Vulnerabilities (CVE)

Filtered by NVD-CWE-Other
Total 29736 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-36562 1 Rubyinstaller 1 Rubyinstaller2 2024-11-21 N/A 8.8 HIGH
Incorrect access control in the install directory (C:\Ruby31-x64) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
CVE-2022-36427 1 About-rentals Project 1 About-rentals 2024-11-21 N/A 7.3 HIGH
Missing Access Control vulnerability in About Rentals. Inc. About Rentals plugin <= 1.5 at WordPress.
CVE-2022-36425 1 Fastlinemedia 1 Beaver Builder 2024-11-21 N/A 5.4 MEDIUM
Broken Access Control vulnerability in Beaver Builder plugin <= 2.5.4.3 at WordPress.
CVE-2022-36416 1 Vmware 1 Ixgben 2024-11-21 N/A 4.4 MEDIUM
Protection mechanism failure in the Intel(R) Ethernet 500 Series Controller drivers for VMware before version 1.10.0.13 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-36387 1 About-me Project 1 About-me 2024-11-21 N/A 7.6 HIGH
Broken Access Control vulnerability in Alessio Caiazza's About Me plugin <= 1.0.12 at WordPress.
CVE-2022-36375 1 Oxilab 1 Responsive Tabs 2024-11-21 N/A 7.2 HIGH
Authenticated (high role user) WordPress Options Change vulnerability in Biplob Adhikari's Tabs plugin <= 3.6.0 at WordPress.
CVE-2022-36369 1 Intel 1 Qatzip 2024-11-21 N/A 7.8 HIGH
Improper access control in some QATzip software maintained by Intel(R) before version 1.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-36348 1 Intel 1 Server Platform Services 2024-11-21 N/A 8.8 HIGH
Active debug code in some Intel(R) SPS firmware before version SPS_E5_04.04.04.300.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-36325 1 Siemens 180 Scalance M-800, Scalance M-800 Firmware, Scalance S615 and 177 more 2024-11-21 N/A 6.8 MEDIUM
Affected devices do not properly sanitize data introduced by a user when rendering the web interface. This could allow an authenticated remote attacker with administrative privileges to inject code and lead to a DOM-based XSS.
CVE-2022-36323 1 Siemens 180 Scalance M-800, Scalance M-800 Firmware, Scalance S615 and 177 more 2024-11-21 N/A 9.1 CRITICAL
Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell.
CVE-2022-36289 1 Intel 1 Media Software Development Kit 2024-11-21 N/A 2.8 LOW
Protection mechanism failure in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2022-36278 1 Intel 1 Battery Life Diagnostic Tool 2024-11-21 N/A 8.2 HIGH
Insufficient control flow management in the Intel(R) Battery Life Diagnostic Tool software before version 2.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-36267 1 Airspan 2 Airspot 5410, Airspot 5410 Firmware 2024-11-21 N/A 9.8 CRITICAL
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious HTTP request by injecting code in one of the parameters, allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.
CVE-2022-36215 1 Dedebiz 1 Dedecmsv6 2024-11-21 N/A 7.2 HIGH
DedeBIZ v6 was discovered to contain a remote code execution vulnerability in sys_info.php.
CVE-2022-36110 1 Gravitl 1 Netmaker 2024-11-21 N/A 8.8 HIGH
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.
CVE-2022-36101 1 Shopware 1 Shopware 2024-11-21 N/A 5.4 MEDIUM
Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are advised to update and may get the update either via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.
CVE-2022-36090 1 Xwiki 1 Xwiki 2024-11-21 N/A 8.1 HIGH
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. In the same way, some resource handlers created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instances configured with the email activation required for new users. It is more critical for versions 11.3-rc-1 and later, since the maintainers provided the capability to disable users without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.
CVE-2022-36088 2 Microsoft, Thoughtworks 2 Windows, Gocd 2024-11-21 N/A 5.0 MEDIUM
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server that GoCD Server or Agent is installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the permissions of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.
CVE-2022-36084 1 Aeb 1 Cruddl 2024-11-21 N/A 9.9 CRITICAL
cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.
CVE-2022-36072 1 Silverwaregames 1 Silverwaregames 2024-11-21 N/A 5.9 MEDIUM
SilverwareGames.io is a social network for users to play video games online. In version 1.1.8 and prior, due to an unobvious feature of PHP, hashes generated by built-in functions and starting with the `0e` symbols were being handled as zero multiplied with the `e` number. Therefore, the hash value was equal to 0. The maintainers fixed this in version 1.1.9 by using `===` instead of `==` in comparisons where it is possible (e.g. on sign in/sign up handlers).