Total: 32703 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-31259 | 1 Beego | 1 Beego | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
The route lookup process in beego before 1.12.9 and 2.x before 2.0.3 allows attackers to bypass access control. When a /p1/p2/:name route is configured, attackers can access it by appending .xml in various places (e.g., p1.xml instead of p1). | |||||
CVE-2022-31208 | 1 Infiray | 2 Iray-a8z3, Iray-a8z3 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The webserver contains an endpoint that can execute arbitrary commands by manipulating the cmd_string URL parameter. | |||||
CVE-2022-31166 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 8.1 HIGH |
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor leads to adding a supplementary empty value to groups, which is then resolved as a reference to the XWiki.WebHome page. Adding an XWikiGroup xobject to that page then transforms it into a group; any user put in that group would then obtain the privileges related to the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and the XWiki space in general) should be protected by default for edit rights. The problem has been patched in XWiki 13.10.4 and 14.2RC1 to no longer consider empty values in XWikiRights. It is possible to work around the problem by setting appropriate rights on the XWiki.WebHome page to prevent users from editing it. | |||||
CVE-2022-31068 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
GLPI is a free asset and IT management software package covering data center management, ITIL service desk, license tracking, and software auditing. In affected versions, all GLPI instances with the native inventory in use may leak sensitive information: the feature to get refused files is not authenticated. This issue has been addressed in version 10.0.2 and all affected users are advised to upgrade. | |||||
CVE-2022-31066 | 1 Edgexfoundry | 1 Edgex Foundry | 2024-11-21 | 3.6 LOW | 5.9 MEDIUM |
EdgeX Foundry is an open source project for building a common open framework for Internet of Things edge computing. Prior to version 2.1.1, the /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus. Users should upgrade to EdgeXFoundry Kamakura release (2.2.0) or to the June 2022 EdgeXFoundry LTS Jakarta release (2.1.1) to receive a patch. More information about which go modules, docker containers, and snaps contain patches is available in the GitHub Security Advisory. There are currently no known workarounds for this issue. | |||||
CVE-2022-31060 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners. | |||||
CVE-2022-30949 | 1 Jenkins | 1 Repo | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | |||||
CVE-2022-30948 | 1 Jenkins | 1 Mercurial | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | |||||
CVE-2022-30947 | 1 Jenkins | 1 Git | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. | |||||
CVE-2022-30943 | 1 Cybozu | 1 Garoon | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
Browsing restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data of Bulletin. | |||||
CVE-2022-30882 | 1 Pyanxdns Project | 1 Pyanxdns | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
The pyanxdns package in PyPI, version 0.2, is vulnerable to a code execution backdoor. The impact is: execute arbitrary code (remote). When installing the pyanxdns package of version 0.2, the request package will be installed. | |||||
CVE-2022-30785 | 3 Debian, Fedoraproject, Tuxera | 3 Debian Linux, Fedora, Ntfs-3g | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through 2021.8.22 when using libfuse-lite. | |||||
CVE-2022-30756 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 8.5 HIGH |
Implicit Intent hijacking vulnerability in Finder prior to SMR Jul-2022 Release 1 allows attackers to launch certain activities with the privilege of Finder. | |||||
CVE-2022-30754 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 8.5 HIGH |
Implicit Intent hijacking vulnerability in AppLinker prior to SMR Jun-2022 Release 1 allows attackers to launch certain activities with the privilege of AppLinker. | |||||
CVE-2022-30737 | 1 Samsung | 1 Account | 2024-11-21 | 5.0 MEDIUM | 4.0 MEDIUM |
Implicit Intent hijacking vulnerability in Samsung Account prior to version 13.2.00.6 allows attackers to get email ID. | |||||
CVE-2022-30726 | 1 Google | 1 Android | 2024-11-21 | 4.6 MEDIUM | 6.2 MEDIUM |
Unprotected component vulnerability in DeviceSearchTrampoline in SecSettingsIntelligence prior to SMR Jun-2022 Release 1 allows local attackers to launch activities of SecSettingsIntelligence. | |||||
CVE-2022-30722 | 1 Google | 1 Android | 2024-11-21 | 7.5 HIGH | 6.2 MEDIUM |
Implicit Intent hijacking vulnerability in Samsung Account prior to SMR Jun-2022 Release 1 allows attackers to bypass user confirmation of Samsung Account. | |||||
CVE-2022-30708 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter. | |||||
CVE-2022-30703 | 2 Microsoft, Trendmicro | 2 Windows, Security | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an exposed dangerous method vulnerability that could allow an attacker to obtain access to leaked kernel addresses and disclose sensitive information. This vulnerability could also potentially be chained for privilege escalation. | |||||
CVE-2022-30697 | 1 Acronis | 1 Snap Deploy | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Snap Deploy (Windows) before build 3640 | |||||