🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
CVE-2022-3297

Use After Free in GitHub repository vim/vim prior to 9.0.0579.

📖 Read

via "National Vulnerability Database".
CVE-2022-41343

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

📖 Read

via "National Vulnerability Database".
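The Dompdf entry above describes a fail-open check: the font URI is validated, the validation fails, and registration goes ahead anyway. The following added example (not Dompdf's code, and not from the advisory) parses `@font-face` rules out of a stylesheet and registers the font sources two ways, the fail-open way the advisory describes and the fail-closed way, so the difference in outcome is visible on a constructed stylesheet. The allowed-scheme policy (`https` only) and the regexes are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Minimal CSS extraction; assumed for this example, not Dompdf's parser.
FONT_FACE_RE = re.compile(r"@font-face\s*\{(?P<body>[^}]*)\}")
FAMILY_RE = re.compile(r"font-family\s*:\s*['\"]?(?P<family>[^;'\"]+)")
SRC_URL_RE = re.compile(r"url\(\s*['\"]?(?P<url>[^'\")]+)['\"]?\s*\)")

ALLOWED_SCHEMES = {"https"}  # assumed policy for this example


def validate_font_uri(url: str):
    """Return an error string describing why `url` is rejected, or None if acceptable."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parsed.scheme or '(none)'!r} not allowed"
    if not parsed.netloc:
        return "missing host"
    return None


def register_fonts(css: str, fail_open: bool = False):
    """Extract @font-face sources and register them.

    fail_open=True reproduces the pattern the advisory describes: a failed URI
    check is recorded as a warning but does not stop the font being registered,
    so any later fetch/include step would still run on the rejected URI.
    fail_open=False halts registration of that font as soon as validation fails.
    Returns (registered: dict family -> url, warnings: list of str).
    """
    registered, warnings = {}, []
    for rule in FONT_FACE_RE.finditer(css):
        body = rule.group("body")
        fam, src = FAMILY_RE.search(body), SRC_URL_RE.search(body)
        if not (fam and src):
            continue
        family = fam.group("family").strip()
        url = src.group("url").strip()
        error = validate_font_uri(url)
        if error:
            warnings.append(f"{family}: {url}: {error}")
            if not fail_open:
                continue  # fail closed: nothing below runs for a rejected URI
        registered[family] = url  # reached for a rejected URI only when fail_open=True
    return registered, warnings


# Constructed sample stylesheet; the hosts are placeholders, not real servers.
SAMPLE_CSS = """
@font-face { font-family: 'Evil'; src: url(http://attacker.example/evil.ttf); }
@font-face { font-family: "Good"; src: url("https://fonts.example/good.woff2"); }
@font-face { font-family: Local; src: url(file:///etc/passwd); }
"""

if __name__ == "__main__":
    for mode in (True, False):
        fonts, warns = register_fonts(SAMPLE_CSS, fail_open=mode)
        print(f"fail_open={mode}: registered={sorted(fonts)} warnings={len(warns)}")
```

With `fail_open=True` all three families end up registered even though two of them produced warnings; with `fail_open=False` only the `https` source survives. The point to take from it when reviewing similar code is that a validator which returns a status the caller can ignore needs an early `return`/`continue` on the failure path, not just a log line.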
CVE-2022-41347

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.

📖 Read

via "National Vulnerability Database".
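The Zimbra sudo entry comes down to a sudoers rule that names a binary but no argument list, which in sudoers grammar means any arguments are permitted. The following added audit script (not Zimbra's configuration or code) parses sudoers-style lines and flags rules that let a non-root user run a command as root with unrestricted arguments. The sample rules, the `/opt/zimbra/common/sbin/nginx` path and the config file path are constructed for the example, and the parser handles the common `user host=(runas) TAG: cmd, cmd` form only, not aliases or `#include`.

```python
import re

# user host=(runas[:group]) [TAG:...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str):
    """Return one dict per command spec found in `text`.

    args is None when the rule names the command with no argument list,
    which sudoers interprets as "any arguments"; a literal "" means "no
    arguments"; anything else is a fixed/wildcard argument pattern.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Default runas user is root when no (runas) is given.
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if not spec:
                continue
            parts = spec.split(None, 1)
            rules.append({
                "user": m.group("user"),
                "runas": runas,
                "path": parts[0],
                "args": parts[1].strip() if len(parts) > 1 else None,
                "nopasswd": "NOPASSWD:" in m.group("tags"),
            })
    return rules


def unrestricted_root_commands(rules):
    """Rules where a non-root user may run a command as root with any argv."""
    return [
        r for r in rules
        if r["user"] != "root" and r["runas"] in ("root", "ALL") and r["args"] is None
    ]


# Constructed sample; the paths are placeholders modelled on the advisory, not a real sudoers.
SAMPLE_SUDOERS = """
# arbitrary parameters: attacker-controlled -c <config> loads modules as root
zimbra ALL=(root) NOPASSWD: /opt/zimbra/common/sbin/nginx
# same binary, argument list pinned to the intended config
zimbra ALL=(root) NOPASSWD: /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
# "" means the command may only be run with no arguments
backup ALL=(root) NOPASSWD: /usr/bin/rsync ""
# unrestricted, but not as root
www ALL=(www-data) NOPASSWD: /usr/bin/php
"""

if __name__ == "__main__":
    for r in unrestricted_root_commands(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{r['user']} -> {r['runas']}: {r['path']} (any arguments)")
```

Pinning the argument list is the narrow fix the script checks for; whether a pinned config path is enough also depends on whether the invoking user can write to that file or to any `include`d file or module directory, which is a separate check.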
CVE-2022-41352

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio.

📖 Read

via "National Vulnerability Database".
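The cpio entry above is an archive path-traversal problem: entry names are extracted as written, so a name that climbs out of the extraction directory lands elsewhere on disk. The following added example (not Zimbra's or amavisd's code) parses the cpio "newc" (SVR4, `070701`) format and flags entries whose names are absolute or resolve above the extraction root, which is the pre-extraction check a mail scanner or upload handler would want regardless of which extractor it calls. The archive builder exists only to construct test input inline; the entry names are placeholders modelled on the path the advisory names.

```python
import posixpath

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 ASCII hex digits
TRAILER = "TRAILER!!!"


def _pad4(n: int) -> int:
    """newc pads the name and the file data to 4-byte boundaries."""
    return (n + 3) & ~3


def build_newc(entries):
    """Build a newc archive from (name, data) pairs. Constructed test input only."""
    out = bytearray()
    for ino, (name, data) in enumerate(entries + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\0"
        mode = 0 if name == TRAILER else 0o100644
        # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        chunk = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
        chunk += b"\0" * (_pad4(len(chunk)) - len(chunk))
        chunk += data + b"\0" * (_pad4(len(data)) - len(data))
        out += chunk
    return bytes(out)


def iter_newc(blob: bytes):
    """Yield (name, data) for each entry up to the trailer; raise on a bad magic."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        fields = [int(blob[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        data_start = _pad4(name_start + namesize)
        if name == TRAILER:
            return
        yield name, blob[data_start:data_start + filesize]
        off = _pad4(data_start + filesize)


def is_unsafe_path(name: str) -> bool:
    """True if extracting `name` relative to a directory could write outside it."""
    if not name or name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def find_traversal(blob: bytes):
    """Names in the archive that must not be extracted as-is."""
    return [name for name, _ in iter_newc(blob) if is_unsafe_path(name)]


# Constructed archive: one benign entry, two traversal attempts, one that only
# looks suspicious but normalises to a path inside the extraction directory.
SAMPLE_ARCHIVE = build_newc([
    ("msg.eml", b"hello"),
    ("../../opt/zimbra/jetty/webapps/zimbra/public/x.jsp", b"<% %>"),
    ("/etc/cron.d/job", b"* * * * * root id\n"),
    ("safe/../still/inside.txt", b"ok"),
])

if __name__ == "__main__":
    for name in find_traversal(SAMPLE_ARCHIVE):
        print("refusing to extract:", name)
```

Rejecting the archive outright is the simpler policy for a mail pipeline; an extractor that instead rewrites names should normalise first and then re-check, since `a/../../b` only reveals itself after normalisation. The check here is on the archive's own names and says nothing about symlink entries, which need a separate rule if the extractor follows them.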
CVE-2022-36159

Contec FXA3200 version 1.13 and under were discovered to contain a hard-coded password hash for root stored in /etc/shadow. Because the password is weak, the hash can be cracked in a few minutes. With this credential, a malicious actor can access the Wireless LAN Manager interface, open the telnet port, and then sniff traffic or inject malware.

📖 Read

via "National Vulnerability Database".
CVE-2022-36158

Contec FXA3200 version 1.13.00 and under suffers from Insecure Permissions in the Wireless LAN Manager interface which allows malicious actors to execute Linux commands with root privilege via a hidden web page (/usr/www/ja/mnt_cmd.cgi).

📖 Read

via "National Vulnerability Database".
CVE-2022-3301

Improper Cleanup on Thrown Exception in GitHub repository ikus060/rdiffweb prior to 2.4.8.

📖 Read

via "National Vulnerability Database".
CVE-2022-38553

Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.

📖 Read

via "National Vulnerability Database".
CVE-2022-38970

ieGeek IG20 hipcam RealServer V1.0 is vulnerable to Incorrect Access Control. The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices.

📖 Read

via "National Vulnerability Database".
🗓️ Java template framework Pebble vulnerable to command injection 🗓️

Issue is still unpatched, but workarounds are available

📖 Read

via "The Daily Swig".
CVE-2022-3024

The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation or CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues.

📖 Read

via "National Vulnerability Database".
CVE-2022-1755

The SVG Support WordPress plugin before 2.5 does not properly handle SVG added via a URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.

📖 Read

via "National Vulnerability Database".
CVE-2022-40924

Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_animal" file of the "Animals" module in the background management system.

📖 Read

via "National Vulnerability Database".
CVE-2022-3119

The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation or CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to be authenticated as admin if they know the correct email address.

📖 Read

via "National Vulnerability Database".
CVE-2022-3135

The SEO Smart Links WordPress plugin through 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

📖 Read

via "National Vulnerability Database".
CVE-2022-3070

The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

📖 Read

via "National Vulnerability Database".
CVE-2022-2352

The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example.

📖 Read

via "National Vulnerability Database".
CVE-2022-40927

Online Leave Management System v1.0 is vulnerable to SQL Injection via /leave_system/classes/Master.php?f=delete_designation.

📖 Read

via "National Vulnerability Database".
CVE-2022-2903

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

📖 Read

via "National Vulnerability Database".
CVE-2022-40925

Zoo Management System v1.0 has an arbitrary file upload vulnerability in the picture upload point of the "save_event" file of the "Events" module in the background management system.

📖 Read

via "National Vulnerability Database".
CVE-2022-40926

Online Leave Management System v1.0 is vulnerable to SQL Injection via /leave_system/classes/Master.php?f=delete_leave_type.

📖 Read

via "National Vulnerability Database".