‼ CVE-2022-47949 ‼
📖 Read
via "National Vulnerability Database".
The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code via a large UDP packet that causes a buffer overflow, aka ENLBufferPwn. The victim must join a game session with the attacker. Other affected products include Mario Kart 7 before 1.2, Mario Kart 8, Mario Kart 8 Deluxe before 2.1.0, ARMS before 5.4.1, Splatoon, Splatoon 2 before 5.5.1, Splatoon 3 before late 2022, Super Mario Maker 2 before 3.0.2, and Nintendo Switch Sports before late 2022.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44640 ‼
📖 Read
via "National Vulnerability Database".
Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45896 ‼
📖 Read
via "National Vulnerability Database".
Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44017 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Simmeth Lieferantenmanager before 5.6. Due to errors in session management, an attacker can log back into a victim's account after the victim logged out - /LMS/LM/#main can be used for this. This is due to the credentials not being cleaned from the local storage after logout.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44016 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can download arbitrary files from the web server by abusing an API call: /DS/LM_API/api/ConfigurationService/GetImages with an '"ImagesPath":"C:\\"' value.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44013 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can make various API calls without authentication because the password in a Credential Object is not checked.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44380 ‼
📖 Read
via "National Vulnerability Database".
Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45892 ‼
📖 Read
via "National Vulnerability Database".
In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44015 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can inject raw SQL queries. By activating MSSQL features, the attacker is able to execute arbitrary commands on the MSSQL server via the xp_cmdshell extended procedure.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44381 ‼
📖 Read
via "National Vulnerability Database".
Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42953 ‼
📖 Read
via "National Vulnerability Database".
Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44014 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Simmeth Lieferantenmanager before 5.6. In the design of the API, a user is inherently able to fetch arbitrary SQL tables. This leaks all user passwords and MSSQL hashes via /DS/LM_API/api/SelectionService/GetPaggedTab.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45891 ‼
📖 Read
via "National Vulnerability Database".
Planet eStream before 6.72.10.07 allows attackers to call restricted functions, and perform unauthenticated uploads (Upload2.ashx) or access content uploaded by other users (View.aspx after Ajax.asmx/SaveGrantAccessList).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45893 ‼
📖 Read
via "National Vulnerability Database".
Planet eStream before 6.72.10.07 allows a low-privileged user to gain access to administrative and high-privileged user accounts by changing the value of the ON cookie. A brute-force attack can calculate a value that provides permanent access.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45894 ‼
📖 Read
via "National Vulnerability Database".
GetFile.aspx in Planet eStream before 6.72.10.07 allows ..\ directory traversal to read arbitrary local files.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45889 ‼
📖 Read
via "National Vulnerability Database".
Planet eStream before 6.72.10.07 allows a remote attacker (who is a publisher or admin) to obtain access to all records stored in the database, and achieve the ability to execute arbitrary SQL commands, via Search (the StatisticsResults.aspx flt parameter).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45197 ‼
📖 Read
via "National Vulnerability Database".
Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45895 ‼
📖 Read
via "National Vulnerability Database".
Planet eStream before 6.72.10.07 discloses sensitive information, related to the ON cookie (findable in HTML source code for Default.aspx in some situations) and the WhoAmI endpoint (e.g., path disclosure).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44012 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId in Simmeth Lieferantenmanager before 5.6. An attacker can execute JavaScript code in the browser of the victim if a site is loaded. The victim's encrypted password can be stolen and most likely be decrypted.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45890 ‼
📖 Read
via "National Vulnerability Database".
In Planet eStream before 6.72.10.07, a Reflected Cross-Site Scripting (XSS) vulnerability exists via any metadata filter field (e.g., search within Default.aspx with the r or fo parameter).📖 Read
via "National Vulnerability Database".
‼ CVE-2019-25084 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in Hide Files on GitHub up to 2.x. This issue affects the function addEventListener of the file extension/options.js. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is 9de0c57df81db1178e0e79431d462f6d9842742e. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216767.📖 Read
via "National Vulnerability Database".