| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. An attacker could use this weakness to create forged certificate signatures due to the use of a hashing algorithm that is not collision-free. This could thereby impact the confidentiality of user content. This issue affects: Western Digital WD Discovery WD Discovery Desktop App versions prior to 4.4.396 on Mac; WD Discovery Desktop App versions prior to 4.4.396 on Windows. |
| In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. |
| In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible |
| In JetBrains PyCharm before 2022.1 exposure of the debugger port to the internal network was possible |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible |
| In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed |
| In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible |
| In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible |
| In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible |
| In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient |
| In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. |
| The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. |
| In Quest KACE Systems Management Appliance (SMA) through 12.0, predictable token generation occurs when appliance linking is enabled. |
| A SQL injection vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.0 that can allow for remote code execution via download_agent_installer.php. |
| ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. |
| A Java Deserialization vulnerability in the Fishbowl Server in Fishbowl Inventory before 2022.4.1 allows remote attackers to execute arbitrary code via a crafted XML payload. |
| Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. |
| A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.13), Teamcenter V13.0 (All versions < V13.0.0.9). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. |