Search Results (363005 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-25259 1 Jetbrains 1 Hub 2024-11-21 6.1 Medium
JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.
CVE-2022-25258 4 Debian, Fedoraproject, Linux and 1 more 14 Debian Linux, Fedora, Linux Kernel and 11 more 2024-11-21 4.6 Medium
An issue was discovered in drivers/usb/gadget/composite.c in the Linux kernel before 5.16.10. The USB Gadget subsystem lacks certain validation of interface OS descriptor requests (ones with a large array index and ones associated with NULL function pointer retrieval). Memory corruption might occur.
CVE-2022-25256 6 Hpe, Ibm, Linux and 3 more 6 Hp-ux Ipfilter, Aix, Linux Kernel and 3 more 2024-11-21 6.1 Medium
SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfs_request_backlabel_list and saspfs_request_backurl_list. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing the button, e.g., a malicious web page. In addition, the second parameter executes JavaScript, which means XSS is possible by adding a javascript: URL.
CVE-2022-25255 4 Linux, Opengroup, Qt and 1 more 4 Linux Kernel, Unix, Qt and 1 more 2024-11-21 7.8 High
In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVE-2022-25245 1 Zohocorp 1 Manageengine Servicedesk Plus 2024-11-21 5.3 Medium
Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.
CVE-2022-25244 1 Hashicorp 1 Vault 2024-11-21 6.5 Medium
Vault Enterprise clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with `read` permissions on this endpoint. Fixed in Vault Enterprise 1.9.4, 1.8.9 and 1.7.10.
CVE-2022-25243 1 Hashicorp 1 Vault 2024-11-21 6.5 Medium
"Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4.
CVE-2022-25242 1 Filecloud 1 Filecloud 2024-11-21 8.8 High
In FileCloud before 21.3, file upload is not protected against Cross-Site Request Forgery (CSRF).
CVE-2022-25241 1 Filecloud 1 Filecloud 2024-11-21 8.8 High
In FileCloud before 21.3, the CSV user import functionality is vulnerable to Cross-Site Request Forgery (CSRF).
CVE-2022-25238 1 Silverstripe 1 Framework 2024-11-21 5.4 Medium
Silverstripe silverstripe/framework through 4.10.0 allows XSS, inside of script tags that can can be added to website content via XHR by an authenticated CMS user if the cwp-core module is not installed on the sanitise_server_side contig is not set to true in project code.
CVE-2022-25237 1 Bonitasoft 1 Bonita Web 2024-11-21 9.8 Critical
Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.
CVE-2022-25234 1 Omron 1 Cx-programmer 2024-11-21 7.8 High
Out-of-bounds write vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file. This vulnerability is different from CVE-2022-21124.
CVE-2022-25231 1 Node-opcua Project 1 Node-opcua 2024-11-21 7.5 High
The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.
CVE-2022-25230 1 Omron 1 Cx-programmer 2024-11-21 7.8 High
Use after free vulnerability in CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite allows an attacker to cause information disclosure and/or arbitrary code execution by having a user to open a specially crafted CXP file. This vulnerability is different from CVE-2022-25325.
CVE-2022-25229 1 Popcorn Time Project 1 Popcorn Time 2024-11-21 5.4 Medium
Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
CVE-2022-25228 1 Auieo 1 Candidats 2024-11-21 6.5 Medium
CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameter
CVE-2022-25227 1 Cybelesoft 1 Thinfinity Vnc 2024-11-21 8.8 High
Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.
CVE-2022-25226 1 Cybelsoft 1 Thinvnc 2024-11-21 10.0 Critical
ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.
CVE-2022-25225 1 Softinventive 1 Network Olympus 2024-11-21 7.2 High
Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. It is also possible to achieve remote code execution in the default installation (PostgreSQL) by exploiting this issue.
CVE-2022-25224 1 Proton Project 1 Proton 2024-11-21 5.4 Medium
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.