βΌ CVE-2022-1658 βΌ
π Read
via "National Vulnerability Database".
Vulnerable versions of the Jupiter Theme (<= 6.10.1) allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31759 βΌ
π Read
via "National Vulnerability Database".
AppLink has a vulnerability of accessing uninitialized pointers. Successful exploitation of this vulnerability may affect system availability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30309 βΌ
π Read
via "National Vulnerability Database".
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesnΓΒ’Γ’β¬ÒβΒ’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31751 βΌ
π Read
via "National Vulnerability Database".
The kernel emcom module has multi-thread contention. Successful exploitation of this vulnerability may affect system availability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31756 βΌ
π Read
via "National Vulnerability Database".
The fingerprint sensor module has design defects. Successful exploitation of this vulnerability may affect data confidentiality.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31758 βΌ
π Read
via "National Vulnerability Database".
The kernel module has the race condition vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31762 βΌ
π Read
via "National Vulnerability Database".
The AMS module has a vulnerability in input validation. Successful exploitation of this vulnerability may cause privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29244 βΌ
π Read
via "National Vulnerability Database".
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30308 βΌ
π Read
via "National Vulnerability Database".
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesnΓΒ’Γ’β¬ÒβΒ’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1657 βΌ
π Read
via "National Vulnerability Database".
Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1961 βΌ
π Read
via "National Vulnerability Database".
The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the `gtm4wp-options[scroller-contentid]` parameter found in the `~/public/frontend.php` file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1659 βΌ
π Read
via "National Vulnerability Database".
Vulnerable versions of the JupiterX Core (<= 2.0.6) plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter. This can be used to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1654 βΌ
π Read
via "National Vulnerability Database".
Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the "abb_uninstall_template" (both) and "jupiterx_core_cp_uninstall_template" (JupiterX Core Only) AJAX actionsπ Read
via "National Vulnerability Database".
βΌ CVE-2022-30311 βΌ
π Read
via "National Vulnerability Database".
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesnΓΒ’Γ’β¬ÒβΒ’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24077 βΌ
π Read
via "National Vulnerability Database".
Naver Cloud Explorer Beta allows the attacker to execute arbitrary code as System privilege via malicious DLL injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1749 βΌ
π Read
via "National Vulnerability Database".
The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46814 βΌ
π Read
via "National Vulnerability Database".
The video framework has an out-of-bounds memory read/write vulnerability. Successful exploitation of this vulnerability may affect system availability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31763 βΌ
π Read
via "National Vulnerability Database".
The kernel module has the null pointer and out-of-bounds array vulnerabilities. Successful exploitation of this vulnerability may affect system availability.π Read
via "National Vulnerability Database".
β Youβre invited! Join us for a live walkthrough of the βFollinaβ storyβ¦ β
π Read
via "Naked Security".
Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!π Read
via "Naked Security".
Sophos News
Youβre invited! Join us for a live walkthrough of the βFollinaβ storyβ¦
Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!
βΌ CVE-2021-46811 βΌ
π Read
via "National Vulnerability Database".
HwSEServiceAPP has a vulnerability in permission management. Successful exploitation of this vulnerability may cause disclosure of the Card Production Life Cycle (CPLC) information.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23168 βΌ
π Read
via "National Vulnerability Database".
The attacker could get access to the database. The SQL injection is in the username parameter at the login panel: username: admin'--π Read
via "National Vulnerability Database".