Total
29524 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36348 | 1 Intel | 1 Server Platform Services | 2024-11-21 | N/A | 8.8 HIGH |
| Active debug code in some Intel (R) SPS firmware before version SPS_E5_04.04.04.300.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-36325 | 1 Siemens | 180 Scalance M-800, Scalance M-800 Firmware, Scalance S615 and 177 more | 2024-11-21 | N/A | 6.8 MEDIUM |
| Affected devices do not properly sanitize data introduced by an user when rendering the web interface. This could allow an authenticated remote attacker with administrative privileges to inject code and lead to a DOM-based XSS. | |||||
| CVE-2022-36323 | 1 Siemens | 180 Scalance M-800, Scalance M-800 Firmware, Scalance S615 and 177 more | 2024-11-21 | N/A | 9.1 CRITICAL |
| Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell. | |||||
| CVE-2022-36289 | 1 Intel | 1 Media Software Development Kit | 2024-11-21 | N/A | 2.8 LOW |
| Protection mechanism failure in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2022-36278 | 1 Intel | 1 Battery Life Diagnostic Tool | 2024-11-21 | N/A | 8.2 HIGH |
| Insufficient control flow management in the Intel(R) Battery Life Diagnostic Tool software before version 2.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-36267 | 1 Airspan | 2 Airspot 5410, Airspot 5410 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious http request by injecting code in one of the parameters allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device. | |||||
| CVE-2022-36215 | 1 Dedebiz | 1 Dedecmsv6 | 2024-11-21 | N/A | 7.2 HIGH |
| DedeBIZ v6 was discovered to contain a remote code execution vulnerability in sys_info.php. | |||||
| CVE-2022-36110 | 1 Gravitl | 1 Netmaker | 2024-11-21 | N/A | 8.8 HIGH |
| Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1. | |||||
| CVE-2022-36101 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A | 5.4 MEDIUM |
| Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are advised to update and may get the update either via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue. | |||||
| CVE-2022-36090 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 8.1 HIGH |
| XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki. | |||||
| CVE-2022-36088 | 2 Microsoft, Thoughtworks | 2 Windows, Gocd | 2024-11-21 | N/A | 5.0 MEDIUM |
| GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions. | |||||
| CVE-2022-36084 | 1 Aeb | 1 Cruddl | 2024-11-21 | N/A | 9.9 CRITICAL |
| cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas. | |||||
| CVE-2022-36072 | 1 Silverwaregames | 1 Silverwaregames | 2024-11-21 | N/A | 5.9 MEDIUM |
| SilverwareGames.io is a social network for users to play video games online. In version 1.1.8 and prior, due to an unobvious feature of PHP, hashes generated by built-in functions and starting with the `0e` symbols were being handled as zero multiplied with the `e` number. Therefore, the hash value was equal to 0. The maintainers fixed this in version 1.1.9 by using `===` instead of `==` in comparisons where it is possible (e.g. on sign in/sign up handlers). | |||||
| CVE-2022-35980 | 1 Amazon | 1 Opensearch | 2024-11-21 | N/A | 7.5 HIGH |
| OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around. | |||||
| CVE-2022-35909 | 1 Jellyfin | 1 Jellyfin | 2024-11-21 | N/A | 8.8 HIGH |
| In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. | |||||
| CVE-2022-35692 | 1 Adobe | 2 Commerce, Magento Commerce | 2024-11-21 | N/A | 5.3 MEDIUM |
| Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to leak minor information of another user's account detials. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-35689 | 1 Adobe | 2 Commerce, Magento Open Source | 2024-11-21 | N/A | 5.3 MEDIUM |
| Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction. | |||||
| CVE-2022-35538 | 1 Wavlink | 10 Wn530h4, Wn530h4 Firmware, Wn531p3 and 7 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac, which leads to command injection in page /wifi_mesh.shtml. | |||||
| CVE-2022-35537 | 1 Wavlink | 10 Wn530h4, Wn530h4 Firmware, Wn531p3 and 7 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: mac_5g and Newname, which leads to command injection in page /wifi_mesh.shtml. | |||||
| CVE-2022-35536 | 1 Wavlink | 10 Wn530h4, Wn530h4 Firmware, Wn531p3 and 7 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no filtering on parameters: qos_bandwith and qos_dat, which leads to command injection in page /qos.shtml. | |||||