Total
295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36099 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 9.9 CRITICAL |
| XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki platform. Starting with version 5.3-milestone-2 and prior to versions 13.10.6 and 14.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request (URL parameter) using the `XWikiServerClassSheet` if the user has view access to this sheet and another page that has been saved with programming rights, a standard condition on a public read-only XWiki installation or a private XWiki installation where the user has an account. This allows arbitrary Groovy/Python/Velocity code execution which allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. Also, this could be used to impact the availability of the wiki. This has been patched in versions 13.10.6 and 14.4. As a workaround, edit the affected document `XWiki.XWikiServerClassSheet` or `WikiManager.XWikiServerClassSheet` and manually perform the changes from the patch fixing the issue. On XWiki versions 12.0 and later, it is also possible to import the document `XWiki.XWikiServerClassSheet` from the xwiki-platform-wiki-ui-mainwiki package version 14.4 using the import feature of the administration application as there have been no other changes to this document since XWiki 12.0. | |||||
| CVE-2022-35153 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | N/A | 9.8 CRITICAL |
| FusionPBX 5.0.1 was discovered to contain a command injection vulnerability via /fax/fax_send.php. | |||||
| CVE-2022-34820 | 1 Siemens | 30 Simatic Cp 1242-7 V2, Simatic Cp 1242-7 V2 Firmware, Simatic Cp 1243-1 and 27 more | 2024-11-21 | 9.3 HIGH | 8.4 HIGH |
| A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions < V3.3.46), SIMATIC CP 1243-1 (All versions < V3.3.46), SIMATIC CP 1243-7 LTE EU (All versions < V3.3.46), SIMATIC CP 1243-7 LTE US (All versions < V3.3.46), SIMATIC CP 1243-8 IRC (All versions < V3.3.46), SIMATIC CP 1542SP-1 IRC (All versions >= V2.0 < V2.2.28), SIMATIC CP 1543-1 (All versions < V3.0.22), SIMATIC CP 1543SP-1 (All versions >= V2.0 < V2.2.28), SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (All versions >= V2.0 < V2.2.28), SIPLUS ET 200SP CP 1543SP-1 ISEC (All versions >= V2.0 < V2.2.28), SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (All versions >= V2.0 < V2.2.28), SIPLUS NET CP 1242-7 V2 (All versions < V3.3.46), SIPLUS NET CP 1543-1 (All versions < V3.0.22), SIPLUS S7-1200 CP 1243-1 (All versions < V3.3.46), SIPLUS S7-1200 CP 1243-1 RAIL (All versions < V3.3.46). The application does not correctly escape some user provided fields during the authentication process. This could allow an attacker to inject custom commands and execute arbitrary code with elevated privileges. | |||||
| CVE-2022-34316 | 1 Ibm | 1 Cics Tx | 2024-11-21 | N/A | 3.7 LOW |
| IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers. IBM X-Force ID: 229452. | |||||
| CVE-2022-32549 | 1 Apache | 2 Sling Api, Sling Commons Log | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files. | |||||
| CVE-2022-31458 | 1 Rtx Trap Project | 1 Rtx Trap | 2024-11-21 | N/A | 6.1 MEDIUM |
| RTX TRAP v1.0 was discovered to be vulnerable to host header poisoning. | |||||
| CVE-2022-30966 | 1 Jenkins | 1 Random String Parameter | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-30781 | 1 Gitea | 1 Gitea | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Gitea before 1.16.7 does not escape git fetch remote. | |||||
| CVE-2022-2619 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-11-21 | N/A | 4.3 MEDIUM |
| Insufficient validation of untrusted input in Settings in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted HTML page. | |||||
| CVE-2022-2241 | 1 Fifu | 1 Featured Image From Url | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues | |||||
| CVE-2022-2099 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles | |||||
| CVE-2022-29599 | 2 Apache, Debian | 2 Maven Shared Utils, Debian Linux | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. | |||||
| CVE-2022-28960 | 1 Spip | 1 Spip | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire. | |||||
| CVE-2022-26174 | 1 Beekeeperstudio | 1 Beekeeper-studio | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability in Beekeeper Studio v3.2.0 allows attackers to execute arbitrary code via a crafted payload injected into the display fields. | |||||
| CVE-2022-23620 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 5.8 MEDIUM | 6.8 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing it on filesystem, it is possible to for the HTML export process to contain reference elements containing filesystem syntax like "../", "./". or "/" in general. The referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. This issue can be worked around by limiting or disabling document export. | |||||
| CVE-2022-23079 | 1 Getmotoradmin | 1 Motor Admin | 2024-11-21 | 6.8 MEDIUM | N/A |
| In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim. | |||||
| CVE-2022-22992 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | 10.0 HIGH | 7.8 HIGH |
| A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input. | |||||
| CVE-2022-22734 | 1 Sedlex | 1 Simple Quotation | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Simple Quotation WordPress plugin through 1.3.2 does not have CSRF check when creating or editing a quote and does not sanitise and escape Quotes. As a result, attacker could make a logged in admin create or edit arbitrary quote, and put Cross-Site Scripting payloads in them | |||||
| CVE-2022-22151 | 1 Yokogawa | 9 Centum Cs 3000, Centum Cs 3000 Entry, Centum Cs 3000 Entry Firmware and 6 more | 2024-11-21 | 4.9 MEDIUM | 8.1 HIGH |
| CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00. | |||||
| CVE-2022-20230 | 1 Google | 1 Android | 2024-11-21 | 1.9 LOW | 5.5 MEDIUM |
| In choosePrivateKeyAlias of KeyChain.java, there is a possible access to the user's certificate due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-221859869 | |||||