Search Results (363434 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-29633 1 Linglong Project 1 Linglong 2024-11-21 9.8 Critical
An access control issue in Linglong v1.0 allows attackers to access the background of the application via a crafted cookie.
CVE-2022-29632 1 Roncoo 1 Roncoo-education 2024-11-21 9.8 Critical
An arbitrary file upload vulnerability in the component /course/api/upload/pic of Roncoo Education v9.0.0 allows attackers to execute arbitrary code via a crafted file.
CVE-2022-29631 1 Jodd 1 Jodd Http 2024-11-21 7.5 High
Jodd HTTP v6.0.9 was discovered to contain multiple CLRF injection vulnerabilities via the components jodd.http.HttpRequest#set and `jodd.http.HttpRequest#send. These vulnerabilities allow attackers to execute Server-Side Request Forgery (SSRF) via a crafted TCP payload.
CVE-2022-29628 1 Online Market Place Site Project 1 Online Market Place Site 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in /omps/seller of Online Market Place Site v1.0 allows attackers to execute arbitrary web cripts or HTML via a crafted payload injected into the Page parameter.
CVE-2022-29627 1 Online Market Place Site Project 1 Online Market Place Site 2024-11-21 4.3 Medium
An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.
CVE-2022-29624 1 Tpcms Project 1 Tpcms 2024-11-21 8.8 High
An arbitrary file upload vulnerability in the Add File function of TPCMS v3.2 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-29622 1 Formidable Project 1 Formidable 2024-11-21 9.8 Critical
An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.
CVE-2022-29620 1 Filezilla-project 1 Filezilla Client 2024-11-21 6.5 Medium
FileZilla v3.59.0 allows attackers to obtain cleartext passwords of connected SSH or FTP servers via a memory dump.- NOTE: the vendor does not consider this a vulnerability
CVE-2022-29619 1 Sap 1 Businessobjects Business Intelligence Platform 2024-11-21 6.5 Medium
Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.x - versions 420,430 allows user Administrator to view, edit or modify rights of objects it doesn't own and which would otherwise be restricted.
CVE-2022-29618 1 Sap 1 Netweaver Development Infrastructure 2024-11-21 6.1 Medium
Due to insufficient input validation, SAP NetWeaver Development Infrastructure (Design Time Repository) - versions 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to inject script into the URL and execute code in the user’s browser. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.
CVE-2022-29617 1 Sap 1 Contributor License Agreement Assistant 2024-11-21 6.5 Medium
Due to improper error handling an authenticated user can crash CLA assistant instance. This could impact the availability of the application.
CVE-2022-29616 1 Sap 3 Netweaver As Abap Kernel, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc 2024-11-21 7.5 High
SAP Host Agent, SAP NetWeaver and ABAP Platform allow an attacker to leverage logical errors in memory management to cause a memory corruption.
CVE-2022-29615 1 Sap 1 Netweaver Developer Studio 2024-11-21 3.4 Low
SAP NetWeaver Developer Studio (NWDS) - version 7.50, is based on Eclipse, which contains the logging framework log4j in version 1.x. The application's confidentiality and integrity could have a low impact due to the vulnerabilities associated with version 1.x.
CVE-2022-29614 1 Sap 2 Host Agent, Netweaver Abap 2024-11-21 5.0 Medium
SAP startservice - of SAP NetWeaver Application Server ABAP, Application Server Java, ABAP Platform and HANA Database - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, SAPHOSTAGENT 7.22, - on Unix systems, s-bit helper program sapuxuserchk, can be abused physically resulting in a privilege escalation of an attacker leading to low impact on confidentiality and integrity, but a profound impact on availability.
CVE-2022-29613 1 Sap 1 Employee Self Service 2024-11-21 4.3 Medium
Due to insufficient input validation, SAP Employee Self Service allows an authenticated attacker with user privileges to alter employee number. On successful exploitation, the attacker can view personal details of other users causing a limited impact on confidentiality of the application.
CVE-2022-29612 1 Sap 2 Host Agent, Netweaver Abap 2024-11-21 4.3 Medium
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04, KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04, SAPHOSTAGENT 7.22, allows an authenticated user to misuse a function of sapcontrol webfunctionality(startservice) in Kernel which enables malicious users to retrieve information. On successful exploitation, an attacker can obtain technical information like system number or physical address, which is otherwise restricted, causing a limited impact on the confidentiality of the application.
CVE-2022-29611 1 Sap 1 Netweaver Application Server Abap 2024-11-21 8.8 High
SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
CVE-2022-29610 1 Sap 1 Netweaver Application Server Abap 2024-11-21 5.4 Medium
SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.
CVE-2022-29603 1 Universis 1 Universis-api 2024-11-21 8.1 High
A SQL Injection vulnerability exists in UniverSIS UniverSIS-API through 1.2.1 via the $select parameter to multiple API endpoints. A remote authenticated attacker could send crafted SQL statements to a vulnerable endpoint (such as /api/students/me/messages/) to, for example, retrieve personal information or change grades.
CVE-2022-29602 1 Grid Elements Project 1 Grid Elements 2024-11-21 5.4 Medium
The gridelements (aka Grid Elements) extension through 7.6.1, 8.x through 8.7.0, 9.x through 9.7.0, and 10.x through 10.2.0 extension for TYPO3 allows XSS.