Vulnerabilities (CVE)

Filtered by NVD-CWE-noinfo
Total 32539 CVE
CVE  #Vendors Vendors  #Products Products  Updated  CVSS v2 (score, severity)  CVSS v3 (score, severity)
CVE-2022-25152 1 Itarian 2 On-premise, Saas Service Desk 2024-11-21 9.0 HIGH 9.9 CRITICAL
The ITarian platform (SaaS / on-premise) can run code on managed agents through a feature called procedures, and a mandatory approval step can be required before a procedure runs. Due to a flaw in that approval process, present in every version prior to 6.35.37347.20040, a malicious actor with a valid session token can create a procedure, bypass the approval, and execute it. As a result, any user holding a valid session token can achieve arbitrary code execution and full system takeover on all agents.
CVE-2022-25101 1 Wbce 1 Wbce Cms 2024-11-21 6.8 MEDIUM 7.8 HIGH
A vulnerability in the component /templates/install.php of WBCE CMS v1.5.2 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-25099 1 Wbce 1 Wbce Cms 2024-11-21 6.8 MEDIUM 7.8 HIGH
A vulnerability in the component /languages/index.php of WBCE CMS v1.5.2 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-25098 1 Ectouch 1 Ectouch 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
ECTouch v2 suffers from arbitrary file deletion due to insufficient filtering of the filename parameter.
CVE-2022-25095 1 Home Owners Collection Management System Project 1 Home Owners Collection Management System 2024-11-21 7.5 HIGH 9.8 CRITICAL
Home Owners Collection Management System v1.0 allows unauthenticated attackers to compromise user accounts via a crafted POST request.
CVE-2022-25094 1 Home Owners Collection Management System Project 1 Home Owners Collection Management System 2024-11-21 6.5 MEDIUM 8.8 HIGH
Home Owners Collection Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the parameter "cover" in SystemSettings.php.
CVE-2022-24974 1 Menlosecurity 1 Email Isolation 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Links may not be rewritten according to policy in some specially formatted emails.
CVE-2022-24972 1 Tp-link 2 Tl-wr940n, Tl-wr940n Firmware 2024-11-21 N/A 6.5 MEDIUM
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13911.
CVE-2022-24961 1 Portainer 1 Portainer 2024-11-21 7.5 HIGH 9.8 CRITICAL
In Portainer Agent before 2.11.1, the agent's API server keeps running even when it has not been associated with a Portainer instance for the past few days.
CVE-2022-24934 1 Wps 1 Wps Office 2024-11-21 7.5 HIGH 9.8 CRITICAL
wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.
CVE-2022-24929 1 Google 1 Android 2024-11-21 2.1 LOW 4.1 MEDIUM
An unprotected Activity in AppLock prior to SMR Mar-2022 Release 1 allows an attacker to change the list of locked apps without authentication.
CVE-2022-24928 1 Google 1 Android 2024-11-21 7.2 HIGH 5.9 MEDIUM
A security misconfiguration of RKP (Samsung's Real-time Kernel Protection) in the kernel prior to SMR Mar-2022 Release 1 can leave the system unprotected by RKP.
CVE-2022-24916 1 Optimism 1 Eth-optimism\/l2geth 2024-11-21 5.0 MEDIUM 7.5 HIGH
Optimism before @eth-optimism/l2geth@0.5.11 allows economic griefing because a balance is duplicated upon contract self-destruction.
CVE-2022-24905 1 Argoproj 1 Argo Cd 2024-11-21 2.6 LOW 4.3 MEDIUM
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign-on (SSO) is enabled. To exploit it, an attacker has to trick the victim into visiting a specially crafted URL that contains the message to be displayed. According to the Argo CD team's investigation, it is not possible to inject active content (e.g. JavaScript) or other HTML fragments (e.g. clickable links) into the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds.
CVE-2022-24822 1 Finn 2 Podium Layout, Podium Proxy 2024-11-21 5.0 MEDIUM 7.5 HIGH
Podium is a library for building micro frontends. @podium/layout is a module for building a Podium layout server, and @podium/proxy is a module for proxying HTTP requests from a layout server to a podlet server. In @podium/layout prior to version 4.6.110 and @podium/proxy prior to version 4.2.74, an attacker who sends a `Trailer` header as part of a request to a proxy endpoint can take down the server. All Podium layouts that include podlets with proxy endpoints are affected. `@podium/layout`, which is the main way developers/users are exposed to this issue, has been patched in version `4.6.110`; all earlier versions are vulnerable. `@podium/proxy`, which is the source of the vulnerability and is used by `@podium/layout`, has been patched in version `4.2.74`; all earlier versions are vulnerable. There is no practical workaround short of upgrading.
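Added example, not Podium's code. The entry does not say how a Trailer header brings the proxy down, but Trailer is one of the hop-by-hop headers (RFC 2616 section 13.5.1, RFC 7230 section 6.1) that a proxy must drop rather than copy onto the request it sends upstream. The Go function below strips that set, plus anything the client names in its own Connection header; the sample header set is constructed for the demonstration, and ForwardableHeaders and SampleHeaders are names chosen here.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// hopByHop lists the headers that belong to the connection in front of the
// proxy rather than to the end-to-end message (RFC 2616 s13.5.1, RFC 7230 s6.1).
// Trailer is one of them: it announces trailers on *this* connection's chunked
// body and means nothing on the outbound request the proxy builds.
var hopByHop = []string{
	"Connection",
	"Keep-Alive",
	"Proxy-Authenticate",
	"Proxy-Authorization",
	"Te",
	"Trailer",
	"Transfer-Encoding",
	"Upgrade",
}

// ForwardableHeaders returns a copy of in with all hop-by-hop headers removed,
// including any header the client itself declared hop-by-hop via Connection.
// The input header map is left untouched.
func ForwardableHeaders(in http.Header) http.Header {
	out := in.Clone()
	for _, name := range hopByHop {
		out.Del(name)
	}
	// "Connection: close, X-Debug-Token" marks X-Debug-Token as hop-by-hop too.
	for _, value := range in.Values("Connection") {
		for _, name := range strings.Split(value, ",") {
			if name = strings.TrimSpace(name); name != "" {
				out.Del(name)
			}
		}
	}
	return out
}

// SampleHeaders is a constructed inbound request header set (not captured
// traffic): two ordinary end-to-end headers plus several hop-by-hop headers
// a client could send against a proxy endpoint.
func SampleHeaders() http.Header {
	h := http.Header{}
	h.Set("Accept", "text/html")
	h.Set("Cookie", "session=abc123")
	h.Set("Trailer", "X-Checksum")
	h.Set("Transfer-Encoding", "chunked")
	h.Set("Connection", "close, X-Debug-Token")
	h.Set("X-Debug-Token", "1")
	return h
}

func main() {
	in := SampleHeaders()
	out := ForwardableHeaders(in)
	fmt.Println("inbound: ", in)
	fmt.Println("outbound:", out)
}
```

Go's httputil.ReverseProxy applies the same filter internally; a proxy assembled by hand on top of a raw HTTP client has to do it explicitly, and Trailer is the one most often forgotten because it is rare in normal traffic.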
CVE-2022-24753 2 Microsoft, Stripe 2 Windows, Stripe Cli 2024-11-21 4.4 MEDIUM 7.7 HIGH
Stripe CLI is a command-line tool for the Stripe eCommerce platform. A vulnerability in Stripe CLI exists on Windows when certain commands are run in a directory where an attacker has planted files. The commands are `stripe login`, `stripe config -e`, `stripe community`, and `stripe open`. macOS and Linux are unaffected. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the current user. The update addresses the vulnerability by throwing an error in these situations before the code can run. Users are advised to upgrade to version 1.7.13. There are no known workarounds for this issue.
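Added example, not Stripe's code. The entry says only that the affected commands run in a directory containing attacker-planted files; the classic way a planted file gets executed on Windows is a command name being resolved from the current directory instead of from a trusted PATH entry, and that is the mechanism assumed here. The Go program refuses any lookup result that points into the working directory, using exec.ErrDot (Go 1.19 and later) plus an explicit comparison against the cwd; SafeLookPath, ResolvesToDir and ErrUntrustedDir are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrUntrustedDir is returned when a command name resolves to a file in the
// directory the tool was started from, rather than to a trusted PATH entry.
var ErrUntrustedDir = errors.New("executable resolved from the current directory; refusing to run it")

// ResolvesToDir reports whether candidate, as returned by a PATH lookup, is a
// relative path or lies inside dir. Either means the lookup picked up a file
// relative to the working directory, which is where a planted file would sit.
func ResolvesToDir(candidate, dir string) bool {
	if !filepath.IsAbs(candidate) {
		return true
	}
	rel, err := filepath.Rel(dir, candidate)
	if err != nil {
		return false // different volume (Windows): cannot be inside dir
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeLookPath wraps exec.LookPath and refuses any result that came from the
// current directory. Go 1.19+ signals the implicit-cwd case with exec.ErrDot;
// the explicit comparison also catches an absolute PATH entry that happens to
// equal the working directory, which LookPath does not flag.
func SafeLookPath(name string) (string, error) {
	path, err := exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) {
		return "", ErrUntrustedDir
	}
	if err != nil {
		return "", err
	}
	cwd, err := os.Getwd()
	if err != nil {
		return "", err
	}
	if ResolvesToDir(path, cwd) {
		return "", ErrUntrustedDir
	}
	return path, nil
}

func main() {
	// Resolve each name given on the command line, e.g. ./checkpath git code
	for _, name := range os.Args[1:] {
		p, err := SafeLookPath(name)
		if err != nil {
			fmt.Printf("%-12s %v\n", name, err)
			continue
		}
		fmt.Printf("%-12s %s\n", name, p)
	}
}
```

Failing closed is the right default for a tool that launches helpers (browsers, editors) on the user's behalf: the error tells the user to fix PATH, which is what the patched CLI's "throw an error before the code can run" behaviour amounts to.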
CVE-2022-24696 1 Mirametrix 1 Glance 2024-11-21 4.6 MEDIUM 7.8 HIGH
Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a local attacker to elevate privileges. NOTE: this is unrelated to products from the glance.com and glance.net websites.
CVE-2022-24687 1 Hashicorp 1 Consul 2024-11-21 3.5 LOW 6.5 MEDIUM
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specially crafted service definition that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.
CVE-2022-24684 1 Hashicorp 1 Nomad 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and 1.2.5 allow operators with job-submit capabilities to use the spread stanza to crash server agents with a panic. Fixed in 1.0.18, 1.1.12, and 1.2.6.
CVE-2022-24683 1 Hashicorp 1 Nomad 2024-11-21 7.8 HIGH 7.5 HIGH
HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5 allow operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root.
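Added example, not Nomad's code. The entry does not say how a read-fs request reaches files outside the allocation; one way a file-serving endpoint escapes its directory is a symlink inside that directory pointing elsewhere, which is what this example assumes. The Go function resolves the client-supplied path with every symlink followed and refuses it unless the final target is still under the root; ResolveWithinRoot, ReadWithinRoot and ErrOutsideRoot are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the requested path, after symlink
// resolution, does not live under the allocation directory.
var ErrOutsideRoot = errors.New("path resolves outside the allocation directory")

// ResolveWithinRoot maps a client-supplied path to an absolute path under root
// and rejects it unless the *final* target, with every symlink followed, is
// still inside root. Lexical cleanup alone is not enough: a symlink inside
// root can point at /etc/shadow while still looking like a relative path.
func ResolveWithinRoot(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absRoot, err = filepath.EvalSymlinks(absRoot) // root itself may be a symlink
	if err != nil {
		return "", err
	}
	// Rooting the cleaned path at "/" first turns "../../etc/passwd" into
	// "/etc/passwd", so the join can never climb above absRoot lexically.
	candidate := filepath.Join(absRoot, filepath.Clean("/"+userPath))
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err // missing file or dangling link: nothing to serve
	}
	rel, err := filepath.Rel(absRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// ReadWithinRoot is the read-fs style operation built on the check above.
func ReadWithinRoot(root, userPath string) ([]byte, error) {
	p, err := ResolveWithinRoot(root, userPath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: readfs <alloc-dir> <path-inside-alloc>")
		os.Exit(2)
	}
	data, err := ReadWithinRoot(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "refused:", err)
		os.Exit(1)
	}
	os.Stdout.Write(data)
}
```

Caveat: there is a window between EvalSymlinks and ReadFile in which a link can be swapped, so a process that serves files as root from a directory a less trusted party can write to should also drop privileges before the read or, on Linux, open with openat2 and RESOLVE_BENEATH so the kernel enforces the containment atomically.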