Search Results (363715 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-30118 1 Concretecms 1 Concrete Cms 2024-11-21 6.1 Medium
Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.
CVE-2022-30117 1 Concretecms 1 Concrete Cms 2024-11-21 9.1 Critical
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting.
CVE-2022-30115 3 Haxx, Netapp, Splunk 15 Curl, Clustered Data Ontap, H300s and 12 more 2024-11-21 4.3 Medium
Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.
CVE-2022-30113 1 Fahou100 1 Electronic Mall System 2024-11-21 9.8 Critical
Electronic mall system 1.0_build20200203 is affected vulnerable to SQL Injection.
CVE-2022-30111 1 Mck Smartlock Project 1 Mck Smartlock 2024-11-21 6.8 Medium
Due to the use of an insecure algorithm for rolling codes in MCK Smartlock 1.0, allows attackers to unlock the mechanism via replay attacks.
CVE-2022-30110 1 Jirafeau 1 Jirafeau 2024-11-21 6.1 Medium
The file preview functionality in Jirafeau < 4.4.0, which is enabled by default, could be exploited for cross site scripting. An attacker could upload image/svg+xml files containing JavaScript. When someone visits the File Preview URL for this file, the JavaScript inside of this image/svg+xml file will be executed in the users' browser.
CVE-2022-30105 1 Belkin 2 N300, N300 Firmware 2024-11-21 9.8 Critical
In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject a an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.
CVE-2022-30083 1 Elliegrid 1 Elliegrid 2024-11-21 9.8 Critical
EllieGrid Android Application version 3.4.1 is vulnerable to Code Injection. The application appears to evaluate user input as code (remote).
CVE-2022-30079 1 Netgear 1 R6200 2024-11-21 8.8 High
Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary /sbin/acos_service that could allow remote authenticated attackers the ability to modify values in the vulnerable parameter.
CVE-2022-30078 1 Netgear 4 R6200, R6200 Firmware, R6300 and 1 more 2024-11-21 8.8 High
NETGEAR R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote authenticated attackers to execute arbitrary command via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameters.
CVE-2022-30075 1 Tp-link 2 Archer Ax50, Archer Ax50 Firmware 2024-11-21 8.8 High
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.
CVE-2022-30073 1 Wbce 1 Wbce Cms 2024-11-21 5.4 Medium
WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via /admin/users/save.php.
CVE-2022-30072 1 Wbce 1 Wbce Cms 2024-11-21 5.4 Medium
WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS) via \admin\pages\sections_save.php namesection2 parameters.
CVE-2022-30067 2 Gimp, Redhat 2 Gimp, Enterprise Linux 2024-11-21 5.5 Medium
GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Through a crafted XCF file, the program will allocate for a huge amount of memory, resulting in insufficient memory or program crash.
CVE-2022-30065 2 Busybox, Siemens 13 Busybox, Scalance Sc622-2c, Scalance Sc622-2c Firmware and 10 more 2024-11-21 7.8 High
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
CVE-2022-30063 1 Ftcms 1 Ftcms 2024-11-21 9.8 Critical
ftcms <=2.1 was discovered to be vulnerable to code execution attacks .
CVE-2022-30062 1 Ftcms 1 Ftcms 2024-11-21 6.5 Medium
ftcms <=2.1 was discovered to be vulnerable to Arbitrary File Read via tp.php
CVE-2022-30061 1 Ftcms 1 Ftcms 2024-11-21 6.5 Medium
ftcms <=2.1 was discovered to be vulnerable to directory traversal attacks via the parameter tp.
CVE-2022-30060 1 Ftcms 1 Ftcms 2024-11-21 8.8 High
ftcms <=2.1 was discovered to be vulnerable to Arbitrary File Write via admin/controllers/tp.php
CVE-2022-30059 1 Shopwind 1 Shopwind 2024-11-21 6.5 Medium
Shopwind <=v3.4.2 was discovered to contain a Arbitrary File Delete vulnerability via the neirong parameter at \backend\controllers\DbController.php.