Search Results (363821 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-0246 1 Webence 1 Iq Block Country 2024-11-21 4.9 Medium
The settings of the iQ Block Country WordPress plugin before 1.2.13 can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to "Zip Slip" vulnerability.
CVE-2022-0245 1 Livehelperchat 1 Livehelperchat 2024-11-21 4.3 Medium
Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0.
CVE-2022-0244 1 Gitlab 1 Gitlab 2024-11-21 8.6 High
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file.
CVE-2022-0243 1 Orchardcore 1 Orchardcore 2024-11-21 5.4 Medium
Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.Cms.Targets prior to 1.2.2.
CVE-2022-0242 1 Craterapp 1 Crater 2024-11-21 7.2 High
Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.
CVE-2022-0240 1 Mruby 1 Mruby 2024-11-21 7.5 High
mruby is vulnerable to NULL Pointer Dereference
CVE-2022-0238 2 Fedoraproject, Phoronix-media 2 Fedora, Phoronix Test Suite 2024-11-21 4.3 Medium
phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2022-0237 1 Rapid7 1 Insight Agent 2024-11-21 4 Medium
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80.
CVE-2022-0235 4 Debian, Node-fetch Project, Redhat and 1 more 14 Debian Linux, Node-fetch, Acm and 11 more 2024-11-21 6.1 Medium
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-0234 1 Pluginus 1 Woocs 2024-11-21 6.1 Medium
The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocs_in_order_currency parameter of the woocs_get_products_price_html AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting
CVE-2022-0231 1 Livehelperchat 1 Live Helper Chat 2024-11-21 6.5 Medium
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2022-0230 1 Bwp-google-xml-sitemaps Project 1 Bwp-google-xml-sitemaps 2024-11-21 6.1 Medium
The Better WordPress Google XML Sitemaps WordPress plugin through 1.4.1 does not sanitise and escape its logs when outputting them in the admin dashboard, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins
CVE-2022-0229 1 Miniorange 1 Google Authenticator 2024-11-21 8.1 High
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
CVE-2022-0228 1 Sygnoos 1 Popup Builder 2024-11-21 7.2 High
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection
CVE-2022-0226 1 Livehelperchat 1 Live Helper Chat 2024-11-21 4.3 Medium
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2022-0225 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 5.4 Medium
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
CVE-2022-0224 1 Dolibarr 1 Dolibarr Erp\/crm 2024-11-21 9.8 Critical
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
CVE-2022-0221 1 Schneider-electric 1 Scadapack Workbench 2024-11-21 5.5 Medium
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)
CVE-2022-0220 1 Welaunch 1 Wordpress Gdpr\&ccpa 2024-11-21 6.1 Medium
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)
CVE-2022-0219 1 Jadx Project 1 Jadx 2024-11-21 5.5 Medium
Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.