Search Results (363677 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-0665 1 Pimcore 1 Pimcore 2024-11-21 6.5 Medium
Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2.
CVE-2022-0663 1 Printfriendly 1 Print\, Pdf\, Email By Printfriendly 2024-11-21 4.8 Medium
The Print, PDF, Email by PrintFriendly WordPress plugin before 5.2.3 does not sanitise and escape the Custom Button Text settings, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2022-0662 1 Ajdg 1 Adrotate 2024-11-21 4.8 Medium
The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2022-0661 1 Ad Injection Project 1 Ad Injection 2024-11-21 7.2 High
The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.
CVE-2022-0660 1 Microweber 1 Microweber 2024-11-21 7.5 High
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0659 1 Sync Qcloud Cos Project 1 Sync Qcloud Cos 2024-11-21 4.8 Medium
The Sync QCloud COS WordPress plugin before 2.0.1 does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2022-0658 1 Wielebenwir 1 Commonsbooking 2024-11-21 9.8 Critical
The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection
CVE-2022-0657 1 5 Stars Rating Funnel Project 1 5 Stars Rating Funnel 2024-11-21 9.8 Critical
The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.
CVE-2022-0656 1 Webtoprint 1 Web To Print Shop\ 2024-11-21 7.5 High
The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc)
CVE-2022-0654 1 Node-request-retry Project 1 Node-request-retry 2024-11-21 7.5 High
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository fgribreau/node-request-retry prior to 7.0.0.
CVE-2022-0652 1 Sophos 1 Unified Threat Management 2024-11-21 3.3 Low
Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710.
CVE-2022-0649 1 Ajdg 1 Adrotate 2024-11-21 4.8 Medium
The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2022-0648 1 I13websolution 1 Team Circle Image Slider With Lightbox 2024-11-21 6.1 Medium
The Team Circle Image Slider With Lightbox WordPress plugin before 1.0.16 does not sanitize and escape the order_pos parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0647 1 Bulk Creator Project 1 Bulk Creator 2024-11-21 6.1 Medium
The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and escape the post_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0646 2 Linux, Netapp 17 Linux Kernel, H300e, H300e Firmware and 14 more 2024-11-21 7.8 High
A flaw use after free in the Linux kernel Management Component Transport Protocol (MCTP) subsystem was found in the way user triggers cancel_work_sync after the unregister_netdev during removing device. A local user could use this flaw to crash the system or escalate their privileges on the system. It is actual from Linux Kernel 5.17-rc1 (when mctp-serial.c introduced) till 5.17-rc5.
CVE-2022-0645 1 Posthog 1 Posthog 2024-11-21 6.1 Medium
Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1.
CVE-2022-0643 1 Bank Mellat Project 1 Bank Mellat 2024-11-21 6.1 Medium
The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0642 1 Jivochat 1 Jivochat 2024-11-21 5.4 Medium
The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.
CVE-2022-0641 1 Ays-pro 1 Popup Like Box 2024-11-21 6.1 Medium
The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2022-0640 1 Wpdevart 1 Pricing Table Builder 2024-11-21 6.1 Medium
The Pricing Table Builder WordPress plugin before 1.1.5 does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.