🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-24795 ‼

yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32-bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64-bit platforms; however, this does not preclude the issue from triggering on 32-bit builds, on which `size_t` is a 32-bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution to be unlikely. A patch is available and anticipated to be part of version 1.4.2. As a workaround, avoid passing large inputs to YAJL.

via "National Vulnerability Database".
‼ CVE-2022-22355 ‼

IBM MQ Appliance 9.2 CD and 9.2 LTS are vulnerable to a denial of service in the Login component of the application which could allow an attacker to cause a drop in performance.

via "National Vulnerability Database".
‼ CVE-2022-27463 ‼

Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6 allows attackers to arbitrarily redirect users from a crafted URL to the login page.

via "National Vulnerability Database".
‼ CVE-2022-0602 ‼

Cross-site Scripting (XSS) - DOM in GitHub repository tastyigniter/tastyigniter prior to 3.3.0.

via "National Vulnerability Database".
‼ CVE-2022-27462 ‼

Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php.

via "National Vulnerability Database".
‼ CVE-2022-22356 ‼

IBM MQ Appliance 9.2 CD and 9.2 LTS could allow an attacker to enumerate account credentials due to an observable discrepancy in valid and invalid login attempts. IBM X-Force ID: 220487.

via "National Vulnerability Database".
‼ CVE-2021-30080 ‼

An issue was discovered in the route lookup process in beego through 2.0.1, which allows attackers to bypass access control.

via "National Vulnerability Database".
‼ CVE-2021-27116 ‼

An issue was discovered in file profile.go in function MemProf in beego through 2.0.2, which allows attackers to launch symlink attacks locally.

via "National Vulnerability Database".
‼ CVE-2021-41752 ‼

Stack overflow vulnerability in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021 due to an unbounded recursive call to the new opt() function.

via "National Vulnerability Database".
‼ CVE-2021-27117 ‼

An issue was discovered in file profile.go in function GetCPUProfile in beego through 2.0.2, which allows attackers to launch symlink attacks locally.

via "National Vulnerability Database".
‼ CVE-2021-28428 ‼

File upload vulnerability in HorizontCMS before 1.0.0-beta.3 via uploading a .htaccess file and *.hello files using the Media Files upload functionality. The original file upload vulnerability (CVE-2020-27387) was remediated by restricting the PHP extensions; however, we confirmed that the filter was bypassed via uploading an arbitrary .htaccess file and *.hello files in order to execute PHP code to gain RCE.

via "National Vulnerability Database".
‼ CVE-2022-24978 ‼

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

via "National Vulnerability Database".
‼ CVE-2022-25245 ‼

Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

via "National Vulnerability Database".
‼ CVE-2022-26630 ‼

Jellycms v3.8.1 and below was discovered to contain an arbitrary file upload vulnerability via \app.\admin\Controllers\db.php.

via "National Vulnerability Database".
‼ CVE-2022-28219 ‼

Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

via "National Vulnerability Database".
‼ CVE-2022-28651 ‼

In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields.

via "National Vulnerability Database".
‼ CVE-2022-24811 ‼

Combodo iTop is a web-based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

via "National Vulnerability Database".
‼ CVE-2022-28648 ‼

In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered.

via "National Vulnerability Database".
‼ CVE-2022-1244 ‼

Heap-buffer-overflow in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of inducing denial of service.

via "National Vulnerability Database".
‼ CVE-2022-25373 ‼

Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.

via "National Vulnerability Database".
‼ CVE-2022-24780 ‼

Combodo iTop is a web-based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific HTTP queries, and execute arbitrary code on the server using HTTP server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

via "National Vulnerability Database".