Search Results (363775 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-2061 1 Chafa Project 1 Chafa 2024-11-21 3.3 Low
Heap-based Buffer Overflow in GitHub repository hpjansson/chafa prior to 1.12.0.
CVE-2022-2060 1 Dolibarr 1 Dolibarr Erp\/crm 2024-11-21 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.
CVE-2022-2059 1 Pandorafms 1 Pandora Fms 2024-11-21 3.5 Low
In Pandora FMS v7.0NG.761 and below, in the agent creation section, the alias parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system.
CVE-2022-2058 5 Debian, Fedoraproject, Libtiff and 2 more 5 Debian Linux, Fedora, Libtiff and 2 more 2024-11-21 5.5 Medium
Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVE-2022-2057 5 Debian, Fedoraproject, Libtiff and 2 more 5 Debian Linux, Fedora, Libtiff and 2 more 2024-11-21 5.5 Medium
Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVE-2022-2056 5 Debian, Fedoraproject, Libtiff and 2 more 5 Debian Linux, Fedora, Libtiff and 2 more 2024-11-21 5.5 Medium
Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVE-2022-2053 1 Redhat 5 Integration Camel K, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 2 more 2024-11-21 7.5 High
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2.
CVE-2022-2050 1 Maxfoundry 1 Wp-paginate 2024-11-21 4.8 Medium
The WP-Paginate WordPress plugin before 2.1.9 does not escape one of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfiltered_html is disallowed
CVE-2022-2049 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2022-2048 5 Debian, Eclipse, Jenkins and 2 more 12 Debian Linux, Jetty, Jenkins and 9 more 2024-11-21 7.5 High
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.
CVE-2022-2047 4 Debian, Eclipse, Netapp and 1 more 9 Debian Linux, Jetty, Element Plug-in For Vcenter Server and 6 more 2024-11-21 2.7 Low
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
CVE-2022-2046 1 Wpwax 1 Directorist 2024-11-21 4.9 Medium
The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations.
CVE-2022-2042 2 Apple, Vim 2 Macos, Vim 2024-11-21 7.8 High
Use After Free in GitHub repository vim/vim prior to 8.2.
CVE-2022-2037 1 Tooljet 1 Tooljet 2024-11-21 8.0 High
Excessive Attack Surface in GitHub repository tooljet/tooljet prior to v1.16.0.
CVE-2022-2036 1 Rosariosis 1 Rosariosis 2024-11-21 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.1.
CVE-2022-2035 1 Ltgplc 1 Rustici Software Scorm Engine 2024-11-21 6.1 Medium
A reflected cross-site scripting (XSS) vulnerability exists in the playerConfUrl parameter in the /defaultui/player/modern.html file for SCORM Engine versions < 20.1.45.914, 21.1.x < 21.1.7.219. The issue exists because there are no limitations on the domain or format of the url supplied by the user, allowing an attacker to craft malicious urls which can trigger a reflected XSS payload in the context of a victim's browser.
CVE-2022-2034 1 Automattic 1 Sensei Lms 2024-11-21 5.3 Medium
The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers
CVE-2022-2032 1 Pandorafms 1 Pandora Fms 2024-11-21 3.5 Low
In Pandora FMS v7.0NG.761 and below, in the file manager section, the dirname parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system.
CVE-2022-2031 1 Samba 1 Samba 2024-11-21 8.8 High
A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password, can exploit this flaw to obtain and use tickets to other services.
CVE-2022-2030 1 Zyxel 50 Atp100, Atp100 Firmware, Atp100w and 47 more 2024-11-21 6.5 Medium
A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.11 through 4.72, that could allow an authenticated attacker to access some restricted files on a vulnerable device.