CVE-2022-3258
via "National Vulnerability Database".
Incorrect Permission Assignment for Critical Resource vulnerability in HYPR Workforce Access on Windows allows Authentication Abuse.
CVE-2022-3852
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete and modify calendars as well as the plugin settings, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-43372
Emlog Pro v1.7.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability at /admin/store.php.
CVE-2022-42750
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.
CVE-2022-3675
Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments. Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, reverting any security fixes that have recently been applied to the machine. A password is still required to modify kernel command-line arguments and to access the GRUB command line.
CVE-2022-42751
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows an attacker to persuade an administrator to create a new account with administrative permissions.
CVE-2022-40131
Cross-Site Request Forgery (CSRF) vulnerability in a3rev Software Page View Count plugin <= 2.5.5 on WordPress allows an attacker to reset the plugin settings.
CVE-2022-36404
Auth. (subscriber+) Broken Access Control vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemaps.
CVE-2022-40276
Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them.
CVE-2022-43061
Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /operations/travellers.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-41713
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2021-44862
Netskope client is impacted by a vulnerability where an authenticated, local attacker can view sensitive information stored in NSClient logs which should be restricted. The vulnerability exists because the sensitive information is not masked/scrubbed before writing in the logs. A malicious user can use the sensitive information to download data and impersonate another user.
CVE-2022-42745
CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.
CVE-2022-42743
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-44628
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in JumpDEMAND Inc. 4ECPS Web Forms plugin <= 0.2.17 on WordPress.
CVE-2022-44627
Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemaps.
CVE-2022-43063
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Users.php?f=delete_client.
CVE-2022-43574
IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could allow access to application configurations. IBM X-Force ID: 238679.
CVE-2022-43495
OpenHarmony-v3.1.2 and prior versions had a DOS vulnerability in distributedhardware_device_manager when joining a network. Network attackers can send an abnormal packet when joining a network, causing a nullptr reference and device reboot.
CVE-2022-41714
fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-42746
CandidATS version 3.0.0, on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.