Search Results (363284 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-27247 1 Cdsoft 1 Winhotel.mx 2024-11-21 5.3 Medium
onlinetolls in cdSoft Onlinetools-Smart Winhotel.MX 2021 allows an attacker to download sensitive information about any customer (e.g., data of birth, full address, mail information, and phone number) via GastKont Insecure Direct Object Reference.
CVE-2022-27246 1 Misp 1 Misp 2024-11-21 6.1 Medium
An issue was discovered in MISP before 2.4.156. An SVG org logo (which may contain JavaScript) is not forbidden by default.
CVE-2022-27245 1 Misp 1 Misp 2024-11-21 8.8 High
An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.
CVE-2022-27244 1 Misp 1 Misp 2024-11-21 4.8 Medium
An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user.
CVE-2022-27243 1 Misp 1 Misp 2024-11-21 7.8 High
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.
CVE-2022-27242 1 Siemens 1 Openv2g 2024-11-21 5.5 Medium
A vulnerability has been identified in OpenV2G (V0.9.4). The OpenV2G EXI parsing feature is missing a length check when parsing X509 serial numbers. Thus, an attacker could introduce a buffer overflow that leads to memory corruption.
CVE-2022-27241 1 Mendix 1 Mendix 2024-11-21 7.5 High
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.11), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). Applications built with an affected system publicly expose the internal project structure. This could allow an unauthenticated remote attacker to read confidential information.
CVE-2022-27240 1 Glewlwyd Sso Server Project 1 Glewlwyd Sso Server 2024-11-21 9.8 Critical
scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion.
CVE-2022-27239 6 Debian, Fedoraproject, Hp and 3 more 20 Debian Linux, Fedora, Helion Openstack and 17 more 2024-11-21 7.8 High
In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.
CVE-2022-27238 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.4 Medium
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.
CVE-2022-27237 1 Ni 5 Flexlogger, G Web Development Software, Labview and 2 more 2024-11-21 6.1 Medium
There is a cross-site scripting (XSS) vulnerability in an NI Web Server component installed with several NI products. Depending on the product(s) in use, remediation guidance includes: install SystemLink version 2021 R3 or later, install FlexLogger 2022 Q2 or later, install LabVIEW 2021 SP1, install G Web Development 2022 R1 or later, or install Static Test Software Suite version 1.2 or later.
CVE-2022-27231 1 Veronalabs 1 Wp Statistics 2024-11-21 6.1 Medium
Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.
CVE-2022-27230 1 F5 2 Big-ip Access Policy Manager, Big-ip Guided Configuration 2024-11-21 7.5 High
On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP APM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of F5 BIG-IP Guided Configuration that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVE-2022-27229 1 Intel 11 Hdmi Firmware, Nuc 7 Business Nuc7i3dnhnc, Nuc 7 Business Nuc7i3dnktc and 8 more 2024-11-21 6.7 Medium
Path transversal in some Intel(R) NUC Kits NUC7i3DN, NUC7i5DN, NUC7i7DN HDMI firmware update tool software before version 1.79.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-27228 1 Bitrix24 1 Bitrix24 2024-11-21 9.8 Critical
In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
CVE-2022-27227 2 Fedoraproject, Powerdns 3 Fedora, Authoritative Server, Recursor 2024-11-21 7.5 High
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful transfers.
CVE-2022-27226 1 Irz 10 Rl01, Rl01 Firmware, Rl21 and 7 more 2024-11-21 8.8 High
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain filesystem access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.
CVE-2022-27225 1 Gradle 1 Enterprise 2024-11-21 6.5 Medium
Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.
CVE-2022-27223 3 Debian, Linux, Netapp 17 Debian Linux, Linux Kernel, Active Iq Unified Manager and 14 more 2024-11-21 8.8 High
In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12, the endpoint index is not validated and might be manipulated by the host for out-of-array access.
CVE-2022-27220 1 Siemens 1 Sinema Remote Connect Server 2024-11-21 4.3 Medium
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 6220. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.