||
| CVE-2022-31120 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 2.1 LOW |
| Nextcloud server is an open source personal cloud solution. The audit log is used to get a full trail of the actions which has been incompletely populated. In affected versions federated share events were not properly logged which would allow brute force attacks to go unnoticed. This behavior exacerbates the impact of CVE-2022-31118. It is recommended that the Nextcloud Server is upgraded to 22.2.7, 23.0.4 or 24.0.0. There are no workarounds available. | |||||
| CVE-2022-31055 | 1 Google | 1 Kctf | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| kCTF is a Kubernetes-based infrastructure for capture the flag (CTF) competitions. Prior to version 1.6.0, the kctf cluster set-src-ip-ranges was broken and allowed traffic from any IP. The problem has been patched in v1.6.0. As a workaround, those who want to test challenges privately can mark them as `public: false` and use `kctf chal debug port-forward` to connect. | |||||
| CVE-2022-31032 | 1 Enalean | 1 Tuleap | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.58 authorizations are not properly verified when creating projects or trackers from projects marked as templates. Users can get access to information in those template projects because the permissions model is not properly enforced. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-31025 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 2.6 LOW |
| Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the `stable` branch and version `2.9.0.beta5` on the `beta` and `tests-passed` branches. As a workaround, disable invites or increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users. | |||||
| CVE-2022-31007 | 1 Elabftw | 1 Elabftw | 2024-11-21 | 6.5 MEDIUM | 4.9 MEDIUM |
| eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one if the issues is removing the ability of administrators to create accounts. | |||||
| CVE-2022-30973 | 1 Apache | 1 Tika | 2024-11-21 | 2.6 LOW | 5.5 MEDIUM |
| We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3. | |||||
| CVE-2022-30945 | 1 Jenkins | 1 Pipeline\ | 2024-11-21 | 6.8 MEDIUM | 8.5 HIGH |
| Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. | |||||
| CVE-2022-30885 | 1 Esa | 1 Pyesasky | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The pyesasky for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.0-1.4.2. | |||||
| CVE-2022-30877 | 1 Keep Project | 1 Keep | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The keep for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2. | |||||
| CVE-2022-30757 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
| Improper authorization in isemtelephony prior to SMR Jul-2022 Release 1 allows attacker to obtain CID without ACCESS_FINE_LOCATION permission. | |||||
| CVE-2022-30752 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_STATE_CHANGED action. | |||||
| CVE-2022-30751 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| Improper access control vulnerability in sendDHCPACKBroadcast function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected by using WIFI_AP_STA_DHCPACK_EVENT action. | |||||
| CVE-2022-30750 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| Improper access control vulnerability in updateLastConnectedClientInfo function of SemWifiApClient prior to SMR Jul-2022 Release 1 allows attacker to access wifi ap client mac address that connected. | |||||
| CVE-2022-30748 | 1 Samsung | 1 Members | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
| Unprotected dynamic receiver in Samsung Members prior to version 4.2.005 allows attacker to launch arbitrary activity. | |||||
| CVE-2022-30745 | 1 Samsung | 1 Quick Share | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
| Improper access control vulnerability in Quick Share prior to version 13.1.2.4 allows attacker to access internal files in Quick Share. | |||||
| CVE-2022-30731 | 1 Samsung | 1 My Files | 2024-11-21 | 2.1 LOW | 5.1 MEDIUM |
| Improper access control vulnerability in My Files prior to version 13.1.00.193 allows attackers to access arbitrary private files in My Files application. | |||||
| CVE-2022-30730 | 1 Samsung | 1 Samsung Pass | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to acess account list without authentication. | |||||
| CVE-2022-30729 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| Implicit Intent hijacking vulnerability in Settings prior to SMR Jun-2022 Release 1 allows attackers to get Wi-Fi SSID and password via a malicious QR code scanner. | |||||
| CVE-2022-30717 | 1 Google | 1 Android | 2024-11-21 | 5.0 MEDIUM | 4.0 MEDIUM |
| Improper caller check in AR Emoji prior to SMR Jun-2022 Release 1 allows untrusted applications to use some camera functions via deeplink. | |||||