‼ CVE-2022-39200 ‼
📖 Read
via "National Vulnerability Database".
Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38606 ‼
📖 Read
via "National Vulnerability Database".
Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editcategory.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36102 ‼
📖 Read
via "National Vulnerability Database".
Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38135 ‼
📖 Read
via "National Vulnerability Database".
Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 at WordPress allows users with subscriber or higher role to change plugin settings.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36173 ‼
📖 Read
via "National Vulnerability Database".
FreshService macOS Agent < 4.4.0 and FreshServce Linux Agent < 3.4.0 are vulnerable to TLS Man-in-The-Middle via the FreshAgent client and scheduled update service.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29490 ‼
📖 Read
via "National Vulnerability Database".
Improper Authorization vulnerability exists in the Workplace X WebUI of the Hitachi Energy MicroSCADA X SYS600 allows an authenticated user to execute any MicroSCADA internal scripts irrespective of the authenticated user's role. This issue affects: Hitachi Energy MicroSCADA X SYS600 version 10 to version 10.3.1. cpe:2.3:a:hitachienergy:microscada_x_sys600:10:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.1.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36174 ‼
📖 Read
via "National Vulnerability Database".
FreshService Windows Agent < 2.11.0 and FreshService macOS Agent < 4.2.0 and FreshService Linux Agent < 3.3.0. are vulnerable to Broken integrity checking via the FreshAgent client and scheduled update service.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38610 ‼
📖 Read
via "National Vulnerability Database".
Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editclient.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-44425 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.3. An unnecessarily open listening port on a machine in the LAN of an attacker, opened by the Anydesk Windows client when using the tunneling feature, allows the attacker unauthorized access to the local machine's AnyDesk tunneling protocol stack (and also to any remote destination machine software that is listening to the AnyDesk tunneled port).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2979 ‼
📖 Read
via "National Vulnerability Database".
Opening a specially crafted file could cause the affected product to fail to release its memory reference potentially resulting in arbitrary code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36101 ‼
📖 Read
via "National Vulnerability Database".
Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are advised to update and may get the update either via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38291 ‼
📖 Read
via "National Vulnerability Database".
SLiMS Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Search function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search bar.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38292 ‼
📖 Read
via "National Vulnerability Database".
SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38296 ‼
📖 Read
via "National Vulnerability Database".
Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38297 ‼
📖 Read
via "National Vulnerability Database".
UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38299 ‼
📖 Read
via "National Vulnerability Database".
An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38304 ‼
📖 Read
via "National Vulnerability Database".
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_leave_type.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35572 ‼
📖 Read
via "National Vulnerability Database".
On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower, (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retrieves WPA passwords, SSIDs, MAC Addresses, serial numbers, WPS Pins, and hardware/firmware versions, and prints this information into the web page. This web page is visible when remote management is enabled. A user who has access to the web interface of the device can extract these secrets. If the device has remote management enabled and is connected directly to the internet, this vulnerability is exploitable over the internet without interaction.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38302 ‼
📖 Read
via "National Vulnerability Database".
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_department.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38303 ‼
📖 Read
via "National Vulnerability Database".
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /employees/manage_leave_type.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38298 ‼
📖 Read
via "National Vulnerability Database".
Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint.📖 Read
via "National Vulnerability Database".