‼ CVE-2022-4004 ‼
📖 Read
via "National Vulnerability Database".
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any users with an account on the affected site, like subscribers, to use the plugin's Twilio integration to send SMSes to arbitrary phone numbers.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4016 ‼
📖 Read
via "National Vulnerability Database".
The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.6, Booster Elite for WooCommerce WordPress plugin before 1.1.8 does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins create and delete arbitrary custom roles via CSRF attacks📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3908 ‼
📖 Read
via "National Vulnerability Database".
The Helloprint WordPress plugin before 1.4.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3359 ‼
📖 Read
via "National Vulnerability Database".
The Shortcodes and extra features for Phlox WordPress plugin through 2.10.5 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4314 ‼
📖 Read
via "National Vulnerability Database".
Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3946 ‼
📖 Read
via "National Vulnerability Database".
The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3879 ‼
📖 Read
via "National Vulnerability Database".
The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4312 ‼
📖 Read
via "National Vulnerability Database".
A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. This could allow an unauthorized user with access the email and short messaging service (SMS) accounts configuration files to discover the associated simple mail transfer protocol (SMTP) account credentials and the SIM card PIN code. Successful exploitation of this vulnerability could allow an unauthorized user access to the underlying email account and SIM card.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3982 ‼
📖 Read
via "National Vulnerability Database".
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3906 ‼
📖 Read
via "National Vulnerability Database".
The Easy Form Builder WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3609 ‼
📖 Read
via "National Vulnerability Database".
The GetYourGuide Ticketing WordPress plugin before 1.0.4 does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45275 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42716 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the Arm Mali GPU Kernel Driver. There is a use-after-free. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r4p0 through r32p0, Bifrost r1p0 through r40p0, and Valhall r19p0 through r40P0.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46904 ‼
📖 Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Self-XSS.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41263 ‼
📖 Read
via "National Vulnerability Database".
Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0925 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46903 ‼
📖 Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Stored XSS.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41262 ‼
📖 Read
via "National Vulnerability Database".
Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41261 ‼
📖 Read
via "National Vulnerability Database".
SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46905 ‼
📖 Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an unauthenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46906 ‼
📖 Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS.📖 Read
via "National Vulnerability Database".