‼ CVE-2022-24188 ‼
📖 Read
via "National Vulnerability Database".
The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24189 ‼
📖 Read
via "National Vulnerability Database".
The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46147 ‼
📖 Read
via "National Vulnerability Database".
Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45442 ‼
📖 Read
via "National Vulnerability Database".
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3088 ‼
📖 Read
via "National Vulnerability Database".
UC-8100A-ME-T System Image: Versions v1.0 to v1.6, UC-2100 System Image: Versions v1.0 to v1.12, UC-2100-W System Image: Versions v1.0 to v 1.12, UC-3100 System Image: Versions v1.0 to v1.6, UC-5100 System Image: Versions v1.0 to v1.4, UC-8100 System Image: Versions v3.0 to v3.5, UC-8100-ME-T System Image: Versions v3.0 and v3.1, UC-8100A-ME-T System Image: Versions v1.0 to v1.6, UC-8200 System Image: v1.0 to v1.5, AIG-300 System Image: v1.0 to v1.4, UC-8410A with Debian 9 System Image: Versions v4.0.2 and v4.1.2, UC-8580 with Debian 9 System Image: Versions v2.0 and v2.1, UC-8540 with Debian 9 System Image: Versions v2.0 and v2.1, and DA-662C-16-LX (GLB) System Image: Versions v1.0.2 to v1.1.2 of Moxa's ARM-based computers have an execution with unnecessary privileges vulnerability, which could allow an attacker with user-level privileges to gain root privileges.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-4128 ‼
📖 Read
via "National Vulnerability Database".
A NULL pointer dereference issue was discovered in the Linux kernel in the MPTCP protocol when traversing the subflow list at disconnect time. A local user could use this flaw to potentially crash the system causing a denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44937 ‼
📖 Read
via "National Vulnerability Database".
Bosscms v2.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Add function under the Administrator List module.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42100 ‼
📖 Read
via "National Vulnerability Database".
KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location input reply-form.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45306 ‼
📖 Read
via "National Vulnerability Database".
Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42099 ‼
📖 Read
via "National Vulnerability Database".
KLiK SocialMediaWebsite Version 1.0.1 has XSS vulnerabilities that allow attackers to store XSS via location Forum Subject input.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41568 ‼
📖 Read
via "National Vulnerability Database".
LINE client for iOS before 12.17.0 might be crashed by sharing an invalid shared key of e2ee in group chat.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44038 ‼
📖 Read
via "National Vulnerability Database".
Russound XSourcePlayer 777D v06.08.03 was discovered to contain a remote code execution vulnerability via the scriptRunner.cgi component.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45329 ‼
📖 Read
via "National Vulnerability Database".
AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40799 ‼
📖 Read
via "National Vulnerability Database".
Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45307 ‼
📖 Read
via "National Vulnerability Database".
Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44037 ‼
📖 Read
via "National Vulnerability Database".
An access control issue in APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights without authenticating allows him to perform multiple attacks, such as attacking wireless network in the product's range.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45204 ‼
📖 Read
via "National Vulnerability Database".
GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a memory leak via the function dimC_box_read at isomedia/box_code_3gpp.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45305 ‼
📖 Read
via "National Vulnerability Database".
Insecure permissions in Chocolatey Python3 package v3.11.0 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\Python311 and all files located in that folder.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32966 ‼
📖 Read
via "National Vulnerability Database".
RTL8168FP-CG Dash remote management function has missing authorization. An unauthenticated attacker within the adjacent network can connect to DASH service port to disrupt service.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32967 ‼
📖 Read
via "National Vulnerability Database".
RTL8111EP-CG/RTL8111FP-CG DASH function has hard-coded password. An unauthenticated physical attacker can use the hard-coded default password during system reboot triggered by other user, to acquire partial system information such as serial number and server information.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36137 ‼
📖 Read
via "National Vulnerability Database".
ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.📖 Read
via "National Vulnerability Database".