Vulnerabilities (CVE)

Filtered by NVD-CWE-noinfo
Total 32703 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-32553 1 Purestorage 2 Purity//fa, Purity//fb 2024-11-21 9.0 HIGH 8.8 HIGH
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
CVE-2022-32552 1 Purestorage 2 Purity//fa, Purity//fb 2024-11-21 9.0 HIGH 8.8 HIGH
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
CVE-2022-32550 1 1password 6 1password, 1password In The Browser, Command-line and 3 more 2024-11-21 5.8 MEDIUM 4.8 MEDIUM
An issue was discovered in AgileBits 1Password, involving the method various 1Password apps and integrations used to create connections to the 1Password service. In specific circumstances, this issue allowed a malicious server to convince a 1Password app or integration it is communicating with the 1Password service.
CVE-2022-32533 1 Apache 1 Jetspeed 2024-11-21 7.5 HIGH 9.8 CRITICAL
Apache Jetspeed-2 does not sufficiently filter untrusted user input by default, leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.
CVE-2022-32511 2 Fedoraproject, Jmespath Project 2 Fedora, Jmespath 2024-11-21 7.5 HIGH 9.8 CRITICAL
jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.
CVE-2022-32481 1 Dell 1 Powerprotect Cyber Recovery 2024-11-21 7.2 HIGH 7.8 HIGH
Dell PowerProtect Cyber Recovery, versions prior to 19.11, contain a privilege escalation vulnerability on virtual appliance deployments. A lower-privileged authenticated user can chain docker commands to escalate privileges to root leading to complete system takeover.
CVE-2022-32420 1 College Management System Project 1 College Management System 2024-11-21 6.8 MEDIUM 8.8 HIGH
College Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /College/admin/teacher.php. This vulnerability is exploited via a crafted PHP file.
CVE-2022-32412 1 Hongcms Project 1 Hongcms 2024-11-21 6.5 MEDIUM 7.2 HIGH
An issue in the /template/edit component of HongCMS v3.0 allows attackers to getshell.
CVE-2022-32411 1 Hongcms Project 1 Hongcms 2024-11-21 6.5 MEDIUM 7.2 HIGH
An issue in the languages config file of HongCMS v3.0 allows attackers to getshell.
CVE-2022-32387 1 Kentico 1 Kentico 2024-11-21 N/A 7.5 HIGH
In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.
CVE-2022-32295 1 Amperecomputing 4 Ampere Altra, Ampere Altra Firmware, Ampere Altra Max and 1 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
On Ampere Altra and AltraMax devices before SRP 1.09, the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.
CVE-2022-32291 1 Realnetworks 1 Realplayer 2024-11-21 6.8 MEDIUM 8.8 HIGH
In Real Player through 20.1.0.312, attackers can execute arbitrary code by placing a UNC share pathname (for a DLL file) in a RAM file.
CVE-2022-32283 1 Cybozu 1 Office 2024-11-21 N/A 4.3 MEDIUM
Browse restriction bypass vulnerability in Cabinet of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Cabinet via unspecified vectors.
CVE-2022-32278 2 Debian, Xfce 2 Debian Linux, Exo 2024-11-21 6.8 MEDIUM 8.8 HIGH
XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.
CVE-2022-32268 1 Starwindsoftware 1 Starwind San & Nas 2024-11-21 9.0 HIGH 8.8 HIGH
StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges.
CVE-2022-32265 1 Qdecoder Project 1 Qdecoder 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
qDecoder before 12.1.0 does not ensure that the percent character is followed by two hex digits for URL decoding.
CVE-2022-32263 1 Pexip 1 Pexip Infinity 2024-11-21 N/A 7.5 HIGH
Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.
CVE-2022-32244 1 Sap 1 Businessobjects Business Intelligence 2024-11-21 N/A 5.2 MEDIUM
Under certain conditions, an attacker authenticated as a CMS administrator can access the BOE Commentary database and retrieve (non-personal) system data and modify system data, but can't make the system unavailable. This needs the attacker to have high privilege access to the same physical/logical network to access information which would otherwise be restricted, leading to low impact on confidentiality and high impact on integrity of the application.
CVE-2022-32189 1 Golang 1 Go 2024-11-21 N/A 7.5 HIGH
A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
CVE-2022-32158 1 Splunk 1 Splunk 2024-11-21 7.5 HIGH 9.0 CRITICAL
Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.