Search Results (10153 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2367 | 1 Wsm Downloader Project | 1 Wsm Downloader | 2024-11-21 | 7.5 High |
| The WSM Downloader WordPress plugin through 1.4.0 allows images/files to be downloaded only from specific popular websites; this restriction can be bypassed due to the lack of proper validation of the "link" parameter. | ||||
| CVE-2022-2330 | 2 Mcafee, Microsoft | 2 Data Loss Prevention Endpoint, Windows | 2024-11-21 | 6.5 Medium |
| Improper Restriction of XML External Entity Reference vulnerability in DLP Endpoint for Windows prior to 11.9.100 allows a remote attacker to cause the DLP Agent to access a local service that the attacker wouldn't usually have access to via a carefully constructed XML file, which the DLP Agent doesn't parse correctly. | ||||
| CVE-2022-2312 | 1 Student Result Or Employee Database Project | 1 Student Result Or Employee Database | 2024-11-21 | 5.4 Medium |
| The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF checks in its AJAX actions, allowing attackers to make a logged-in user with a role as low as Contributor add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting. | ||||
| CVE-2022-2306 | 1 Heroiclabs | 1 Nakama | 2024-11-21 | 7.5 High |
| Old session tokens can be used to authenticate to the application and send authenticated requests. | ||||
| CVE-2022-2252 | 1 Microweber | 1 Microweber | 2024-11-21 | 6.1 Medium |
| Open Redirect in GitHub repository microweber/microweber prior to 1.2.19. | ||||
| CVE-2022-2250 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.7 Medium |
| An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL. | ||||
| CVE-2022-2243 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5 Medium |
| An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects. | ||||
| CVE-2022-2198 | 1 2code | 1 Wpqa Builder | 2024-11-21 | 4.3 Medium |
| The WPQA Builder WordPress plugin before 5.7, which is a companion plugin to Hilmer and Discy, does not check authorization before displaying private messages, allowing any logged-in user to read other users' private messages using the message ID, which can easily be brute-forced. | ||||
| CVE-2022-2193 | 1 Hypr | 1 Hypr Server | 2024-11-21 | 7.5 High |
| Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1. | ||||
| CVE-2022-2191 | 2 Eclipse, Redhat | 2 Jetty, Amq Streams | 2024-11-21 | 7.5 High |
| In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool in error code paths. | ||||
| CVE-2022-2132 | 4 Debian, Dpdk, Fedoraproject and 1 more | 15 Debian Linux, Data Plane Development Kit, Fedora and 12 more | 2024-11-21 | 8.6 High |
| A permissive list of allowed inputs flaw was found in DPDK. This issue allows a remote attacker to cause a denial of service triggered by sending a crafted Vhost header to DPDK. | ||||
| CVE-2022-2131 | 1 Openkm | 1 Openkm | 2024-11-21 | 8.5 High |
| OpenKM Community Edition in its 6.3.10 version and before was using the XMLReader parser in the XMLTextExtractor.java file without the required security flags, allowing an attacker to perform an XML external entity injection attack. | ||||
| CVE-2022-2080 | 1 Automattic | 1 Sensei Lms | 2024-11-21 | 4.3 Medium |
| The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversations via an IDOR attack. Note: attackers are not able to see responses/messages between the teacher and student. | ||||
| CVE-2022-2048 | 5 Debian, Eclipse, Jenkins and 2 more | 12 Debian Linux, Jetty, Jenkins and 9 more | 2024-11-21 | 7.5 High |
| In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests. | ||||
| CVE-2022-2034 | 1 Automattic | 1 Sensei Lms | 2024-11-21 | 5.3 Medium |
| The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers. | ||||
| CVE-2022-2023 | 1 Trudesk Project | 1 Trudesk | 2024-11-21 | 9.8 Critical |
| Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4. | ||||
| CVE-2022-29978 | 1 Libsixel Project | 1 Libsixel | 2024-11-21 | 6.5 Medium |
| There is a floating point exception error in sixel_encoder_do_resize, encoder.c:633 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file. | ||||
| CVE-2022-29977 | 1 Libsixel Project | 1 Libsixel | 2024-11-21 | 6.5 Medium |
| There is an assertion failure error in stbi__jpeg_huff_decode, stb_image.h:1894 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file. | ||||
| CVE-2022-29943 | 1 Talend | 1 Administration Center | 2024-11-21 | 6.5 Medium |
| Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version. | ||||
| CVE-2022-29933 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | 8.8 High |
| Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). | ||||