Search Results (364271 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-32154 1 Splunk 2 Splunk, Splunk Cloud Platform 2024-11-21 6.8 Medium
Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will.
CVE-2022-32153 1 Splunk 2 Splunk, Splunk Cloud Platform 2024-11-21 8.1 High
Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.
CVE-2022-32152 1 Splunk 2 Splunk, Splunk Cloud Platform 2024-11-21 8.1 High
Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an attacker with administrator credentials could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.
CVE-2022-32151 1 Splunk 2 Splunk, Splunk Cloud Platform 2024-11-21 7.4 High
The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries now verify server certificates by default and use the appropriate CA certificate stores for each library. Apps and add-ons that include their own HTTP libraries are not affected. For Splunk Enterprise, update to Splunk Enterprise version 9.0 and Configure TLS host name validation for Splunk-to-Splunk communications (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation) to enable the remediation.
CVE-2022-32145 1 Siemens 1 Teamcenter Active Workspace 2024-11-21 6.1 Medium
A vulnerability has been identified in Teamcenter Active Workspace V5.2 (All versions < V5.2.9), Teamcenter Active Workspace V6.0 (All versions < V6.0.3). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected application that could allow an attacker to execute malicious code by tricking users into accessing a malicious link.
CVE-2022-32143 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 8.8 High
In multiple CODESYS products, file download and upload function allows access to internal files in the working directory e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if remote attacker has previously successfully authenticated himself to the controller. A successful Attack may lead to a denial of service, change of local files, or drain of confidential Information. User interaction is not required
CVE-2022-32142 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 8.1 High
Multiple CODESYS Products are prone to a out-of bounds read or write access. A low privileged remote attacker may craft a request with invalid offset, which can cause an out-of-bounds read or write access, resulting in denial-of-service condition or local memory overwrite, which can lead to a change of local files. User interaction is not required.
CVE-2022-32141 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 6.5 Medium
Multiple CODESYS Products are prone to a buffer over read. A low privileged remote attacker may craft a request with an invalid offset, which can cause an internal buffer over-read, resulting in a denial-of-service condition. User interaction is not required.
CVE-2022-32140 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 6.5 Medium
Multiple CODESYS products are affected to a buffer overflow.A low privileged remote attacker may craft a request, which can cause a buffer copy without checking the size of the service, resulting in a denial-of-service condition. User Interaction is not required.
CVE-2022-32139 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 6.5 Medium
In multiple CODESYS products, a low privileged remote attacker may craft a request, which cause an out-of-bounds read, resulting in a denial-of-service condition. User Interaction is not required.
CVE-2022-32138 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 8.8 High
In multiple CODESYS products, a remote attacker may craft a request which may cause an unexpected sign extension, resulting in a denial-of-service condition or memory overwrite.
CVE-2022-32137 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 8.8 High
In multiple CODESYS products, a low privileged remote attacker may craft a request, which may cause a heap-based buffer overflow, resulting in a denial-of-service condition or memory overwrite. User interaction is not required.
CVE-2022-32136 1 Codesys 2 Plcwinnt, Runtime Toolkit 2024-11-21 6.5 Medium
In multiple CODESYS products, a low privileged remote attacker may craft a request that cause a read access to an uninitialized pointer, resulting in a denial-of-service. User interaction is not required.
CVE-2022-32131 1 74cms 1 74cmsse 2024-11-21 6.1 Medium
74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /index/notice/show.
CVE-2022-32130 1 74cms 1 74cmsse 2024-11-21 6.1 Medium
74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/down_resume/total/nature.
CVE-2022-32129 1 74cms 1 74cmsse 2024-11-21 6.1 Medium
74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/account/safety/trade.
CVE-2022-32128 1 74cms 1 74cmsse 2024-11-21 6.1 Medium
74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/service/increment/add/im.
CVE-2022-32127 1 74cms 1 74cmsse 2024-11-21 6.1 Medium
74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company/view_be_browsed/total.
CVE-2022-32126 1 74cms 1 74cmsse 2024-11-21 6.1 Medium
74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /company.
CVE-2022-32125 1 74cms 1 74cmsse 2024-11-21 6.1 Medium
74cmsSE v3.5.1 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the path /job.